Privacy Policy

Effective date: March 31, 2026

This Privacy Policy explains how Roots CRM ("Roots CRM," "we," "our," or "us") collects, uses, stores, shares, and protects personal information when you use our website, software, applications, integrations, and related services (collectively, the "Services").

This Policy applies to information we collect from business customers who create or administer Roots CRM accounts, as well as information processed through the Services about employees, contractors, job applicants, customers, leads, prospects, vendors, and other individuals whose data is submitted to Roots CRM by our customers.

1. Important role clarification

In many cases, Roots CRM acts as a service provider, processor, or similar vendor on behalf of the business customer that uses our Services. That business customer decides what data is collected, uploaded, or managed in the platform. If your information was provided to Roots CRM by one of our customers, that customer may control certain privacy decisions regarding your information.

2. Information we collect

A. Information you provide directly

We may collect information such as:

• name, email address, phone number, username, password, and business details;
• billing details, subscription details, and transaction records;
• customer, lead, and contact records uploaded or entered into the platform;
• employee and contractor information, including onboarding, payroll, tax, payout, and direct deposit details submitted through the Services;
• documents you upload, including onboarding documents, agreements, forms, invoices, estimates, receipts, and attachments;
• messages, emails, SMS content, support requests, and other communications;
• settings, preferences, templates, branding, workflows, and custom content you create.

B. Information collected automatically

When you use the Services, we may automatically collect:

• IP address, browser type, device identifiers, operating system, and approximate location;
• usage data such as pages viewed, features used, clicks, log events, and timestamps;
• cookie, local storage, session, and similar technical information used to keep you signed in and improve the Services;
• performance, diagnostic, and error information.

C. Information from integrations and third parties

If you connect third-party services, we may receive information from those services consistent with your permissions and the integration’s functionality. Depending on what you connect, this may include information from providers such as Google, Stripe, Twilio, SendGrid, QuickBooks, Gusto, and similar vendors.

D. Sensitive and financial information

Because Roots CRM supports onboarding, payroll, billing, and payment workflows, we or our service providers may process sensitive or regulated categories of data, including government-issued identifiers, tax information, payout details, and bank account information, when submitted through the Services by you or your organization. We only process this information as needed to provide requested features, comply with law, detect fraud, maintain security, or fulfill related business purposes described in this Policy.

3. How we use information

We use personal information to:

• provide, operate, maintain, secure, and improve the Services;
• create and manage accounts, authenticate users, and enforce access controls;
• support CRM, communications, onboarding, scheduling, billing, payroll, estimates, invoices, documents, and reporting features;
• process transactions, subscriptions, payments, payouts, refunds, and account administration;
• send service-related notices, authentication messages, onboarding messages, support communications, and transactional emails or SMS;
• connect and operate third-party integrations that you enable;
• detect, investigate, prevent, and address fraud, abuse, security incidents, and technical issues;
• comply with legal obligations and enforce our agreements;
• analyze usage and improve functionality, performance, and user experience.

4. How we share information

We may share information in the following circumstances:

• With service providers and subprocessors: hosting, infrastructure, analytics, communications, payments, email, SMS, accounting, support, authentication, payroll, and integration providers that help us run the Services;
• With integrations you enable: when you choose to connect providers such as Google, Stripe, Gusto, QuickBooks, Twilio, or SendGrid;
• Within your organization: with authorized users, admins, managers, and team members in your workspace according to your account and permission settings;
• For legal, security, or compliance reasons: if required by law, subpoena, court order, government request, or where necessary to protect rights, property, safety, users, or the Services;
• In a business transaction: as part of a merger, acquisition, financing, bankruptcy, reorganization, or sale of assets;
• With your direction or consent: when you instruct us to disclose information.

We do not sell personal information for money. We also do not use Google user data obtained through restricted Google scopes for advertising or other prohibited purposes. Google’s policies require accurate disclosure, limited use, deletion handling, and secure processing of user data.

5. Google data and connected account data

If you connect a Google account, we may access and use Google account data only for the functionality you authorize, such as sending email from your connected account or displaying connected account details in the Services. We do not use Google-connected data for unrelated advertising. We retain and use Google data only as necessary to provide the requested functionality, maintain security, comply with law, and support legitimate operational needs.

6. Payments, payroll, and financial data

Some payment, payroll, tax, or banking functions may be provided in connection with third-party partners such as Stripe and Gusto. When you use those features, your information may be processed by those providers under their own terms and privacy practices in addition to this Policy. We may receive limited status, account, payout, payroll, or transaction information from those providers to support the functionality of the Services.

7. Cookies and similar technologies

We may use cookies, local storage, pixels, session technologies, and similar tools to keep you signed in, remember preferences, secure accounts, understand usage, and improve the Services. You may be able to control certain cookie settings through your browser, but disabling them may affect functionality.

8. Data retention

We retain information for as long as reasonably necessary to provide the Services, maintain business and tax records, support legitimate operational needs, resolve disputes, enforce agreements, and comply with legal obligations. Retention periods may vary based on the type of information, the workspace’s settings, and applicable law.

9. Security

We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. No method of storage or transmission is completely secure, and we cannot guarantee absolute security. The FTC recommends that businesses map the personal data they hold and implement reasonable safeguards appropriate to the sensitivity of that data.

10. Your rights and choices

Depending on where you live, you may have rights to:

• access, correct, update, or delete certain personal information;
• object to or restrict certain processing;
• request a copy of your information in a portable format;
• withdraw consent where processing is based on consent;
• appeal a privacy-related decision where required by law.

If you are an end user, employee, contractor, or customer whose information was submitted by one of our business customers, please contact that business first. We may assist our customer in responding where appropriate.

11. International transfers

We and our service providers may process and store information in the United States and other countries where we or our providers operate. As a result, your information may be transferred to jurisdictions that may have different data protection laws than the place where you reside.

12. Children’s privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information directly from children under 13 through the Services. If you believe a child has provided personal information to us, please contact us so we can investigate and take appropriate action.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may update the effective date above and, where appropriate, provide additional notice through the Services or by email.

14. Contact us

If you have questions about this Privacy Policy or our privacy practices, contact:

Roots CRM
support@rootscrm.app
https://rootscrm.app