Privacy Policy
Root & Seal (dba Root & Fork™ / CultureFit Health Engine™) — rootandfork.app
Last updated: May 27, 2026
This Privacy Policy explains how Root & Seal ("we," "us," or "our") collects, uses, shares, and protects information when you use the Root & Fork™ / CultureFit Health Engine™ website and services (the "Service"). By using the Service, you agree to this Policy.
1. Information We Collect
Account information. Name, email, password (stored hashed), and authentication identifiers when you sign up or log in.
Profile and preferences. Cultural cuisine selection, dietary preferences, allergies and restrictions, household/family settings, and goals you choose to share.
Generated content. The meal plans, recipes, and substitutions returned to you, plus the inputs that produced them.
Usage and device data. Log data, IP address, browser type, device identifiers, and basic analytics about how you use the Service.
Payment data. Processed by our payment provider; we do not store full card numbers on our servers.
2. Health-Related Information
Information you provide about allergies, intolerances, or general nutrition goals is used solely to personalize meal recommendations. The Service is not a covered entity or business associate under HIPAA and should not be used to store or transmit Protected Health Information. Do not submit clinical diagnoses, lab results, or medical records.
3. How We Use Information
We use information to: (a) operate, personalize, and improve the Service; (b) generate and deliver meal recommendations; (c) maintain security and prevent abuse; (d) communicate with you about your account, updates, and support; (e) comply with legal obligations; and (f) develop aggregated, de-identified analytics that do not identify you.
4. AI and Recommendation Processing
To generate meal plans, your inputs (cuisine, preferences, restrictions) are sent to our server, which uses our proprietary scoring and substitution logic together with a third-party large-language-model gateway. We do not sell your inputs, and we instruct providers not to use your inputs to train their general-purpose models where that option is available.
5. Sharing
We share information only with: (a) service providers who help us operate the Service (hosting, database, authentication, analytics, AI inference) under confidentiality obligations; (b) our Merchant of Record, Paddle.com, which processes all payments, subscription management, tax compliance, and invoicing on our behalf and acts as an independent data controller for that purpose (see Paddle's Privacy Notice); (c) professional advisers (legal, accounting); (d) authorities when required by law or to protect rights and safety; and (e) successors in a merger, acquisition, or asset sale (with notice where required). We do not sell your personal information.
6. Cookies and Analytics
We use cookies and similar technologies for authentication, preferences, and basic analytics. You can control cookies through your browser settings; disabling them may break parts of the Service.
7. Data Retention
We retain account and profile data while your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. You can request deletion at any time (see "Your Rights").
8. Security
We use industry-standard administrative, technical, and physical safeguards including encryption in transit (TLS), encryption at rest for our managed database, row-level security, and access controls. No system is perfectly secure; we cannot guarantee absolute security.
9. Your Rights
Depending on your jurisdiction (including California/CCPA and EU/UK GDPR), you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to withdraw consent. To exercise these rights, contact us. We will respond within the timeframe required by applicable law.
10. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
11. International Transfers
We are based in the United States and may process information in the U.S. and other countries that may have different data-protection laws than your country. Where required, we use appropriate safeguards for cross-border transfers.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date.
13. Contact
Questions about this Policy or your data? Contact us.
