Privacy policy

Introduction

This Privacy Policy explains how Root Sustainability B.V. collects and uses personal data when you visit our website, when you use the Root platform, and when you contact us. It also explains your rights under the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (Uitvoeringswet AVG, "UAVG").

1. Who we are

Root Sustainability B.V. ("Root", "we", "us", "our") is a private limited company incorporated under the laws of the Netherlands, with its office at Magalhaensstraat 26-2, 1057 RV Amsterdam, the Netherlands. We are registered with the Dutch Chamber of Commerce (KvK) under number 85257451.

For any privacy question or to exercise your rights, contact us at security@root-sustainability.com or info@root-sustainability.com.

We have not appointed a statutory Data Protection Officer, as we are not required to. As we are established in the European Union, we are not required to appoint an Article 27 EU representative.

2. The two roles we play

• As a controller, we decide how and why personal data is processed in relation to our website visitors and to the account administrators and Users of the Root platform. This Policy describes that processing.
• As a processor, we process personal data contained in the data our business customers upload to the platform (for example, in support of life cycle assessment and carbon-footprint calculations). For that data, our customer is the controller and decides how the data is used. Our processing is governed by the data-protection terms in our Terms & Conditions. If you are an employee or contact of one of our customers and have a question about that data, please contact that customer; we will support them in responding to you.

3. Visitors to this website

When you visit our website, we and our analytics providers collect limited information about your device and how you use the site — such as your IP address, browser type, pages viewed and referring source — through cookies and similar technologies. We use this to operate, secure and improve the website and to understand how it is used.

We set non-essential analytics cookies (Google Analytics and PostHog) only with your consent, which you give through our cookie banner and can withdraw at any time. See Section 9 (Cookies) for details and how to manage your choices.

4. People who use the Root platform

When you are invited to or register for the platform, we process the following as a controller:

• Account data — your name, email address, the company you belong to, your role, and account timestamps. We use this to create and administer your account, authenticate you and provide the Services. Legal basis: performance of a contract (Article 6(1)(b) GDPR), or our legitimate interest in administering accounts where you are not the contracting party (Article 6(1)(f)).
• Authentication data — your email address (used as your username), one-time passcodes, session tokens and, if you enable SMS-based verification, your phone number. We use this to sign you in securely and to provide multi-factor authentication. Legal basis: performance of a contract and our legitimate interest in securing the Services (Article 6(1)(b) and 6(1)(f)).
• Support data — the content of your support conversations and the identifiers needed to handle them. Legal basis: performance of a contract (Article 6(1)(b)).

5. Logs, error monitoring and product analytics

To keep the platform reliable, secure and improving, we process:

• Application and security logs, which may include user and company identifiers, IP addresses and request metadata. Legal basis: our legitimate interest in the reliability and security of the Services (Article 6(1)(f)).
• Error and performance monitoring through Sentry, which may capture error context, identifiers and a limited, sampled set of session recordings to help us diagnose problems. Legal basis: our legitimate interest in operating a reliable, secure service (Article 6(1)(f)).
• Product analytics through PostHog, using pseudonymised identifiers for logged-in users together with company name, role and product-usage events. Legal basis: our legitimate interest in understanding and improving the platform (Article 6(1)(f)).

Where we rely on legitimate interests, we have balanced those interests against your rights and limited what we collect accordingly. You can object to this processing as described in Section 11.

6. Customer data we process on our customers' behalf

Our business customers upload data to the platform to run their assessments. This may include facility names and addresses, geographic coordinates, order and transport records, and employee commute or business-travel records (typically identified by pseudonymous reference rather than by name). We process this on our customers' documented instructions as their processor, under the data-protection terms in our Terms & Conditions. We do not use it for our own purposes, except to produce aggregated, anonymised insights that do not identify any individual.

7. Who we share personal data with (subprocessors and recipients)

We use carefully selected service providers to deliver the platform. They process personal data only on our instructions and under data-protection agreements. Our current providers are:

Our subprocessors are located in the European Union and the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards as described in Section 8. For more information about our subprocessors, see our Subprocessor List.

We may also share personal data with professional advisers, and with authorities or other parties where required by law or to establish, exercise or defend legal claims. We do not sell personal data.

8. Sending data outside the European Economic Area

We host platform data in the European Union. Some of the providers listed above are located in the United States. Where personal data is transferred outside the European Economic Area, we rely on an appropriate safeguard under Chapter V GDPR — generally the European Commission's Standard Contractual Clauses, and where applicable the provider's certification under the EU–US Data Privacy Framework. You can request a copy of the relevant safeguard using the contact details in Section 1.

9. Cookies

Our website uses cookies and similar technologies in the following categories:

• Essential cookies — required for the site to function (for example, security and basic operation). These do not require consent.
• Analytics cookies — set by Google Analytics and PostHog to measure and improve how the website is used. These are set only with your consent.

When you first visit, our cookie banner lets you accept or reject non-essential cookies, with an equally easy option to refuse as to accept. You can change or withdraw your choice at any time through the banner or your settings, and you can also block or delete cookies through your browser settings — though doing so may affect how the site works.

10. How long we keep personal data

We keep personal data only as long as necessary for the purposes described above:

• Account data — for the life of your account; deleted, in the ordinary course, within about 30 days after your account is closed or the customer's contract ends.
• One-time passcodes — a few minutes (they expire shortly after issue).
• Application/security logs — typically one month.
• Error and analytics data — for the retention period offered by the relevant provider.
• Data exports — automatically expire after 60 days.
• Backups — overwritten on a rolling cycle (currently 35 days).

We may keep certain data longer where the law requires it or to establish, exercise or defend legal claims.

11. Your rights

Under the GDPR you have the right to:

1. access the personal data we hold about you;
2. have inaccurate data corrected;
3. have your data erased in certain circumstances;
4. restrict or object to certain processing, including processing based on our legitimate interests;
5. receive certain data in a portable format;
6. withdraw consent at any time (for example, for analytics cookies), without affecting processing already carried out; and
7. not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — which we do not carry out.

To exercise any of these rights, contact us at security@root-sustainability.com. We may need to verify your identity, and we will respond within one month. If your request relates to data we process on behalf of a customer (Section 6), we will refer you to that customer.

You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or your local supervisory authority.

12. How we protect personal data

We apply appropriate technical and organisational measures under Article 32 GDPR, including encryption of data at rest (AES-256) and in transit (TLS), role-based access controls, and logical separation of each customer's data. Our information-security practices are aligned with ISO/IEC 27001.

13. Automated decision-making and AI

We do not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects. The platform uses AI text embeddings to match material and product descriptions; no personal data is sent to that service, and it operates on a zero-retention basis.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here and change the "last updated" date above. Where changes are material, we will take reasonable steps to notify you.

15. Contact

Questions about this Policy or your personal data? Email security@root-sustainability.com or write to Root Sustainability B.V., Magalhaensstraat 26-2, 1057 RV Amsterdam, the Netherlands.

‍