Mentions légales

Privacy Policy

Dernière mise à jour : April 20, 2026

Courtesy translation. The French version of this Policy prevails in case of disagreement or legal dispute.

Our commitments in three points

1. Your data is never sold or rented to any third party, for any purpose.

2. Your data is never used to train artificial intelligence models, including those of our AI provider, which contractually commits not to reuse content sent via its API for training.

3. No advertising profiling imposed without consent: any measurement and advertising tools are only activated if you consent via our cookie banner.

1. Data controller

RootsAI processes Users' personal data in strict compliance with Regulation (EU) 2016/679 (GDPR) and the amended French Data Protection Act. The data controller can be reached at privacy@rootsai.co.

2. Data collected

  • Email (authentication)
  • Genealogical data that you enter (names, dates, places, notes)
  • Payment information (processed by the provider, not stored by us)
  • Connection data (IP, browser) for security purposes

3. Legal bases for each processing (GDPR art. 13)

Each processing is based on an identified legal basis: (a) performance of the contract for account creation, narrative generation and service provision; (b) legal obligation for billing and accounting retention (10 years); (c) legitimate interest for service security and fraud prevention; (d) consent for any non-essential communication and for any advertising or audience measurement trackers.

4. Third-party living persons data

When the User enters information about a living third party in their tree, RootsAI acts as the User's data processor (the User itself being the controller of this data) for the sole purpose of hosting and display. Any living person identified may exercise their GDPR rights directly with RootsAI (privacy@rootsai.co): an identity verification process is implemented, then the data is masked or deleted within a maximum of 30 days, the User holding the tree being informed.

5. Deceased persons

Data of deceased persons is not covered by the GDPR (Recital 27), but RootsAI respects post-mortem directives provided for in article 85 of the French Data Protection Act. Heirs of a deceased person may request the rectification or deletion of data concerning them upon presentation of proof of heir status.

6. Minors

The service is not intended for children under 15. In case of account opening between 15 and 18, RootsAI may verify the existence of parental authorization. Any data concerning a minor appearing in a User's tree is subject to the consent of the holder of parental authority; failing this, it is masked on request.

7. Hosting and security

Data is hosted in the European Union (Ireland). No transfer outside the EU without appropriate guarantees. Data is encrypted in transit (TLS 1.3) and at rest. Access to databases is restricted to a limited number of authenticated operators. RootsAI applies ANSSI recommendations and the CNIL security framework.

In the event of a data breach likely to create a risk to the rights and freedoms of persons, RootsAI notifies the CNIL within 72 hours and the Users concerned without undue delay.

8. Transfers outside the EU (narrative AI model)

The artificial intelligence service used for narration may process, during the time of a narrative generation, textual data from the User's tree. This transfer is governed by the Standard Contractual Clauses adopted by the European Commission (decision 2021/914) and by contractual commitments of non-reuse of data and deletion within a maximum of 30 days. No other transfer outside the EU takes place.

9. Retention period after account deletion

Upon account deletion, the tree and associated narratives are deleted within 30 days. Some data is kept beyond:

  • Billing data for 10 years (accounting obligation).
  • Security logs for 12 months (CNIL recommendation).
  • Encrypted backups for a maximum of 90 days before being overwritten.

Beyond that, no personal data is retained. The User may request the complete GEDCOM export of their tree at any time before deletion.

10. Your rights

You have the rights of access, rectification, deletion, portability and objection provided for by the GDPR. To exercise these rights: privacy@rootsai.co. You may at any time file a complaint with the CNIL (3 place de Fontenoy, 75007 Paris, www.cnil.fr).

11. Subprocessors

We rely on specialized technical providers for:

  • Hosting and database (European Union)
  • Application hosting and content delivery network (with GDPR guarantees)
  • Payment processing (PCI-DSS certified provider)
  • Transactional email sending
  • Artificial intelligence models for narration (transfer governed by standard contractual clauses, cf. section 8)

The detailed and named list of subprocessors is available on request at privacy@rootsai.co, in accordance with article 28 of the GDPR.