Privacy Policy

Last updated: April 7, 2026

IntroductionRootcap is a personal health and life data dashboard hosted at rootcap.urldocs.com. It stores your data on your own infrastructure and makes it available to your own AI assistants via the Model Context Protocol (MCP). We are committed to protecting your privacy and handling your data responsibly.This policy was last updated on April 4, 2026.

Information We CollectRootcap collects the following categories of information:

• Account information — email address and authentication credentials used to sign in (via email OTP or Google OAuth)• Health and fitness data from Google Health Connect — sleep sessions (start time, end time, sleep stages), heart rate samples, daily step counts, active minutes, and exercise sessions. This data is used solely to display your personal health trends in the Rootcap dashboard and to provide this data to your own configured AI assistant.• Google Calendar data — calendar events including title, time, duration, and location. Used to display your schedule alongside health data for personal time-awareness insights.• User-entered data — daily capture reflections (morning and evening check-ins), energy levels, focus goals, financial snapshots, and personal notes• Minimal technical data — session information required for authentication and service operation

How We Use Your InformationAll data collected by Rootcap is used exclusively to provide features visible in the application interface:

• Display your personal health, fitness, calendar, and life data in a unified dashboard with charts and trends• Make your data available to AI assistants you explicitly configure via MCP — this is a direct connection between your Rootcap instance and your own AI assistant, with no intermediary services• Generate embeddings of your data for semantic search within the app, powered by Voyage AI — only the text content is sent for embedding, and the resulting vectors are stored alongside your data• Send authentication emails (OTP codes and magic links) via Postmark

We do not use your data for advertising, analytics, profiling, credit assessment, or any purpose beyond providing the Rootcap service to you.

Data Storage and SecurityYour data is stored in a PostgreSQL database on infrastructure you control. All connections use TLS encryption in transit. Authentication tokens are hashed using SHA-256 before storage. MCP tokens are generated using cryptographically secure random bytes and only the hash is persisted.File uploads (such as profile images) are stored in Cloudflare R2 object storage under your account's namespace.

Data Sharing and DisclosureRootcap does not sell, rent, trade, or share your personal data with any third parties. Specifically:

• We do not transfer data to advertising platforms, data brokers, or information resellers• We do not use your data for serving advertisements or targeted marketing• We do not use your data for credit assessment or lending decisions• Your data is accessible only to AI assistants you explicitly configure via MCP using tokens you generate and control

We may disclose data only if required by law (court order, subpoena, or applicable legal process).

Google API Services — Limited Use DisclosureRootcap's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.In particular:

• Data obtained from Google Health Connect and Google Calendar is used solely to provide user-facing features within Rootcap• No Google user data is transferred to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger/acquisition with user consent• No Google user data is used for serving advertisements• No humans read your Google user data unless you provide affirmative consent, it is necessary for security purposes, or it is required by applicable law

Google Health Connect DataRootcap requests access to the following Health Connect data types, each for a specific user-facing purpose:

• Sleep sessions (start time, end time, sleep stages) — displayed as nightly sleep duration and quality trends on the Body dashboard• Heart rate samples — displayed as resting and active heart rate patterns on the Body dashboard• Steps and active minutes — displayed as daily movement summaries on the Body dashboard• Exercise sessions — displayed alongside activity data for workout tracking

All Health Connect data is read-only. Rootcap does not write data back to Health Connect. This data is never shared with other apps or services beyond your own configured AI assistant via MCP.

Google Calendar DataRootcap accesses your Google Calendar events (title, time, duration, location) to display your schedule on the Time dashboard alongside your health data. Calendar data is stored in your database and is not transmitted to any third party.

Data Retention and DeletionYour data is retained for as long as your account exists. You can:

• Delete your account and all associated data at any time from your profile settings• Revoke Google Health Connect permissions via Android Settings > Health Connect at any time• Revoke Google Calendar access via your Google Account security settings at any time• Revoke MCP access tokens from the MCP settings page at any time

When you delete your account, all personal data including health records, calendar data, capture entries, financial snapshots, embeddings, and MCP tokens are permanently removed.

Cookies and AuthenticationRootcap uses session cookies for authentication. These are functional cookies required for the service to operate. We do not use tracking cookies, analytics cookies, or advertising cookies.

Third-Party ServicesRootcap uses the following third-party services in the course of providing the application:

• Postmark — for sending authentication emails (OTP codes and magic links). Only your email address is shared with Postmark for this purpose.• Voyage AI — for generating text embeddings that power semantic search. Only serialized text summaries of your data are sent. Voyage AI does not store your data beyond processing.• Cloudflare R2 — for storing uploaded files (profile images). Files are stored under your account namespace.

Children's PrivacyRootcap is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

Changes to This PolicyWe may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "last updated" date above. Continued use of Rootcap after changes constitutes acceptance of the updated policy.

Contact UsIf you have questions about this privacy policy or how your data is handled, contact us via our contact page.