Privacy Policy
Last updated: 19 June 2026
ReRooted ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our visa application tracking service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (for authentication and communication)
- Name (for personalization)
- Password (stored securely using industry-standard hashing)
- Profile image URL (if signing in with a social provider)
If you sign in using a social provider such as Google or Facebook, that provider shares your email address, name, and profile image with ReRooted. The provider's own privacy policy governs how they handle your data.
1.2 Application Tracking Data
When you use our service, we collect:
- Application labels (user-defined names for your applications)
- Application status (workflow status such as "In Progress" or "Submitted")
- Relationship milestone dates (e.g., when your relationship started, cohabitation began)
- Application milestone dates (e.g., lodgement date, grant date)
- Requirement completion statuses
- Structured prompt responses (limited to 1,000 characters per response)
- Applicant, sponsor, or petitioner nationality (optional)
1.3 Information We Do NOT Collect
We are committed to data minimization. We explicitly do not collect:
- Passport numbers
- Full dates of birth
- Physical addresses
- Document numbers or identification numbers
- Private message transcripts
- Free-form personal notes (we use structured prompts instead)
Our structured prompt system includes warnings reminding you not to enter sensitive information such as passport numbers or private messages.
1.4 Automatically Collected Information
When you use our service, we automatically collect certain technical information for security and operational purposes:
- IP address (stored per session for security auditing)
- User-Agent and browser information (stored per session)
This information is used for security auditing, abuse prevention, and rate limiting. It is associated with your session and retained in accordance with our data retention policy.
1.5 Subscription & Billing Data
If you subscribe to a paid plan, we store:
- Subscription status (e.g., active, trialing, cancelled)
- Trial end date (if applicable)
- Current billing period start and end dates
We do not store your credit card details. All payment information is handled entirely by Stripe, our payment processor. See Section 7 for more information.
1.6 Usage & Analytics Data
To understand how our service is used and to measure our marketing, we and our analytics providers (see Section 7) collect:
- Pages you view and basic navigation within the service
- Product events describing how you use features — for example that a sign-up started or an application was created. These events are limited to non-sensitive metadata (such as visa type and country) and never include your requirement responses, evidence, or relationship details.
- Approximate location (country/region), device, browser, and referring source
- An analytics identifier, which we associate with your account identifier and email
These tools are configured with privacy-protective defaults. Analytics runs by default wherever you are, and you can switch it off at any time through the "Your Privacy Choices" footer link. Advertising (the Meta Pixel) runs by default outside the EEA and UK and can be switched off the same way; for EEA and UK visitors we do not run the Pixel unless you turn it on. Regardless of location, we honour a Global Privacy Control or Do-Not-Track signal as an opt-out of advertising "sharing" (which also denies Google's advertising signals), keep no session recordings, and enable Meta's "Limited Data Use" mode on the conversion data we do send. Google advertising features are also denied for EEA/UK visitors, who are not served the Pixel. See Section 7 for the providers involved and Section 10.2 for how California residents can opt out of advertising-related sharing.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain our visa application tracking service
- Enable you to track your progress against visa requirements
- Calculate and display your application completion progress
- Authenticate your account and maintain your session
- Process your subscription and billing (if applicable)
- Send important service-related communications
3. Data Storage and Security
Your data is stored securely using industry-standard practices:
- All data is transmitted using HTTPS encryption
- Passwords are hashed using secure algorithms (never stored in plain text)
- Session cookies use HttpOnly, Secure, and SameSite=Lax attributes
- Access to data is restricted to authorized personnel only
4. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Deleted accounts: When you delete your account, all your personal data is immediately and permanently deleted (cascade deletion).
- System logs: Technical logs are retained for 30 days for security and debugging purposes, then automatically deleted.
5. Your Rights
You have the right to:
- Access your data: View all information we hold about you through your account.
- Delete your account: Permanently delete your account and all associated data at any time from your account settings. For step-by-step instructions, see our Data Deletion page.
- Update your information: Modify your account details and application data.
- Request your data: You may request a copy of your personal data in a portable format. Automated data export is planned for a future release; in the meantime, contact us to request a manual export.
6. Cookies
We use essential cookies for authentication and session management, plus analytics cookies (on by default, subject to your opt-out) and advertising cookies (on by default outside the EEA/UK and subject to your opt-out; not run for EEA/UK visitors unless you turn them on). You can manage the non-essential categories at any time via the "Your Privacy Choices" link in our footer. For more details, please see our Cookie Policy.
7. Third-Party Services
We use the following third-party services:
- Stripe:For payment processing. Stripe's privacy policy applies to payment data. We do not store your credit card information.
- Google & Facebook: For social sign-in (OAuth authentication). If you choose to sign in with Google or Facebook, your email address, name, and profile image are shared with us by the provider. Their respective privacy policies govern how they handle your data.
- Resend: For transactional email delivery. Your email address is shared with Resend to deliver password reset emails, verification emails, and other service-related communications.
- PostHog: For first-party product analytics (understanding which features are used). We send PostHog page views and non-sensitive product events together with your account identifier and email. Session recording is disabled and no requirement or evidence content is sent.
- Vercel Analytics: For aggregate, cookieless page-traffic analytics. It does not use a cross-site identifier and is not used for advertising.
- Google Analytics: For aggregate behavioural analytics. We enable Google Consent Mode; its advertising features (
ad_storage,ad_user_data,ad_personalization) are denied for EEA/UK visitors and whenever advertising is off (including under a GPC/DNT signal), and granted by default elsewhere. - Meta (Facebook) Pixel & Conversions API:To measure the effectiveness of our advertising (for example, landing-page views from our ads and sign-ups originating from our campaigns), we send event data to Meta in two ways. The browser Pixel loads only after you opt in if you are in the EEA/UK, and by default elsewhere (you can opt out at any time via "Your Privacy Choices"); we never load it when your browser sends a Global Privacy Control or Do-Not-Track signal. Separately, the Conversions API sends a limited set of measurement events to Meta directly from our servers for advertising attribution. Upper-funnel advertising events, such as paid landing-page views, are sent only when advertising is enabled for you (by your opt-in in the EEA/UK, or by default elsewhere unless you have opted out or sent a GPC/DNT signal). Signup and purchase conversion mirrors are sent server-to-server with Meta's "Limited Data Use" mode enabled. Depending on the event, the data sent may include a hashed version of your email, your IP address, your browser user-agent, and Meta's own browser and click identifiers. See Section 10.2 for California opt-out rights.
- Hosting & infrastructure providers: Our service is hosted on secure cloud infrastructure in Australia and internationally. This includes database hosting, session management infrastructure (e.g., Redis for CSRF token storage), and content delivery networks.
8. International Data Transfers
ReRooted is operated from Australia and offered to users worldwide. Some of our third-party service providers (including hosting, email delivery, and payment processing) may process your data outside of your country of residence — for example, Australian users' data may be processed in the United States or Europe, and United States users' data may be processed in Australia or elsewhere.
Where your data is transferred internationally, we take reasonable steps to ensure that the recipient handles your personal information consistently with the protections required in your jurisdiction. For Australian users, that means the Australian Privacy Principles (in particular APP 8). For United States users, that means a standard of care reasonably consistent with the privacy laws of your state of residence (including the California Consumer Privacy Act / California Privacy Rights Act, where applicable).
We encourage you to review the privacy policies of our third-party providers listed in Section 7 for details on their data handling and transfer practices.
9. Children's Privacy
ReRooted is intended for users aged 18 and over, consistent with our Terms of Service. We do not knowingly collect personal information from children under 18 years of age. If you believe a child under 18 has provided us with personal information, please contact us and we will promptly delete it.
10. Jurisdiction-Specific Rights
10.1 Australian Privacy Principles (Australian users)
ReRooted is designed with the Australian Privacy Principles (APPs) in mind. We are committed to:
- Collecting only the minimum data necessary for our service
- Using data only for the purpose it was collected
- Maintaining appropriate security measures
- Providing transparency about our data practices
- Giving you control over your personal information
10.2 California Consumer Privacy Act / CPRA (California residents)
If you are a California resident, you have the following rights, subject to verification:
- Right to know: request the categories and specific pieces of personal information we have collected about you in the preceding 12 months. You can satisfy this right today by viewing your account data through the in-product settings page; for items not yet exposed in-product, contact us.
- Right to delete: request deletion of your personal information. You can do this immediately from your account settings page (see Section 5 above), which deletes all of your data on a cascade basis.
- Right to correct: request correction of inaccurate personal information. Most fields are editable directly in-product; contact us for anything that is not.
- Right to opt out of sale or sharing: we do not sell your personal information for money. We do use the Meta (Facebook) Pixel and Conversions API to measure advertising, which may involve sharing limited event data — which, depending on the event, may include a hashed email, your IP address, and your browser user-agent — with Meta for cross-context behavioural advertising as the CPRA defines that term. This sharing happens in two ways, with different controls. The browser Pixel runs by default for California residents (in the EEA/UK it loads only after opt-in), and you can opt out of this sharing at any timeusing the "Your Privacy Choices" link in our footer; we also automatically honour a Global Privacy Control (GPC) or browser Do-Not-Track signal as a valid opt-out by disabling the Pixel, which overrides any other selection. Separately, the Conversions API sends a limited set of measurement events to Meta from our servers. Upper-funnel advertising events, such as paid landing-page views, follow the same effective advertising-consent choice and GPC/DNT floor as the Pixel. Signup and purchase conversion mirrors are sent with Meta's "Limited Data Use" mode enabled so that Meta restricts its processing as required for California residents; to opt out of this server-side conversion sharing as well, contact us through our support channels and we will honour your request. For the Google advertising features we could use, we deny Google's advertising signals by default.
- Right to non-discrimination: we will not deny service, charge a different price, or provide a different level of quality because you exercise any of these rights.
10.3 Users in other jurisdictions
If you reside outside Australia or the United States, you may have additional rights under your local data-protection laws (including, for example, GDPR if you are in the European Union or UK GDPR if you are in the United Kingdom). Contact us to exercise any such rights and we will respond consistently with the standard required by the applicable law.
11. Automated Decision-Making
ReRooted does not use automated decision-making or profiling that produces legal or similarly significant effects. All visa application tracking and progress calculations are based on information you provide and are entirely user-directed.
12. Data Breaches
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the relevant regulators in each jurisdiction we are obligated to notify, including:
- The Office of the Australian Information Commissioner (OAIC) under the Australian Notifiable Data Breaches (NDB) scheme, for incidents affecting Australian users.
- State attorneys general and any other regulators required by United States state breach notification laws (for example, California, New York, and other states with breach notification statutes), for incidents affecting United States users.
- Any other regulators required by the applicable local laws of users in other jurisdictions.
We will provide affected individuals with sufficient information to understand the nature and scope of the incident, the categories of data involved, and the steps we are taking in response.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us through our support channels.
Note: ReRooted provides general information to help you organise your visa application. It is not legal advice. For official information about visas, please refer to the immigration authority for your jurisdiction — for example, the Department of Home Affairs (Australia) or USCIS (United States) — and/or a registered migration agent or licensed immigration attorney.