This Privacy Policy describes how Squared Root LLC ("we", "our", or "us") collects, uses, stores, and protects personal information when you use our RCS (Recovery Convention Software) web application ("RCS" or the "Service").

1. Scope

This Policy applies to:

• Attendees registering for events hosted on RCS
• Event organizers using RCS to manage events
• Visitors to the RCS website and affiliated subdomains

2. Data Roles and Responsibilities

• Squared Root LLC acts as a Data Controller for data collected during registration or through direct use of the Service.
• For data entered by event organizers (our clients), we act as a Data Processor, processing data on their behalf.

3. Information We Collect

1. Personal Data
   • Name, email, phone number
   • Mailing address (if shipping items or badges)
   • Purchase history and payment information (via third-party processors)
   • Login credentials (encrypted)
2. Usage Data
   • Device/browser info, IP address, login timestamps
   • Page views, session durations, crash/error logs
3. Optional Data
   • Anonymous profile names
   • Special access needs, dietary preferences, or volunteer signups

4. How We Use Your Data

We use your data to:

• Provide, maintain, and improve the RCS platform
• Process secure payments (through vendors like Square)
• Communicate updates, confirmations, and reminders
• Support analytics, reporting, and fraud detection

5. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

• User authentication and session management
• Performance and usage analytics
• Customizing user experience

You may disable cookies in your browser settings, but this may affect functionality.

6. Data Sharing

We do not sell your personal data. We may share your information with:

• Event organizers using the RCS platform to manage their events
• Third-party vendors (e.g., AWS, Square, email providers) for operational purposes
• Government or legal authorities, if required by law or valid subpoena

7. Cross-Border Data Transfers

Your data may be processed in the United States or other jurisdictions where our service providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure data protection in compliance with GDPR and other regulations.

8. Retention and Deletion

We retain personal data only as long as needed for legitimate purposes, including compliance and auditing. Our retention guidelines include:

• Event and registration data: up to 5 years
• Payment-related metadata: up to 7 years for financial compliance
• Inactive user accounts: deleted or anonymized after 24 months of inactivity

You may request account deletion by contacting privacy@squaredroot.com.

9. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access the personal data we hold about you
• Request corrections to inaccurate data
• Request erasure ("right to be forgotten")
• Withdraw consent or restrict certain types of processing
• Request a portable copy of your data
• File a complaint with a supervisory authority (if located in the EU or UK)

To exercise any of these rights, email us at privacy@squaredroot.com.

10. Security

We implement industry-standard security practices to protect your personal data. These include:

• Data encryption in transit (TLS) and at rest
• Role-based access control (RBAC)
• Cloud infrastructure monitoring and auditing (via AWS)

No system is 100% secure, but we take reasonable steps to minimize risks.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the RCS platform interface. Your continued use of RCS after these updates constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

• Email: mroot@squaredroot.net