Skip to content
mroot.co
PRIVACY POLICY · VERSION 2026-07-13

Privacy, in plain language.

This policy explains what the Mroot Project Advisor collects, why it is processed, and how long it is kept. The advisor is for project guidance and contact—not marketing enrollment.

Information the advisor collects

The advisor stores your categorical project answers; sanitized optional project details; name, email, and any optional business, website, or phone information you submit; first-touch attribution; consent acknowledgment; and the resulting assessment. It also stores random session, submission, idempotency, and event identifiers that contain no contact information.

Optional project details are sanitized before storage. Obvious email addresses and phone numbers are redacted, control characters are removed, and the value is limited to 500 characters. The unsanitized version is not stored.

AI processing

Cloudflare Workers AI processes your categorical project answers and sanitized optional details to draft assessment language. Contact fields are not sent to the AI model. Mroot selects the three eligible services deterministically before AI processing, validates the model output, and uses a deterministic fallback if validation or the provider fails.

Contact and transactional email

Your contact details are used to respond about the assessment you requested. Resend processes the email address and approved assessment content to deliver transactional messages to you and Mroot. Submission does not subscribe you to a marketing list, and Phase 1 has no marketing email workflow.

Security and operational data

Cloudflare Turnstile processes technical request information to help prevent spam. Operational records include non-PII status, latency, model usage, fallback state, notification state, and stable error codes. Prompts, generated prose, contact fields, optional details, and raw IP addresses are not written to operational logs.

Analytics

The advisor records bounded, typed events such as opening the flow, viewing a step, selecting an approved option, generating a result, and clicking an approved CTA. Free text and contact information are not analytics fields. Phase 1 uses session storage only and does not create a long-lived cross-session visitor ID in your browser.

Retention

  • Incomplete anonymous sessions and related data: 30 days.
  • Analytics events and anonymous visitor records, if used in a future phase: 13 months.
  • Spam leads and associated results: 90 days.
  • Provider-call and notification operational records: 90 days.
  • Completed leads, answers, and generated results: 24 months after last activity.
  • Queue messages: Cloudflare platform retention; D1 remains the operational source of truth.

Choices and deletion requests

You may leave optional fields blank. To request access, correction, or deletion, use the contact page. Associated records will be removed or anonymized unless retention is legally required.

Questions

For privacy questions, contact [email protected].