This Privacy Policy explains how Digital Root Tools ("we", "us", "our") collects, uses, and protects your personal data when you use our website and AI-powered SEO content tools at digitalroottools.com.
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Digital Root Tools is an AI-powered SEO content tool platform based in London, UK. We are the data controller responsible for your personal data collected through this website.
If you have any questions about how we handle your data, please contact us at info@digitalrootagency.com.
2. Data We Collect
We collect the following categories of data when you use Digital Root Tools:
- Email address - provided voluntarily when you use tools that deliver results by email (Alt Text Generator, Blog Post Generator) or when you subscribe to our mailing list. We use this to send you your requested output and, where you have opted in, occasional updates about new tools and features.
- Account and subscriber data - if you create a paid account or subscribe to our mailing list, we store your email address, subscription plan, Stripe customer ID, and marketing opt-out preference in our database (Supabase). Subscriber records are only created after you confirm your email address via a double opt-in confirmation email. Unconfirmed email addresses are not retained. This data is linked to your account for the purpose of managing your subscription and communications.
- IP address - automatically collected by our servers for rate limiting purposes (to enforce free tier usage limits and protect our service from abuse). IP addresses and associated usage logs are stored in our database for up to 30 days, after which they are automatically deleted.
- Form inputs - content you enter into our tools (product names, blog topics, keywords, etc.) is processed by our AI systems to generate your requested output. This content is not stored by us after processing is complete.
- Images - images uploaded to the Alt Text Generator are processed by our AI model to generate alt text and are not retained after processing.
- Website analytics - if you consent via our cookie banner, we collect anonymised usage data (pages visited, session duration, traffic source) through Google Analytics 4. Analytics are not activated unless you grant consent. See Section 7 for full details.
We do not collect payment card details directly. All payment processing is handled by Stripe, which is PCI DSS compliant.
3. How We Use Your Data
We use the data we collect for the following purposes, along with the lawful basis under UK GDPR on which each activity relies:
- Service delivery - to process your tool requests and email you the results you requested. Lawful basis: performance of a contract / legitimate interests.
- Account management - to manage your subscription, process payments via Stripe, and maintain your account record. Lawful basis: performance of a contract.
- Rate limiting - to enforce free tier usage limits and protect our service from abuse using your IP address. Lawful basis: legitimate interests (protecting service integrity).
- Marketing communications - to send you occasional product updates and feature announcements where you have opted in via our subscription form. Lawful basis: consent. You may withdraw consent at any time by clicking the unsubscribe link in any email.
- Website analytics - to understand how our tools are used and improve them, using anonymised data from Google Analytics 4 where you have consented. Lawful basis: consent.
- Direct communications - if you contact us, to respond to your enquiry. Lawful basis: legitimate interests.
- Legal compliance - to comply with applicable laws, regulations, and legal obligations. Lawful basis: legal obligation.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Third-Party Services
To deliver our services, we use the following third-party sub-processors. Each acts as a data processor on our behalf and is bound by a Data Processing Agreement (DPA) or equivalent contractual terms. Each provider has its own privacy policy:
- Groq - your form inputs and images are sent to Groq's API for AI model inference to generate your requested output. Data is processed transiently and not retained by Groq for training. Please refer to Groq's privacy policy for details.
- Supabase - our database and authentication infrastructure provider. We store account data (email, subscription plan, Stripe customer ID, marketing preferences) and usage logs (IP addresses, tool usage counts) in Supabase's hosted PostgreSQL database. Data is stored in the EU/US. Please refer to Supabase's privacy policy for details.
- Resend - used to deliver email results and subscription communications to the address you provide. Your email address and generated content are transmitted to Resend for delivery. Please refer to Resend's privacy policy for details.
- Stripe - payment processing for paid subscriptions. We transmit your email address to Stripe to create a billing account. We never store card details on our own servers. Stripe is PCI DSS Level 1 certified. Please refer to Stripe's privacy policy for details.
- Vercel - our website and serverless API functions are hosted on Vercel's infrastructure. Vercel may collect standard server log data (IP addresses, request metadata) as part of normal hosting operations. Please refer to Vercel's privacy policy for details.
- Google Analytics 4 - used to collect anonymised website usage data where you have granted consent via our cookie banner. Analytics data is processed by Google and may be transferred to the US under Google's Standard Contractual Clauses. Please refer to Google's privacy policy for details.
5. Data Retention
We retain your data only for as long as necessary for the purpose for which it was collected:
- Tool result email addresses - retained only for the purpose of delivering your requested output. Not added to any marketing list unless you separately opt in.
- Subscriber / account data - email address, subscription plan, and Stripe customer ID are retained for the duration of your account plus 12 months, after which they are deleted or anonymised. Marketing opt-out preferences are retained indefinitely to honour your choice.
- IP addresses and usage logs - stored in our database for rate limiting purposes and automatically deleted after 30 days.
- Form inputs and images - not stored by us after AI processing is complete.
- Contact enquiries - retained for up to 24 months to allow us to respond to follow-up questions.
- Analytics data - where you have consented, aggregated and anonymised analytics data is retained in Google Analytics 4 for 14 months, after which it is automatically deleted by Google.
Automated deletion is enforced by scheduled database jobs. Where automatic deletion is not possible, we conduct manual data reviews at least annually.
6. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access - you can request a copy of the personal data we hold about you.
- Right to rectification - you can ask us to correct inaccurate data.
- Right to erasure - you can ask us to delete your personal data where we have no legitimate reason to continue processing it.
- Right to restriction - you can ask us to restrict processing of your data in certain circumstances.
- Right to data portability - you can request your data in a structured, machine-readable format.
- Right to object - you can object to processing based on our legitimate interests.
To exercise any of these rights, please contact us at info@digitalrootagency.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies & Analytics
Our website uses a cookie consent banner. Until you make a choice, all optional cookies and analytics are blocked by default.
Essential cookies - our hosting infrastructure (Vercel) may set cookies strictly necessary for the site to function. These do not collect personal information and cannot be disabled without affecting site operation.
Analytics cookies (Google Analytics 4) - if you click "Accept" on our cookie banner, we activate Google Analytics 4 (GA4) to collect anonymised data about how the site is used (pages visited, session duration, traffic source, device type). This data helps us improve our tools. GA4 does not receive your name or email address. We have implemented Google Consent Mode v2, which means GA4 only loads and sets cookies after you grant explicit consent. You may withdraw consent at any time by clearing your browser cookies and declining the banner on your next visit.
We do not use Facebook Pixel, advertising cookies, or any remarketing technology.
8. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. Our website uses HTTPS encryption for all data transmitted between your browser and our servers. API keys and sensitive credentials are stored as encrypted environment variables and are never exposed in our codebase.
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security, and you provide your data at your own risk.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Digital Root Tools after any changes constitutes your acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
We aim to respond to all privacy-related enquiries within 5 business days.
11. Policy Changelog
- April 2026 - Added Supabase and Groq as named sub-processors; updated GA4 analytics disclosure with Consent Mode v2 details; added lawful basis for each processing activity; corrected IP log retention period to 30 days; implemented double opt-in for marketing subscriptions; added automated data deletion schedule.
- March 2026 - Initial policy published.