Legal
Privacy Policy
Last updated May 17, 2026. We try to write these without buzzwords — if anything reads opaque, email privacy@rootherald.io and we'll fix it.
Scope
What this covers
This policy covers rootherald.io, the Root Herald dashboard, our API, our client SDKs, and the browser extension. It applies to people who sign up for a tenant (you're our customer) and people whose devices attest through our service (your end-users). The two get very different treatment because they share very different data with us.
Customers
If you have a Root Herald tenant
When you sign up, we collect your email, password (stored only as a bcrypt hash), the name of your organization, and the slug you pick. We use this to authenticate you and to bill you. If you're on a paid plan, Stripe processes the payment and we store the Stripe customer id and the last four digits of the card — nothing more.
We log API request metadata (timestamps, route, tenant id, response code) for 30 days for security and abuse detection. We do not log request or response bodies. We do not track your dashboard sessions with third-party analytics; the dashboard ships with no third-party scripts.
You can delete your tenant from the dashboard at any time. We remove identifiable data within 30 days; statistical counters that have already been aggregated for usage billing may persist for one more billing cycle. Deletion is irreversible.
End-users
If your device attested through Root Herald
When a device attests, the SDK sends a TPM quote (or Secure Enclave / StrongBox / App Attest assertion) and a per-device handle. The handle is a cryptographic identifier derived from the device's attestation key — it is not a username, email, IP, or browser fingerprint. We do not see who you are.
The relying party that asked your device to attest sees only the verdict (pass/fail/needs-review) and a token containing the device class. They join that to their own user identity on their side — that's not us.
We keep raw attestation evidence for 30 days for fraud review and replay-defense, then permanently delete it. Statistical signals derived from many devices (e.g., "this firmware version is associated with abuse") are retained longer, because they make the platform safer for everyone — but they cannot be reversed to point at any single device.
Locations
Where the data lives
Our production environment runs in AWS us-west-2 (Oregon, USA). We use Stripe for payments (US/Ireland), Postmark for transactional email (US), Sentry for error tracking (US), and Cloudflare for DDoS protection (global edge). The full list lives at /legal/sub-processors.
If you're in the EU, the EU Standard Contractual Clauses cover cross-border transfers. We'll sign your DPA — contact dpa@rootherald.io.
Your rights
What you can ask us to do
You can ask us for a copy of everything we have on you, ask us to correct it, ask us to delete it, or ask us to stop processing it. Email privacy@rootherald.io. We respond within 30 days, no questions asked, no dark patterns.
If you're not happy with our response you can complain to your local data protection authority. We'd obviously rather you tell us first so we can fix it.
Changes
If we change this
We'll post the new version here with the "Last updated" date bumped at the top, and email tenant admins if anything material changes. The git history of this file lives in our public repo — diffs are available.