Legal

Privacy Policy

Last updated: 24 May 2026 · Effective from: 24 May 2026

This Privacy Policy explains what personal information we collect when you use the Roots Earth mobile application (the “App”) and the website rootsearth.com (the “Website”), why we collect it, how we use it, who we share it with, and what rights you have. We’ve written it in plain language — if anything is unclear, email us at support@rootsearth.com.

1. Who we are (Data Controller)

The App and Website are operated by Roots Sh.p.k., a limited liability company incorporated in Albania (registration with the National Business Centre / Qendra Kombëtare e Biznesit is in progress).

  • Brand / product name: Roots Earth
  • Registered seat: Tirana, Albania
  • Contact email: support@rootsearth.com
  • Postal contact: by email request to the address above

We act as the data controller for personal data described in this policy, under EU Regulation 2016/679 (GDPR) and Albanian Law no. 9887/2008 on Personal Data Protection (as amended).

2. The information we collect

Roots Earth is designed to require as little personal data as possible. Most of what we collect is anonymous or pseudonymous — tied to a random identifier, not to your name or face.

2.1 Data the App always collects

  • Anonymous device identifier. When you first open the App, we generate a random UUID and store it on your device. It is never linked to your real-world identity. We use it only to remember your purchases on the same installation.
  • Language preference. The interface and audio language you select.
  • App version and platform. Your operating system (iOS or Android) and the App version — needed to support you and to diagnose problems.
  • Anonymous usage events. Which Points of Interest you open, which audio tracks you play, and basic navigation events. These are stored under the anonymous device identifier — not under your name or email.

2.2 Data we collect only if you give it

  • Email address (optional). Only if you contact support, request to restore purchases across a new device, or voluntarily provide it. We never require an account to use the App.
  • Approximate location (optional). Only if you grant the “While Using the App” permission, so we can show your position on the map. The location stays on your device — we do not transmit, log, or store your location on our servers.

2.3 Purchase data

When you buy a pass (Day, 3-Day, Week, Month, 3-Month), payment is handled directly by Apple (App Store) or Google (Google Play). We never see or store your card number, billing address, or phone number. We receive only what those platforms send us to confirm a valid purchase:

  • An anonymous transaction identifier from Apple or Google
  • The product purchased and the expiry date
  • Whether the receipt is still valid (so we know when access ends)

We link this to the anonymous device identifier so the App knows you have access. We do not link it to your Apple ID or Google account directly — only to the receipt the platforms hand us.

2.4 Data we do NOT collect

We deliberately do not collect, and have no technical ability to read:

  • Your real name, postal address, or phone number
  • Your precise location history
  • Your contacts, photos, microphone, or camera
  • Advertising identifiers (IDFA / GAID) for tracking across apps
  • Health, financial, biometric, or political-opinion data
  • Anything you do in other apps or on the web outside Roots Earth

3. Why we use this data (purpose & legal basis)

Under GDPR we must tell you why we process each piece of data and on what legal basis. Here’s the full list.

| Data | Purpose | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Anonymous device ID | Remember your purchases on this device | Contract performance (6(1)(b)) |
| Language preference | Show content in your language | Contract performance (6(1)(b)) |
| Purchase / receipt data | Validate and grant access to passes | Contract performance (6(1)(b)) |
| App version & platform | Customer support, bug fixes | Legitimate interest (6(1)(f)) |
| Anonymous usage events | Improve the App and content | Legitimate interest (6(1)(f)) |
| Email (if provided) | Respond to support requests, restore purchases | Consent (6(1)(a)) / Contract performance (6(1)(b)) |
| Approximate location (if granted) | Show your position on the in-app map | Consent (6(1)(a)) |
| Tax / accounting records of purchases | Comply with tax and audit law | Legal obligation (6(1)(c)) |

4. Where your data is stored

The personal data we control (your anonymous device ID, language choice, and purchase records) is stored on our own servers inside the European Economic Area (EEA) — in Germany. Audio, images and other media are delivered through a global content-delivery network so they load quickly wherever you are; that network caches public media files only and does not receive your personal data. Apple and Google may process payment data on their global infrastructure under their own privacy policies.

5. Who we share data with (processors)

To run the service we use a small set of trusted third parties that act as our data processors. They process data on our instructions, under written data processing agreements, and they are not allowed to use your data for their own purposes.

| Provider | What they do for us | Where |
| --- | --- | --- |
| Apple Inc. (privacy policy) | App Store distribution, in-app payments, receipt validation | USA & global |
| Google LLC (privacy policy) | Google Play distribution, in-app payments, receipt validation | USA & global |
| Our backend hosting provider (EU-based virtual server & database) | Stores the anonymous device-ID, your language choice, and purchase receipt records | EU (Germany) |
| Cloudflare, Inc. (privacy policy) | DNS, content delivery, and storage of the public audio and image files the App streams | Global edge network |
| Our analytics provider (EU-region instance) | Anonymous usage analytics so we can improve the App | EU (Germany) |
| Our crash reporting provider | Receives error reports when the App crashes (no personal data) | EU |

We do not share your data with advertisers, data brokers, or any third party for marketing purposes. We do not sell your data. We never will.

6. How long we keep data (retention)

  • Anonymous device ID & purchase records: while your pass is active, and for up to 5 years afterwards for Albanian tax & accounting compliance.
  • Anonymous usage analytics: aggregated and kept for up to 12 months; individual events are deleted automatically after that window.
  • Email (if you provided one): kept for as long as you have an active relationship with us, or until you ask us to delete it.
  • Crash reports: 90 days, then deleted.

When you uninstall the App, the anonymous device ID stored on your device is gone. The corresponding server-side record stays under the retention rules above until automatically deleted, or until you ask us to delete it sooner.

7. Your rights

Under GDPR and Albanian data-protection law, you have the following rights regarding your personal data:

  • Right of access — ask us what data we hold about you
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure (“right to be forgotten”) — ask us to delete your data, subject to legal retention obligations
  • Right to restriction — ask us to limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest (e.g. analytics)
  • Right to withdraw consent — at any time, where processing is based on consent
  • Right to lodge a complaint — with the Albanian Data Protection Commissioner (Komisioneri për të Drejtën e Informimit dhe Mbrojtjen e të Dhënave Personale) idp.al or your local EU supervisory authority

To exercise any of these rights, email support@rootsearth.com. We respond within 30 days. Because most of our data is tied only to an anonymous device ID, you may need to tell us the device ID shown in the App’s Settings screen so we can find your record.

8. Security

We protect your data with industry-standard measures:

  • All network traffic between the App, the Website, and our servers uses TLS 1.2 or higher
  • Data at rest is encrypted on our backend
  • Access to production systems is restricted to a minimum number of authorised people and is logged
  • Payment card details never touch our systems — they are handled directly by Apple and Google
  • We follow a documented incident-response process; in the unlikely event of a personal-data breach we will notify the relevant data-protection authority within 72 hours and inform affected users where required by law

9. Children

Roots Earth is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please email us and we will delete it.

Where local law sets a higher digital-consent age (such as 16 in parts of the EU), users below that age should use the App only with parental consent.

10. Cookies and similar technologies

The mobile App does not use cookies. It uses only the local device storage to remember your language preference, your anonymous device ID, and any audio you have downloaded for offline use.

The Website uses only essential technical storage required to serve the pages and to remember your cookie-consent choices. We do not use marketing cookies, advertising trackers, or cross-site tracking pixels.

11. International users

Roots Earth is available worldwide, and our audio content covers cities and countries across many regions. Wherever you are, and whichever region you explore, we apply the same EU-standard data-protection rules described in this policy.

12. Changes to this policy

We may update this Privacy Policy from time to time, for example if we add a new feature or change a processor. When we do, we will update the “Last updated” date at the top of this page and, where the change is material, notify you in the App or by email (if you have given us one).

Older versions of this policy are available on request.

13. Contact

For any privacy-related question, request, or complaint:

Roots Sh.p.k. — Roots Earth
Tirana, Albania
Email: support@rootsearth.com