Quick Summary
We collect only what we need to provide our service. We never sell your data. You own your data and can export or delete it anytime. We're GDPR compliant and take security seriously.
1. Introduction & Who We Are
RootCascade Ltd. ("RootCascade", "we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, and protect your information when you use our incident management platform and related services.
Data Controller Information
Company: RootCascade Ltd.
Registration: England and Wales, Company No. 14523891
Address: 282A Lee High Rd, London SE13 5PJ, United Kingdom
Email: privacy@rootcascade.com
ICO Registration: ZB123456
This policy applies to all users of RootCascade, including visitors to our website, free trial users, and paying customers. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. What Data We Collect
2.1 Information You Provide Directly
When you create an account, use our service, or contact us, you may provide:
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email, company name, job title, password | Create and manage your account |
| Billing Information | Payment card details, billing address, VAT number | Process payments (via Stripe) |
| Incident Data | Incident descriptions, timelines, postmortems, comments, severity levels | Provide core service functionality |
| Team Information | Team member names, emails, roles, on-call schedules | Enable team collaboration |
| Integration Credentials | API tokens, OAuth tokens for connected services | Connect third-party tools (stored encrypted) |
| Support Communications | Support tickets, emails, chat messages, feedback | Provide customer support |
| User Preferences | Timezone, notification settings, UI preferences | Personalise your experience |
2.2 Information Collected Automatically
When you use our Service, we automatically collect:
| Data Type | Details | Retention |
|---|---|---|
| Usage Analytics | Pages visited, features used, actions taken, time spent | 90 days (aggregated indefinitely) |
| Device Information | Browser type, OS, device type, screen resolution | 90 days |
| Log Data | IP addresses (anonymised), access times, referring URLs, error logs | 90 days |
| Performance Data | Page load times, API response times, error rates | 30 days |
2.3 Information from Third-Party Integrations
When you connect third-party services to RootCascade, we may receive:
- From PagerDuty/OpsGenie: Alert details, incident status, on-call schedules, escalation policies
- From Slack/Teams: Channel information, message content (in incident channels only), user presence
- From GitHub/GitLab: Commit information, deployment events, pull request details
- From Datadog/Grafana: Metric snapshots, alert configurations, dashboard links
- From AWS/GCP/Azure: CloudTrail events, resource changes, service health
We only access data necessary for our service to function. You can disconnect integrations at any time, which stops further data collection from that service.
2.4 Information We Don't Collect
We do not collect:
- Sensitive personal data (racial origin, political opinions, religious beliefs, health data, sexual orientation) unless you voluntarily include it in incident descriptions
- Biometric data
- Data from your personal devices outside the Service
- Social media data (unless you connect an integration)
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the Service | Account info, incident data, integrations | Contract performance (Art. 6(1)(b)) |
| Process payments and billing | Billing information | Contract performance (Art. 6(1)(b)) |
| Send service communications | Email address | Contract performance (Art. 6(1)(b)) |
| Provide customer support | Account info, support communications | Contract / Legitimate interests |
| Improve and develop the Service | Usage analytics, feedback | Legitimate interests (Art. 6(1)(f)) |
| Ensure security and prevent fraud | Log data, device info | Legitimate interests (Art. 6(1)(f)) |
| Send marketing communications | Email address, preferences | Consent (Art. 6(1)(a)) |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
| Generate AI-powered insights | Incident data (within your account) | Contract performance (Art. 6(1)(b)) |
AI and Machine Learning
Our cascade tracing and postmortem generation features use machine learning. Your incident data is processed to provide these features within your account only. We do not use your data to train models that benefit other customers. You can disable AI features in your account settings.
4. Who We Share Data With
We never sell your personal data. We may share data with:
4.1 Service Providers (Sub-processors)
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Amazon Web Services | Infrastructure hosting | EU (London) | All service data |
| Stripe | Payment processing | USA (EU SCCs) | Billing information |
| Intercom | Customer support | USA (EU SCCs) | Support communications, account info |
| PostHog | Product analytics | EU (self-hosted) | Usage analytics (anonymised) |
| Sentry | Error tracking | USA (EU SCCs) | Error logs, device info |
| Resend | Transactional email | USA (EU SCCs) | Email addresses, email content |
4.2 Third-Party Integrations
When you connect integrations, data flows between RootCascade and those services according to your configuration. Each integration has specific data flows documented in our Integrations documentation.
4.3 Legal and Safety Disclosures
We may disclose data if required by law, court order, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of RootCascade, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide 30 days' notice before any such transfer and give you the opportunity to delete your data.
5. How Long We Keep Data
| Data Type | Retention Period | Notes |
|---|---|---|
| Account data | While account is active + 30 days | Deleted within 30 days of account closure |
| Incident data | Per your plan (7-365 days, or custom) | You can configure retention in settings |
| Postmortems | Per your plan settings | Exportable before deletion |
| Billing records | 7 years | Required for tax/legal compliance |
| Support communications | 3 years after resolution | To improve support quality |
| Usage analytics | 90 days (raw), indefinite (aggregated) | Aggregated data is anonymised |
| Log data | 90 days | For security and debugging |
| Backups | 30 days | Encrypted, automatically purged |
6. Your Rights (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar laws, you have the following rights:
To exercise your rights: Email privacy@rootcascade.com with your request. We will respond within 30 days. You may also use the self-service options in Settings → Privacy.
Complaints: You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).
7. How We Protect Your Data
We implement comprehensive security measures to protect your data:
- Encryption in Transit: All data is encrypted using TLS 1.3 with strong cipher suites
- Encryption at Rest: All data is encrypted using AES-256 encryption
- Access Controls: Role-based access control, principle of least privilege
- Authentication: Secure password hashing (bcrypt), MFA support, session management
- Infrastructure: VPC isolation, security groups, WAF protection, DDoS mitigation
- Monitoring: 24/7 security monitoring, intrusion detection, anomaly alerts
- Testing: Annual penetration tests, regular vulnerability scanning, bug bounty program
- Certifications: SOC 2 Type II, ISO 27001 (in progress)
- Employee Security: Background checks, security training, access logging
See our Security page for more details.
8. International Data Transfers
Your data is primarily stored in AWS EU-West-2 (London). When we transfer data outside the EEA/UK, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) for UK transfers
- Adequacy decisions where applicable
- Supplementary measures including encryption and access controls
You can request a copy of our Data Processing Agreement (DPA) and SCCs by emailing legal@rootcascade.com.
9. Cookies & Tracking
We use cookies and similar technologies as described in our Cookie Policy. In summary:
- Essential cookies: Required for the Service to function (cannot be disabled)
- Analytics cookies: Help us understand usage (opt-out available)
- No advertising cookies: We do not use any advertising or tracking cookies
10. Children's Privacy
Our Service is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@rootcascade.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you by email at least 30 days before changes take effect
- We will post a prominent notice on our website
- We will update the "Last updated" date at the top of this page
- We will maintain an archive of previous versions
12. Contact Us
For privacy-related questions, to exercise your rights, or to raise concerns:
Privacy Contact
Email: privacy@rootcascade.com
Post: Data Protection Officer, RootCascade Ltd., 282A Lee High Rd, London SE13 5PJ, United Kingdom
Response time: We aim to respond within 5 business days, and will resolve requests within 30 days.