Privacy Policy

1. Who is Responsible?

Root & Logic is the so-called Data Controller for the processing of personal data as described in this statement, insofar as it concerns our own business administration, website visitors, and contact persons at business clients (B2B).

Insofar as Root & Logic processes personal data in its applications on behalf of a client (e.g., a dataset uploaded by the client), Root & Logic acts as Processor. The agreements regarding this are recorded in the General Terms and Conditions and/or a separate Data Processing Agreement.

2. What Data Do We Process?

Depending on the service you purchase or your interaction with us, we process the following categories of data:

• Business Contact Details: Name, job title, company name, email address, telephone number, billing details, and payment history.
• Account Data: Usernames, hashed passwords, login logs, and rights structures within our software.
• Technical Usage & Telemetry: IP addresses, browser fingerprints, device IDs, logs of API calls, error reports, and click behavior within the applications.
• Input Data (Input): Textual input ('prompts'), files, and parameters entered by the user into our AI systems.
• Communication: Content of email traffic, support tickets, and chat messages with our helpdesk.

3. Purposes and Legal Bases of Processing

We process personal data for the following purposes, based on the legal grounds mentioned alongside (Art. 6 GDPR):

• Execution of the Agreement: Delivering software licenses, providing access to the SaaS platform, providing support, and invoicing services.
• Legal Obligation: Keeping financial records and complying with fiscal retention obligations.
• Legitimate Interest (Security & Fraud): Monitoring network traffic to detect and prevent abuse, DDoS attacks, and hacking attempts.
• Legitimate Interest (Product Improvement & AI Training): Analyzing anonymized usage data and prompts to improve the accuracy, safety, and performance of our algorithms and AI models.

Note: Personal data is anonymized where possible before being used for this purpose.

4. Sharing Data with Third Parties (Sub-processors)

Root & Logic only shares personal data with third parties if this is strictly necessary for the service provision. We use the following categories of service providers ("Sub-processors"):

• Cloud & Hosting Providers: (e.g., AWS, Microsoft Azure, Google Cloud) for data storage and computing power.
• AI Service Providers: (e.g., OpenAI, Anthropic) for processing prompts via API connections.
• Financial Services: Accounting software and payment providers.

We have concluded data processing agreements with all these parties that meet the requirements of the GDPR. These third parties are prohibited from using the data for their own commercial purposes, unless aggregated and anonymized.

5. International Transfer (Outside the EEA)

Given the nature of AI technology, it may occur that data is processed by servers in the United States or other countries outside the European Economic Area (EEA). Root & Logic ensures that such transfers only take place if:

• The country offers an adequate level of protection according to the European Commission (e.g., via the EU-US Data Privacy Framework); or
• Use is made of the model contract clauses (Standard Contractual Clauses - SCCs) of the European Commission, supplemented with necessary security measures such as encryption.

6. Security and Retention Periods

Security

We take appropriate technical and organizational measures to prevent abuse, loss, unauthorized access, and other unwanted actions. This includes, among other things:

• Encryption of data at rest and in transit
• Multi-factor authentication (MFA)
• Strict access control

Retention Periods

We do not retain data longer than necessary for the purpose of the processing.

7. Your Rights

As a data subject, you have the following rights:

• Right to access your personal data
• Right to rectification or erasure of data
• Right to restriction of processing
• Right to data portability
• Right to object to processing

Because we primarily process business data, certain rights may be limited. Requests can be submitted via info@rootandlogic.com. We will respond within four weeks.

8. Automated Decision Making

Root & Logic uses AI algorithms. Although these systems perform analyses, no fully automated decision-making takes place with regard to persons that has legal consequences or significantly affects the data subject (as intended in Art. 22 GDPR), unless explicitly agreed otherwise.

The final responsibility for decisions based on AI output lies with the human user.

9. Cookies

Our website uses cookies to improve the user experience and analyze website traffic. For more information about this, we refer you to our Cookie Policy.

10. Amendments

We may amend this privacy statement from time to time. Amendments will be published on this page with a new version date. We advise you to consult this page regularly.