Privacy Policy

Rooted Co-Living (“Rooted,” “we,” “us,” or “our”) operates rootedcoliving.com, the Rooted Platform (including operator tenant sites hosted on subdomains of rootedcoliving.com), the guest portal, and related services. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services as a guest, operator, case manager, or site visitor.

1. Information We Collect

Information You Provide

• Account information: Name, email address, phone number, password
• Housing applications: Date of birth, address, recovery history, drug of choice, sobriety date, employment status, legal history (criminal background, probation/parole status), emergency contacts, photo ID
• Operator information: Organization name, business address, contact details, staff bios, property details, pricing, services offered
• Case manager referrals: Referrer name, organization, contact information, client situation description
• Financial information: Payment details processed through Stripe (we do not store credit card numbers)
• Communications: Messages sent through the guest portal, contact forms, or referral messaging system
• Marketplace waitlist: Email, name, phone, city of interest

Information Collected Automatically

• Usage data: Pages visited, features used, timestamps, referral sources
• Device information: Browser type, operating system, IP address, device identifiers
• Analytics: Aggregated usage patterns collected through PostHog and Vercel Analytics

Sensitive Information

We collect sensitive personal information including recovery history, substance use history, sobriety dates, drug testing results, and health-related information necessary to provide recovery housing services. This information is collected only with your consent through the application process and is subject to enhanced security protections described in Section 5.

2. How We Use Your Information

• Process and evaluate housing applications
• Provide and manage recovery housing services
• Operate the guest portal (check-ins, wellness tracking, chores, meetings, messaging)
• Process payments and manage billing
• Facilitate referrals between case managers and operators
• Operate the marketplace (bed availability, waitlist signups)
• Generate and host operator marketing websites
• Send transactional notifications (application updates, referral responses, payment confirmations)
• Improve our services and user experience
• Comply with legal obligations
• Enforce our Terms of Service

3. Third-Party Services

We use the following third-party services to operate our platform:

• Supabase — Database hosting, authentication, and file storage. Data is stored in the United States. Supabase Privacy Policy
• Vercel — Website hosting and deployment. Vercel Privacy Policy
• Stripe — Payment processing. We do not store credit card numbers; Stripe handles all payment data. Stripe Privacy Policy
• Resend — Transactional email delivery. Resend Privacy Policy
• PostHog — Product analytics (anonymized usage data). PostHog Privacy Policy

We do not sell your personal information to third parties. We share information with the service providers listed above only as necessary to operate our platform.

4. Cookies and Tracking

We use the following types of cookies:

• Essential cookies: Authentication session tokens required for login and account access. These cannot be disabled.
• Analytics cookies: PostHog and Vercel Analytics collect anonymized usage data to help us improve the platform. You can opt out of analytics tracking by contacting us.

We do not use advertising cookies or retargeting pixels.

5. Data Security

• All data is transmitted over HTTPS (TLS encryption)
• Database access is protected by row-level security (RLS) ensuring operators can only access their own organization's data
• Sensitive fields (phone numbers, health data) may be encrypted at rest
• Administrative actions are logged in an audit trail
• Authentication uses secure, httpOnly cookies with SameSite protection
• API endpoints are rate-limited to prevent abuse
• Platform owner access is restricted by environment-level configuration

6. Data Retention

• Active accounts: Data is retained for as long as your account is active and you are receiving services
• After departure/account closure: We retain data for up to 3 years to comply with legal and regulatory requirements, after which it is securely deleted
• Applications (not accepted): Retained for 1 year, then deleted
• Analytics data: Aggregated and anonymized; retained indefinitely
• Account deletion requests: Processed within 30 days. Some data may be retained as required by law.

7. Multi-Tenant Data Isolation

The Rooted Platform serves multiple housing operators. Each operator's data (guests, applications, beds, billing) is isolated at the database level using organization-scoped queries and row-level security policies. Operators cannot access another operator's data. Platform administrators may access data across organizations for support and oversight purposes.

8. Your Rights

All Users

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Portability: Request your data in a portable format

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You may request the categories and specific pieces of personal information we have collected about you
• Right to delete: You may request deletion of your personal information
• Right to opt out of sale: We do not sell personal information. There is nothing to opt out of.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
• Right to limit use of sensitive personal information: You may request that we limit use of sensitive information (recovery history, health data) to what is necessary to provide housing services

To exercise your CCPA/CPRA rights, contact us at info@rootedcoliving.com or (949) 565-5285. We will respond within 45 days.

9. Health Information Disclaimer

Rooted Co-Living is a recovery housing provider, not a healthcare provider. While we collect recovery-related information (sobriety dates, drug testing results, substance use history) to provide housing services, we are not a covered entity under HIPAA. However, we voluntarily apply enhanced security measures to protect this sensitive information, including encryption, access controls, and audit logging.

We do not share recovery or health-related information with third parties except: (1) with your explicit consent (e.g., to case managers you authorize), (2) to emergency contacts in crisis situations, or (3) as required by law.

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly. Contact us if you believe we have collected information from a minor.

11. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected individuals within 72 hours of discovering the breach, as required by applicable law. Notification will be sent via email and, where appropriate, posted on our website.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last updated” date. For significant changes, we may also notify you by email.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Rooted Co-Living
info@rootedcoliving.com
(949) 565-5285
Corona, CA