Privacy Policy
Effective Date: May 1, 2026 Version: 2
Rootlake LLC (“Rootlake,” “we,” “us,” or “our”) is a Wyoming limited liability company. This Privacy Policy describes how we collect, use, disclose, sell, share, and safeguard personal information in connection with our website and our data services.
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, or another U.S. state that has enacted a comprehensive consumer privacy law, you have specific rights under that law as described in Section 8 below.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (the “GDPR”), the UK GDPR, or the Swiss Federal Act on Data Protection as described in Section 8 below.
1. Who we are and the scope of this policy
Rootlake operates a software development kit (the “SDK”) that mobile-application developers (“Publishers”) integrate into their mobile applications. With each end user’s prior consent obtained through the Publisher’s consent management platform and, where applicable, through the user’s operating-system controls, the SDK collects measurements about mobile network performance, device characteristics, and (where consented) location, and forwards them to Rootlake’s infrastructure.
Rootlake aggregates these measurements across the apps in which our SDK is installed and provides curated data products and analytics to our business customers. We do not operate consumer-facing applications. Individuals who use the apps in which our SDK is installed interact with us only indirectly, through those apps.
This Privacy Policy covers:
- (a) personal information collected through our SDK from end users of Publisher applications;
- (b) personal information collected through our website at rootlake.io; and
- (c) personal information collected from business contacts who reach out to us, evaluate our services, or do business with us.
This policy does not cover the privacy practices of Publishers or of our business customers. Publisher applications have their own privacy policies that describe what those apps collect directly and how they use the SDK. Our business customers have their own privacy policies that describe what they do with the data we deliver to them.
Geographic scope. Rootlake’s SDK is not deployed in the United States and does not process personal information from devices located in the United States. United States-originating records are excluded at ingestion before any data is written to our systems.
2. Categories of personal information we collect
2.1 Through our SDK (from end users of Publisher applications)
When a Publisher integrates the Rootlake SDK in its mobile application and an end user provides consent, the SDK may collect the following categories of personal information:
| Category (CCPA §1798.140) | Examples specific to Rootlake |
|---|---|
| Identifiers | Mobile advertising identifier (Android Advertising ID, Amazon Advertising ID, Huawei Advertising ID — when available on the device); a Rootlake-generated installation identifier; IP address |
| Internet or other network activity information | Cellular signal measurements (signal strength, signal quality, network type, latency, throughput); cell tower identifiers (mobile country code, mobile network code, cell ID); WiFi network identifiers (BSSID and SSID) when WiFi is the active connection; speedtest measurements |
| Geolocation data (including precise geolocation, which is “sensitive personal information” under California law) | GPS coordinates (latitude and longitude) with horizontal accuracy; altitude and speed when available |
| Inferences | Coverage inferences derived from the above (e.g., signal-quality classifications) |
| Device characteristics | Device manufacturer, model, operating system and version, locale, time zone, battery state, screen state |
The SDK does not collect names, email addresses, phone numbers, contact lists, photos, microphone audio, camera content, communications content, browsing history, app-usage history, or financial information. The SDK does not capture data when the end user has not provided consent, when consent has been withdrawn, or when the operating system reports an opt-out signal (for example, when the user has deleted or reset their advertising identifier).
2.2 Through our website
When you visit rootlake.io, we may collect:
- IP address, user-agent string, and approximate location derived from your IP address;
- Pages viewed, the referring URL, and timestamps of your visit;
- Information stored in cookies and similar tracking technologies (see Section 12).
2.3 From business contacts
When you contact us, request information about our services, evaluate our SDK, or enter into a commercial relationship with us, we collect:
- Name, job title, business email address, business phone number;
- Company name, industry, and other business-context information you provide;
- Records of our communications and meetings with you.
3. Categories of sources of personal information
We obtain personal information from the following categories of sources:
- Directly from end users’ devices, through the Rootlake SDK integrated in Publisher applications, when consent is provided.
- Directly from our website visitors, when you interact with rootlake.io.
- Directly from business contacts, when you communicate with us.
- From Publishers, in the form of contractual metadata about which applications integrate the SDK.
- From third-party data providers such as MaxMind, which supplies us with offline IP-geolocation and ASN reference databases that we use to enrich measurements (the third-party provider does not receive any data from us).
4. Business and commercial purposes for which we use personal information
We use personal information for the following purposes:
- Providing our data products, which involves processing measurements collected through the SDK, organizing them into data sets, and making those data sets available to our business customers.
- Improving the accuracy, quality, and coverage of our SDK and our data products, including engineering diagnostics, fraud detection, and detection of synthetic or low-quality data.
- Operating, securing, and improving our website.
- Responding to inquiries and operating our business relationships, including pre-sales communications, contract negotiation, customer support, billing, and account management.
- Complying with applicable law, including responding to lawful government requests, exercising or defending legal claims, and meeting our contractual and regulatory obligations.
- Exercising and defending our legal rights, including in connection with mergers, acquisitions, or asset transfers.
5. How we share personal information
5.1 Categories of recipients
We share personal information with the following categories of recipients. We do not publish the names of our individual business customers in this Privacy Policy, both because that list changes over time and because customer relationships are subject to confidentiality terms. Upon a verified request, we will provide a current list of customer categories and, where appropriate, the specific recipients of data associated with a particular individual.
| Category of recipient | What we share | Why |
|---|---|---|
| Telecommunications and network analytics providers and partners | SDK-collected network performance measurements and associated identifiers and location | To enable analysis of mobile network coverage and quality on behalf of the recipient’s own customers |
| Location-data analytics buyers | SDK-collected geolocation measurements and associated identifiers | To enable the recipient to create location-intelligence products for their own customers |
| Infrastructure-planning, regulatory, and benchmarking partners | Aggregated or de-identified measurements derived from SDK data | To support infrastructure investment decisions, regulatory broadband reporting, or independent benchmarking |
| Service providers and subprocessors | All SDK-collected data, on our behalf, solely for purposes of operating our service (see Section 5.2) | Cloud hosting, data warehouse, monitoring, communications, code hosting, infrastructure management |
| Legal authorities and parties to legal proceedings | Specific records as required by subpoena, court order, lawful government request, or in defense of legal claims | Compliance with applicable law |
| Acquirers | All categories above | In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets |
For the purposes of the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), our sharing of personal information with telecommunications and network analytics providers, location-data analytics buyers, and infrastructure-planning, regulatory, and benchmarking partners constitutes a “sale” or “sharing” of personal information as those terms are defined under California law, regardless of whether monetary consideration is exchanged. You have the right to opt out of this sale and sharing as described in Section 8.
5.2 Our service providers and subprocessors
We use service providers that process personal information on our behalf, solely on our documented instructions and under written contracts with privacy obligations substantially equivalent to those we make to our business customers. Categories include:
- Cloud computing and storage (including managed compute, object storage, streaming ingestion, data warehouse, and content-delivery services);
- Operational database hosting;
- Reference-data licensors (offline databases consumed by our systems);
- Domain-name and edge-network services;
- Source-control and continuous-integration services;
- Infrastructure-state management;
- Website hosting and analytics.
A current list of our subprocessors and the regions in which they process personal data is maintained internally and is available to business customers under the terms of their data processing agreements with us, and to other interested parties on request to privacy@rootlake.io.
5.3 Disclosures required by law
We may disclose personal information when we believe in good faith that disclosure is required to comply with applicable law, a lawful court order or subpoena, or a binding request from a governmental authority, or to establish, exercise, or defend our legal rights.
6. Data retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, except where a longer retention period is required or permitted by law.
| Data | Retention | Mechanism |
|---|---|---|
| Measurements and identifiers collected through the SDK | 365 days (with archive transition after 90 days) | Automated lifecycle policy on our data store |
| Data exports delivered to business customers | 90 days on our staging infrastructure (recipients retain in accordance with their own policies and our agreements with them) | Automated lifecycle policy |
| Operational logs (server, ingestion, pipeline) | 30 days | Automated retention policy |
| Suppression entries (identifiers opted-out by data subjects) | Indefinite (required to enforce ongoing opt-out) | Operational database, periodic review |
| Website visit logs | 12 months | Automated rotation |
| Business-contact information | Duration of relationship plus 24 months, or until you ask us to delete it | Manual review |
A successful erasure request from a data subject overrides the retention periods above for the affected identifiers.
7. Data security
We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, and alteration. These include encryption of data in transit and at rest, role-based access controls and access logging, network isolation and security groups, application-level payload encryption between the SDK and our ingestion infrastructure, periodic credential rotation, and infrastructure and code review prior to production deployments. We document these measures in our Information Security Policy, which is available to business customers under their data processing agreements and to other interested parties on request.
No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable measures to protect personal information, we cannot guarantee absolute security.
8. Your privacy rights
The rights described below apply to personal information about you that we hold. Where multiple laws apply to a single request, we honor the right that grants you the strongest protection.
8.1 Rights of residents of California and other U.S. states with comprehensive privacy laws
Depending on the law of your state, you have one or more of the following rights:
- Right to know. You may ask us to confirm whether we are processing personal information about you, and to disclose the categories of personal information collected, the categories of sources, the business and commercial purposes for processing, the categories of third parties with whom we share or to whom we sell that information, and the specific pieces of personal information we have collected about you.
- Right to delete. You may ask us to delete personal information we have collected from you, subject to exceptions permitted by law.
- Right to correct. You may ask us to correct inaccurate personal information that we maintain about you.
- Right to opt out of sale and sharing. You may opt out of our “sale” and “sharing” of your personal information, as those terms are defined under California law. We honor the Global Privacy Control (“GPC”) signal as a valid opt-out request from visitors to our website. For our SDK-collected data, the operational opt-out mechanism is described in Section 8.4 below.
- Right to limit use of sensitive personal information. Where we use precise geolocation (which is sensitive personal information under California law), you may direct us to use that information only for the limited purposes necessary to provide our services. To the extent practical, this right is implemented through erasure plus suppression, as described in Section 8.4.
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights. We will not deny our services, charge different prices, or provide a different level or quality of service because you exercised these rights.
To exercise any of these rights, follow the instructions in Section 8.4 below or contact us at privacy@rootlake.io.
“Do Not Sell or Share My Personal Information” / “Limit the Use of My Sensitive Personal Information”: California residents and residents of states with equivalent rights may opt out of the sale and sharing of personal information and limit the use of sensitive personal information by:
- Following the instructions on our Opt-Out and Data Subject Rights page; or
- Sending the GPC signal from your browser (we recognize it automatically); or
- Emailing privacy@rootlake.io with the subject line “Do Not Sell or Share / Limit Sensitive PI.”
8.2 Rights of residents of the EEA, the United Kingdom, and Switzerland
Under the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection, you have the following rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / right to be forgotten (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal
- Right to lodge a complaint with your supervisory authority
The legal basis on which we process personal information collected through the SDK is the data subject’s consent captured by the Publisher’s consent management platform, in accordance with Article 6(1)(a) and, where applicable, Article 9(2)(a). The legal basis on which we process business-contact information is our legitimate interest in operating and growing our business, in accordance with Article 6(1)(f). The legal basis on which we process website-visit information is our legitimate interest in operating our website securely, in accordance with Article 6(1)(f).
To exercise any GDPR / UK GDPR / Swiss FADP right, follow the instructions in Section 8.4 below or email privacy@rootlake.io. You may also contact your data-protection supervisory authority directly.
8.3 Authorized agents
You may use an authorized agent to submit a request on your behalf. We will require:
- Written proof of authorization signed by the data subject; and
- Verification of the agent’s identity.
For verifiable requests under the CCPA / CPRA, we follow the procedures in the California regulations at 11 CCR §7063.
8.4 How to exercise your rights, including for SDK-collected data
Because our SDK collects data linked to mobile advertising identifiers and installation identifiers, rather than to names or accounts, the most effective ways to exercise your rights with respect to SDK-collected data are described on our Opt-Out and Data Subject Rights page. In summary:
- Operating-system controls: deleting or resetting your mobile advertising identifier in your device settings causes our SDK to cease associating further measurements with that identifier.
- In-app consent controls: withdrawing consent in the Publisher’s consent dialog causes our SDK to stop collecting and forwarding data.
- In-app “Delete my data”: when the Publisher app exposes this option, it instructs our SDK to wipe locally cached data and identifiers.
- Web-based erasure and opt-out request: send us your advertising identifier (or installation identifier, or sufficient context for us to locate the records) to privacy@rootlake.io. We will add the identifiers to our suppression list, delete historical records associated with them, and notify any business customers that have received exports including those identifiers, asking them to remove the data on their side.
We will acknowledge a verifiable request within five business days and provide a substantive response within 30 calendar days of receipt, as required by GDPR Article 12. Where a request is complex or we have received a high volume of requests, we may extend the response period by up to a further 60 calendar days; in that case we will notify you of the extension and the reasons for it within the initial 30-day period.
There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, as permitted by law).
9. Sensitive personal information
The CCPA / CPRA classifies precise geolocation as “sensitive personal information.” We collect precise geolocation through our SDK only with consent and use it only for the purposes described in Section 4 above. We do not use sensitive personal information to infer characteristics about you, and we do not retain it longer than is necessary to provide our services.
You have the right to direct us to limit our use and disclosure of your sensitive personal information to that which is necessary to provide our services. To exercise this right, follow the instructions on our Opt-Out and Data Subject Rights page or email privacy@rootlake.io.
10. Children’s privacy
Our SDK and the data services we provide are not directed to, and are not intended for use by, children. Specifically, our SDK and the data we collect through it are not intended for, and must not be deployed in, applications directed to:
- Children under 13 in the United States (Children’s Online Privacy Protection Act, COPPA);
- Children under 13 in the United Kingdom (UK GDPR / Data Protection Act 2018);
- Children under 16 in the European Economic Area (GDPR Art. 8 default age of digital consent, subject to lower thresholds set by individual Member States); and
- Minors covered by other applicable jurisdictional thresholds where higher protections apply (for example, minors under 18 covered by certain U.S. state laws).
We do not collect age, date of birth, or any identifier from which age can be reliably inferred, and we do not knowingly process personal information of children. Publishers and the applications that integrate our SDK are contractually required to ensure their applications are not directed to, and are not used by, children below the applicable thresholds, and to obtain any required parental consent where their products are accessible to such users.
If you believe personal information of a child has been transmitted to Rootlake, please contact us immediately at privacy@rootlake.io. We will promptly investigate and, where confirmed, delete the data and add the relevant identifiers to our suppression list.
11. International data transfers
Rootlake is located in the United States. The data we collect is processed in the United States, primarily in cloud infrastructure regions located in the eastern United States. Where personal information of a data subject located in the European Economic Area, the United Kingdom, or Switzerland is transferred to Rootlake or to a third party in the United States, we and the receiving party rely on the European Commission’s Standard Contractual Clauses of 4 June 2021 and the United Kingdom’s International Data Transfer Addendum of 21 March 2022, as applicable, and on supplementary technical and organizational measures designed to provide a level of protection essentially equivalent to that guaranteed in the European Economic Area.
We make available, on request, the safeguards we use for international transfers. Contact privacy@rootlake.io.
12. Cookies and tracking technologies
Our website uses a limited number of cookies and similar technologies, including:
- Strictly necessary cookies that enable the website to load and operate;
- Analytics cookies that allow us to measure aggregate website traffic and improve content (configurable through your browser settings).
We do not use third-party advertising or behavioral-tracking cookies on our website. We honor browser-based privacy signals, including the Global Privacy Control, as opt-out requests where applicable. You can manage or disable cookies through your browser settings; doing so may affect website functionality.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected in an updated effective date at the top of this page. Where required by law, we will provide additional notice through our website or directly to known data subjects before the change takes effect.
A versioned history of this Privacy Policy is maintained in our public source repository and can be made available on request to privacy@rootlake.io.
14. EU/EEA & UK GDPR Representatives (Article 27)
If you are located in the EU or UK and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative:
EU Representative:
Euverify Ltd (Ireland)
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork
T23 AT2P
Ireland
Email: gdpr@euverify.com
UK Representative:
Euverify Ltd (UK)
3rd Floor
86-90 Paul Street
London
EC2A 4NE
United Kingdom
Email: gdpr@euverify.com
To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal at:
https://gdpr.euverify.com/verify/02a8f3da-9051-4b96-9369-0731da5debf4
This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.
15. Contact us
If you have any question, concern, or request relating to this Privacy Policy or to how Rootlake processes personal information:
Rootlake LLC 30 N Gould St Ste N Sheridan, WY 82801 United States Privacy: privacy@rootlake.io General: info@rootlake.io Legal: legal@rootlake.io