Privacy Policy

1. Who we are

Roots is a mobile wellness app published by Krystof Celba. This policy describes what data the app collects, where it is stored, and how you can delete it.

2. What we collect and where it is stored

2.1 On-device data (AsyncStorage)

All personal content you create stays on your device and is never sent to our servers unless explicitly noted. Stored under the roots_* key prefix:

• Card progress — which moments you've unlocked and tasks you've completed (roots_card_progress, roots_install_date, roots_onboarding_complete).
• Personal context — the goals, values, and coaching-mode preferences you enter in Settings → My Context (roots_user_context).
• Guide notes — facts the AI coach has remembered about you via the remember_fact tool (roots_guide_notes).
• Practice history — dates you've practiced, used to draw the streak heatmap (roots_practice_days).
• Reminder settings — your daily reminder on/off and time (roots_reminder_*, roots_card_reminder_scheduled_*, roots_card_notification_ids).
• Free message counters — the daily AI message counts for free-tier users (roots_free_messages, roots_free_guide_messages).
• Stable app user ID — a random UUID generated on first launch, used as your RevenueCat ID and analytics identifier (roots_user_id). No name, email, or phone number is attached to this ID.

2.2 RevenueCat (subscription & purchase data)

We use RevenueCat to process Apple and Google in-app purchases. RevenueCat receives:

• Your roots_user_id UUID as the appUserID.
• Purchase receipts from Apple / Google (required by the stores to validate subscriptions).
• Subscription status, renewal dates, and entitlement data.

RevenueCat's privacy policy: revenuecat.com/privacy.

2.3 AI coach conversations (OpenRouter via our proxy)

When you send messages to the AI coach, they are routed through our Cloudflare Worker proxy (api.roots.celba.me/agent/chat) to OpenRouter, which forwards them to the underlying model (currently Google Gemini Flash). The proxy sends:

• Your roots_user_id UUID (for rate limiting and quota enforcement).
• The conversation messages.
• Your pro/free entitlement status (verified against RevenueCat).

The proxy does not log message contents. OpenRouter's retention policy applies to the messages they receive (typically no long-term storage, but see openrouter.ai/privacy for the authoritative terms).

2.4 Analytics (PostHog — coming soon)

We plan to add PostHog product analytics proxied through our own domain (api.roots.celba.me/ph/*). When live, it will collect:

• Your roots_user_id as the distinct_id.
• Anonymous event data (screens viewed, buttons tapped) — no message contents, no personal context fields.
• IP address (for country-level geolocation only, then discarded).

PostHog's privacy policy: posthog.com/privacy.

2.5 Image uploads

If you attach an image to the AI coach, it is sent through the same proxy to OpenRouter for the model to interpret. Images are not stored by us.

2.6 Local notifications

Daily reminders and per-card reminder notifications (D+1, D+4, weekly) are scheduled locally on your device via Expo Notifications. No data is sent to us to deliver them.

3. What we do NOT collect

• No name, email address, phone number, or other direct identifiers.
• No device location (beyond the country-level inference PostHog may derive from IP when enabled).
• No contacts, photos (beyond ones you explicitly attach to chat), microphone audio, or health data.
• No data from users under 13. We do not knowingly collect data from children. If you believe a child under 13 has used the app, please contact us and we will delete any associated data.

4. How to delete your data

4.1 In-app factory reset

Settings → Danger Zone → Factory Reset. Confirming this action will:

• Delete every roots_* key from your device's AsyncStorage (progress, context, notes, reminders, user ID).
• Anonymize your RevenueCat identity (the next app launch generates a fresh UUID).
• Cancel all scheduled local notifications.
• Return you to the onboarding flow.

After factory reset, the only remaining data is what Apple or Google retain for purchase records (governed by their own policies — we cannot delete this on your behalf; see Apple and Google Play support).

4.2 Email request

You can also email privacy@roots.celba.me to request data deletion. We will respond within 30 days and manually trigger deletion of any server-side records we hold for your roots_user_id (RevenueCat subscriber profile, OpenRouter quota counters, PostHog person profile when active).

5. Changes to this policy

We will update the Last updated date above when this policy changes. Material changes will be surfaced in-app.

6. Contact

privacy@roots.celba.me