SupaRoot Privacy Policy

Effective Date: December 17, 2025

This Privacy Policy is issued by:

SupaRoot Operated by: Tariq Riahi Country of residence: Netherlands Contact email: t.riahi0710@gmail.com

SupaRoot is the data controller responsible for your personal data collected through our platform.

This Privacy Policy applies to:

• The SupaRoot platform and related services
• Websites created and hosted through SupaRoot by our business users

Important distinction:

• SupaRoot acts as the platform provider and processes data on behalf of businesses using our platform
• Business users (tenants) are responsible for their own use of the platform and their relationships with their customers

When you create and use a SupaRoot account, we collect:

• Name – for account identification
• Email address – for authentication and communication
• Account credentials – passwords are stored in hashed form only
• Business information – including business name, settings, and preferences

Purpose: To create and manage your account, authenticate your access, and enable platform functionality.

When visitors interact with websites powered by SupaRoot, the following data may be collected on behalf of our business users:

Contact Form Data:

• Name
• Email address
• Message content

Booking Data:

• Name
• Email address
• Phone number
• Appointment date, time, and details

Channel Tracking Data:

• IP address
• Visit timestamp
• Referral source or channel identifier

Purpose: To enable bookings, facilitate communication between businesses and their customers, and provide visit analytics to businesses.

Important: We do not intentionally collect sensitive personal data such as health information, financial data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or similar categories.

SupaRoot processes IP addresses for the following purposes:

• To measure website visits
• To attribute visits to specific channels or referral sources
• To provide analytics to business users

Storage and Retention: IP addresses may be stored temporarily for operational purposes and analytics. Channel tracking data is retained only for as long as necessary to provide analytics functionality to business users and is periodically deleted or anonymized. We implement appropriate technical measures to minimize data retention where possible.

Legal basis: Processing of IP addresses is based on our legitimate interest in providing analytics functionality to our business users and maintaining platform security.

We process personal data under the following legal bases:

Contractual Necessity:

• Account data for SupaRoot users
• Booking data submitted through business websites

Legitimate Interest:

• Channel tracking and visit analytics
• Basic logging and security monitoring
• Platform improvement and optimization

Consent:

• Where required for specific processing activities beyond essential platform functionality (we will obtain explicit consent in such cases)

SupaRoot uses only essential cookies and technical storage necessary for platform functionality. Specifically:

• We use essential cookies required for authentication and session management
• We do not use advertising cookies
• We do not use third-party tracking cookies for marketing purposes

Business users may choose to implement additional tracking on their own websites, for which they are independently responsible.

Your data is stored using the following infrastructure:

• Database: Supabase PostgreSQL database
• Hosting: Cloud infrastructure providers

We engage third-party service providers to support platform operations, including hosting providers and infrastructure services. These processors are contractually obligated to protect your data and use it only for the purposes we specify.

Data may be stored and processed in servers located outside your country of residence. When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other legally approved mechanisms, to protect your personal data in accordance with GDPR requirements.

We retain personal data for the following periods:

• Account data: Retained while your account remains active
• Booking data: Retained until deleted by the business user or end customer
• Channel tracking logs: Retained for a limited period necessary for analytics purposes, then periodically deleted or anonymized

When data is no longer needed for its original purpose, it is deleted or anonymized in accordance with our data retention policies.

Under the GDPR and applicable data protection laws, you have the following rights:

• Right to access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to deletion: Request deletion of your personal data
• Right to restriction: Request limitation of processing in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority

To exercise any of these rights, please contact us at t.riahi0710@gmail.com.

We implement appropriate technical and organizational security measures to protect your personal data, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Secure storage practices

While we strive to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

SupaRoot is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at t.riahi0710@gmail.com so we can delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by:

• Posting the updated policy on our website
• Sending an email notification to account holders (where appropriate)

The "Effective Date" at the top of this policy indicates when it was last updated. Your continued use of SupaRoot after changes become effective constitutes acceptance of the updated policy.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: t.riahi0710@gmail.com