PRIVACY POLICY
Last Updated: December 30, 2025
WOM Online, Inc. (collectively, “WOM Online, Inc.,” “root,” “we,” or “us”) operates a social wellness discovery and community platform that helps women find, save, and share local and virtual wellness businesses and routines. Our platform primarily serves:
- Users: Individual users who create accounts, explore wellness content, follow friends and local spots, and share experiences through features like feeds and saved lists (e.g., “MySpots”).
- Businesses: Local and virtual wellness providers (for example, fitness studios, salons, spas, therapists, and other self-care providers) that maintain profiles and may be discovered, saved, and recommended by Users.
- Visitors: Individuals who visit our websites or other online properties without creating an account.
We are committed to respecting your privacy and handling your data responsibly. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use our websites, mobile applications, and related online services, tools, and features (collectively, the “Services”). It also describes your choices and rights regarding that information.
By accessing or using the Services, you acknowledge that you have read and understand this Privacy Policy and agree to the practices it describes. If you do not agree with this Privacy Policy, please do not access or use the Services.
1. Scope & Acceptance
- Applicability. This Privacy Policy applies to personal information collected by WOM Online, Inc. (“root,” “we,” or “us”) in connection with:
- The root website, mobile applications, and any other online services that link to or reference this Privacy Policy.
- User accounts, business accounts or profiles, referral and promotional programs, and any in-app or online community features (including social feeds, comments, and saved spots such as “MySpots”).
- Our marketing, promotional activities, waitlists, surveys, and customer or technical support channels.
- Interactions with us via email, phone, social media, or other direct communications.
- Acceptance of Policy. By accessing or using our Services, creating an account, or otherwise interacting with root, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with any part of this Privacy Policy, please discontinue use of our Services.
- Third-Party Links. Our Services may include links or connections to third-party websites, apps, or services that are not owned or controlled by us (for example, external booking sites for wellness businesses, social media platforms, or payment providers). We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites or services that you visit or use.
- Updates. We may update or modify this Privacy Policy from time to time. If we make material changes, we will provide notice (for example, by updating the “Last Updated” date at the top of this Privacy Policy, posting a notice within the Services, or sending you an email) before the changes become effective. Your continued use of the Services after the effective date of any updated Privacy Policy will constitute your acknowledgment of, and agreement to, the updated Policy. If you do not agree to the updated Policy, you should stop using the Services.
2. Information We Collect
The types of information we collect depend on how you interact with our Services, and whether you are using them as a User, a Business, or a Visitor.
2.1 Information You Provide Directly
- Account Creation: When you register for a root account, we may collect information such as your name, username, email address, password, city or general location, and basic profile details (for example, a profile photo, short bio, and wellness interests).
- Business Details: If you are a Business, you may provide company details, business addresses, service descriptions, logos, Stripe onboarding info, tax IDs, or professional licenses (as required by local law).
- Content You Share: When you use social or community features of the Services, we collect the content you choose to share. This may include posts, photos, captions, comments, reactions, ratings, MySpots entries, saved businesses, notes you add about a spot, and any other user-generated content you create or upload through the Services. Depending on your settings, some or all of this content may be visible publicly or only to a more limited audience (for example, if you set your account to “private” and approve followers).
- Referrals and Invites: If you use referral, invite, or “share with a friend” features, you may provide contact information for other individuals (such as a name, email address, social handle, or phone number) so we can send them an invitation or link at your request. You should only provide contact information for individuals you have permission to share with us.
- Preferences & Settings: We collect information about your preferences (for example, notification settings, saved locations or interests, and content filters) when you select or update them in your account.
- Communications & Support: When you contact us (for example, by email, through in-app support, or via social media) or respond to surveys or questionnaires, we collect the information you provide, such as your contact details, the content of your message, and any follow-up responses. We may also maintain records of these communications.
- Payment & Billing (If Applicable): If you choose to make purchases or pay for any paid features or services that root may offer (for example, premium tools for Businesses), payments may be processed by third-party payment providers. We may receive limited information related to those transactions, such as the fact that a payment was made, the date/time, and non-sensitive payment details (for example, the last four digits of a card number), for billing, accounting, and fraud-prevention purposes.
2.2 Information Collected Automatically
- Usage Data: We automatically collect information about your activity on the Services, such as the pages or screens you view, features you use (for example, viewing a Business profile, saving a MySpot, or posting in the feed), the content you tap or interact with, your search queries, timestamps and duration of sessions, and how you navigate through the app or site.
- Device & Log Data: When you use the Services, we may collect technical information from your device, including IP address, device type and model, operating system and version, app version, device identifiers, language settings, and mobile network information. We also collect log information such as access times, app performance data, and diagnostic or crash data to help us maintain and improve the Services.
- Approximate Location Information: We may collect or infer your approximate location (for example, city, postal code, or general region) from information such as your IP address, device settings, or the location information you choose to provide (for example, selecting your city or service area). We use this approximate location to help show you locally relevant wellness content and Businesses. We do not require or use precise GPS-level location for the core operation of the app.
- Cookies, SDKs & Similar Technologies: We and our service providers may use cookies, mobile software development kits (SDKs), and similar technologies to recognize your browser or device, remember your preferences, help keep your account secure, understand how you use the Services, and measure the effectiveness of our communications. On the web, you may be able to manage certain cookie preferences through your browser settings; see Section 7 below for more information about choices and controls.
2.3 Information From Third Parties
- Stripe & Payment Processors: For Businesses subscribing to services via our website, certain personal information (e.g., name, transaction ID, partial payment info) is shared with or received from Stripe and other payment gateways.
- Third-Party Login Providers: If you choose to sign up or log in using a third-party account (for example, a social media or single-sign-on provider), that service may share certain information with us, such as your name, email address, and profile picture, subject to that provider’s terms and privacy settings.
- Wellness Businesses and Partners: Businesses and other partners may provide us with information about you, such as when they invite you to use root, claim or update a Business profile, or share feedback about how Users interact with their listing (for example, aggregate engagement data).
- Analytics and Service Providers: We may receive information about you from analytics providers, security and fraud-prevention partners, and hosting or support vendors who help us operate and improve the Services. This information may include aggregated or de-identified data about usage trends or app performance.
- Google APIs (for example, Maps/Places): If we use Google APIs to power certain features (such as business search, place details, or map-related functionality), Google may receive certain information in connection with those requests (such as device and network information, approximate location signals, and request details) in accordance with Google’s terms and privacy policy.
- Other Users: Other Users may provide information about you when they interact with the Services—for example, when they mention you, tag you in content, share a Business or MySpot with you, or invite you to join root.
We handle all personal information we receive from third parties in accordance with this Privacy Policy and any additional restrictions imposed by the source of the data.
3. How We Use Your Information
We use personal information for legitimate business purposes, including (if applicable under the EU/UK GDPR or similar laws):
- Providing and Improving the Services
- Create, maintain, and manage your user account.
- Enable you to discover, follow, and save wellness Businesses and MySpots.
- Operate social and community features, including feeds, posts, comments, reactions, and sharing.
- Show you content, Businesses, and suggestions that are relevant to your wellness interests and approximate location.
- Maintain and improve the functionality, security, and performance of the Services.
- Payment Processing and Financial Compliance
- Collect subscription fees and process refunds.
- Comply with applicable tax and accounting obligations (in conjunction with Stripe or other payment providers).
- Communications
- Send you confirmations, receipts (if applicable), technical notices, security alerts, and administrative messages.
- Respond to your questions, feedback, and customer support requests.
- Communicate with you about changes to our policies, terms, or Services.
- Personalization & Recommendations
- Recommend Businesses, content, and routines that may be of interest to you.
- Highlight trends or popular spots within your local area or communities you follow.
- Customize in-app experiences, such as which posts or Businesses are surfaced first.
- Marketing, Referrals & Promotions
- Send you newsletters, offers, or updates about root, new features, or wellness-related opportunities.
- Administer referral programs, waitlists, challenges, or other promotional campaigns, including tracking when an invite or referral results in a signup or other action.
- Analytics & Platform Development
- Monitor and analyze usage, engagement, and trends across the Services.
- Diagnose technical issues and maintain app stability and security.
- Test new features, experiences, and changes to understand how Users respond.
- Support research, reporting, and business planning.
- Safety, Security & Moderation
- Help protect the security and integrity of the Services, including detecting, preventing, and responding to spam, abuse, fraud, or other harmful activity.
- Review and moderate content, investigate potential violations of our Terms of Service or community guidelines, and take appropriate action (such as removing content or restricting accounts).
- Legal & Regulatory
- Enforce our Terms of Service and other agreements.
- Comply with legal and regulatory obligations, including responding to lawful requests from public authorities.
- Establish, exercise, or defend legal claims.
4. Legal Basis for Processing (If Applicable)
Where mandated (e.g., in the EEA, UK, or similar jurisdictions), we rely on certain legal grounds:
- Consent: We process your information when you have given us clear consent for a specific purpose, such as receiving certain marketing communications or enabling optional features. You may withdraw your consent at any time, as described in Section 11.
- Contract: We process information when it is necessary to enter into or perform a contract with you, including providing and operating the Services you request (for example, creating and maintaining your account, enabling you to use social and discovery features, or responding to support inquiries).
- Legitimate Interests: We process information based on our legitimate interests in operating, improving, and protecting the Services, including for analytics, personalization, security and fraud prevention, content moderation, and limited marketing of our own Services—provided that these interests are not overridden by your rights and interests.
- Legal Obligation: We process information when necessary to comply with legal or regulatory obligations, to respond to lawful requests and legal processes, and to protect our rights or the rights of others.
5. How We Share & Disclose Information
We do not sell your personal information to anyone. We also do not share your personal data with third parties for their own advertising or marketing purposes. We only share your information in a few limited situations, described below:
- With Other Users (Social and Public Features):
- When you post or share content in a public area of our app (for example, making a public post, comment, or adding to a public list), other users can see that content along with your profile information (like your name, username, and profile photo). In some cases, if content is available publicly, visitors to our website or app might also see it. If your account is set to private, then only people you approve can see your content. However, root and our service providers may still access that information when necessary to operate the service, provide support, enforce our terms, or comply with legal requirements. Also, if you engage with other users’ content (for instance, if you like or comment on someone’s post), those actions may be visible to the person who posted it and to others, depending on the context and settings.
- With Businesses You Interact With:
- Our platform helps you discover and connect with wellness businesses. If you follow a business profile, view or save a business listing, or click on a business’s external booking or website link, that business may learn that you visited or showed interest in them through root. Similarly, if you communicate or share information with a business via features in our app (for example, if we enable direct messaging or feedback to a business), the information you provide will be shared with that business.
- With Service Providers (Third-Party Vendors):
- We use trusted third-party companies to help us run and improve root. These vendors perform various services for us such as cloud hosting, data storage, analytics, crash reporting, email and push notification delivery, customer support, and payment processing (if applicable). For example, we might use a service like Google Firebase for app analytics and notifications, or other cloud providers to host data securely. These service providers only have access to the personal information needed to perform their tasks, and they are contractually obligated to protect your data and keep it confidential. They must also adhere to privacy and security standards that are at least as stringent as those described in this Privacy Policy. They are not allowed to use your information for anything other than helping us provide and improve our services.
- Analytics and Measurement Partners:
- We may share certain limited data with analytics partners to understand how our app is used and to make improvements. This information is typically aggregated or anonymized so it does not personally identify you. For instance, we might tell an analytics platform that “X number of users tried the new feature this week,” without sharing who those users are. If we work with third-party partners to help market our services or measure the success of our own campaigns, we will only share the information that is necessary for those purposes. In such cases, we will ensure that appropriate privacy protections are in place, and we will provide any required notices or obtain consent from you when needed.
- Business Transfers:
- If WOM Online, Inc. (root) is involved in a business transaction like a merger, acquisition, reorganization, or sale of assets, or in the unlikely event of bankruptcy, your information may be transferred to the relevant third party as part of that deal. If such a transfer happens, we will require the new owner or combined entity to continue to protect your personal information in line with this Privacy Policy. We will also notify you of any significant changes to how your information is handled.
- Legal Compliance and Safety:
- We may disclose your information if we are required to do so by law or if we believe in good faith that such disclosure is necessary. This includes situations like responding to valid legal requests (for example, court orders or subpoenas) or addressing lawful requests by public authorities. We might also share information when necessary to enforce our Terms of Service and other agreements, or to protect the rights, property, or safety of root, our users, our business partners, or the public. For example, we may share information to investigate or prevent fraud, security issues, or other harmful or illegal activity.
- With Your Consent or At Your Direction:
- We will share your information with third parties if you ask us to or explicitly give us your permission. For instance, if you choose to link root with another app or service (such as a social media account or a wellness program) or you participate in a co-sponsored promotion, we will share the necessary information with the relevant third party as needed and with your consent.
- Aggregated or De-Identified Information:
- We may also share information that does not identify you personally. This could be information that has been aggregated (combined with data from many users) or data that we have stripped of personal details. We use this kind of information for purposes like research, analyzing trends, or improving our services. For example, we might share general usage statistics with a partner or publish trends about how users as a whole are using root (such as the total number of users in a region or the most popular types of wellness activities) – but this information will not include anything that can identify you.
6. Data Retention
- We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including to provide and improve the Services, comply with our legal and accounting obligations, resolve disputes, and enforce our agreements. The exact retention period can vary depending on the type of information and the context in which it was collected, but we generally apply the following principles:
- We retain account information (such as your profile, settings, and preferences) for as long as your account is active.
- We retain user-generated content (such as posts, comments, and MySpots) for as long as it is needed to provide the Services or until you delete it or your account, subject to the limitations described below.
- We may retain logs, analytics data, and security-related information for a reasonable period for security, troubleshooting, and service improvement.
- We may retain records necessary for legal, tax, or compliance purposes for the period required by applicable law.
- Deletion & Account Closure:
You may delete your account directly in the app by going to Settings → Account → Delete Account (or a substantially similar in-app path). You may also contact us at hello@myrootapp.com or by mail at WOM Online, Inc., 131 Continental Drive, Suite 305, Newark, DE 19713, USA for assistance with deletion requests.
When you request account deletion, we will take steps to delete or de-identify your personal information within a reasonable period, subject to applicable law and our legitimate business needs. In some cases, we may need to retain certain information (for example, to comply with legal obligations, resolve disputes, maintain security, prevent fraud, or enforce our agreements).
We may also retain secure backup copies for a limited period as part of our standard backup and disaster-recovery procedures. Backup copies are stored securely and are overwritten or deleted on a scheduled basis.
Please note that content you have shared with others (for example, posts, comments, or messages) may remain visible to those Users if they have already viewed, saved, or copied it, even after your account is deleted.
7. Cookies & Tracking Technologies
- Overview
- We and our service providers use cookies, mobile identifiers, SDKs, pixel tags, local storage, and similar technologies (“Tracking Technologies”) to help operate, protect, and improve the Services. These technologies allow us to recognize your browser or device, remember your preferences, understand how you interact with the Services, and measure the effectiveness of our communications and features.
- Types of Technologies We Use
- Cookies and Local Storage (Web): Small data files placed on your browser or device that help remember your settings, keep you signed in, and understand usage patterns on our website.
- Mobile SDKs & Device Identifiers (App): Code within our mobile apps and identifiers provided by your device or operating system (such as device and app information, and basic diagnostic identifiers) that help us understand app performance, deliver certain features, and improve reliability.
- Pixel Tags / Web Beacons: Small, transparent images or code that help us and our service providers understand how you interact with emails, web pages, or in-app content (for example, whether a particular email was opened).
- Analytics
- We use analytics tools to help us understand how the Services are used, improve performance and stability, and develop new features. These tools may use cookies, SDKs, or similar technologies to collect information such as your device type, approximate location, app usage, and events within the Services. Where possible, we use aggregated or de-identified information for analytics.
- Targeting & Measurement (If Used)
- We may partner with advertising or measurement providers that use Tracking Technologies to help us understand the performance of our own promotions, referral programs, or campaigns (for example, whether someone who saw a particular link or promotion later created an account). If we use any third-party tools for this purpose, we seek to limit the information shared to what is reasonably necessary and, where required by law, we will provide additional notices and choices.
- Your Choices
- Browser Settings (Web): Most web browsers are set to accept cookies by default, but you can usually choose to remove or reject browser cookies through your browser settings. Doing so may affect certain features or functionality of the Services.
- Mobile Settings (iOS): Your iPhone’s iOS settings may allow you to limit certain types of tracking and control certain device identifiers (for example, by managing app permissions and privacy settings). Please refer to your iOS device settings for more information.
- Email Settings: You can opt out of most marketing emails from us by using the unsubscribe link in the email, though we may still send you non-promotional messages (such as security alerts or important service updates).
Some browsers may transmit “Do Not Track” (“DNT”) signals. Our Services do not currently respond to DNT signals in a uniform way, because there is not yet a common industry standard for doing so. We will continue to review developments around DNT and related technologies.
No Cross-App Tracking: We do not use personal information to track you across third-party apps or websites for advertising purposes, and we do not share personal information for cross-context behavioral advertising.
8. Data Security
We use commercially reasonable and industry-standard safeguards to help protect personal information, including technical, administrative, and physical measures such as encryption in transit, access controls, secure hosting environments, and regular monitoring for unusual activity.
However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security of your information.
You are responsible for maintaining the confidentiality of your account credentials and for limiting access to your devices. Please notify us promptly at hello@myrootapp.com if you believe your account or information has been compromised or accessed without authorization.
9. Children’s Privacy
The Services are not intended for or directed to individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a minor in violation of this policy, we will take reasonable steps to delete such information as soon as practicable.
If you are a parent or guardian and believe that a minor has provided us with personal information, please contact us at hello@myrootapp.com, and we will work to remove that information from our records.
10. International Transfers
The Services are operated from the United States, and your personal information may be processed and stored in the United States or in other countries where we or our service providers operate. These locations may have data protection laws that are different from the laws of your country of residence and, in some cases, may provide a lower level of protection.
Where required by applicable law, we implement appropriate safeguards to help ensure that any cross-border transfers of personal information provide an adequate level of protection. These safeguards may include standard contractual clauses approved by relevant regulatory authorities or other lawful transfer mechanisms.
By using the Services or providing us with your information, you acknowledge that your personal information may be transferred to and processed in the United States and other countries as described in this Privacy Policy. If you have questions about our international data transfer practices or the safeguards we use, you can contact us at hello@myrootapp.com.
11. Your Rights & Choices
Depending on your location and applicable law, you may have certain rights in relation to your personal information. These may include the right to:
- Access your personal information and obtain a copy of the data we hold about you.
- Correct or update inaccurate or incomplete information (for example, by editing your profile within the Services).
- Delete or request the erasure of certain personal information, subject to our legitimate business needs and legal obligations.
- You can initiate account deletion in the app via Settings → Account → Delete Account, or contact us at hello@myrootapp.com for help.
- Object to or request restriction of certain processing activities (for example, where we process your information based on our legitimate interests).
- Withdraw consent where we rely on your consent to process your information (such as certain marketing communications), without affecting the lawfulness of processing carried out before you withdraw your consent.
- Portability, in some jurisdictions, by requesting a copy of certain personal information in a structured, commonly used, and machine-readable format.
You also have choices about how we communicate with you and how certain information is used:
- You can manage some privacy and communication settings directly in your account (for example, profile visibility, notifications, and certain sharing options), where such controls are made available in the app.
- You can opt out of non-essential marketing emails at any time by using the unsubscribe link in those emails or by adjusting your preferences, while still receiving important transactional or service-related messages.
To exercise any of the rights described above, or if you have questions about your rights, please contact us using the information provided in Section 13 (Contact Us). We may take steps to verify your identity before responding to your request, and your rights may be subject to certain limitations or exceptions under applicable law.
12. Jurisdiction-Specific Disclosures
Certain privacy laws (such as the California Consumer Privacy Act, as amended (“CCPA”), the EU/EEA General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act, and similar laws in other jurisdictions) grant additional rights or require specific disclosures. This section is intended to supplement the other parts of this Privacy Policy for individuals in those locations.
- California Residents (CCPA / CPRA)
If you are a California resident, you may have the right to:
- Know / Access: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
- Delete: Request the deletion of certain personal information we have collected about you, subject to applicable exceptions.
- Correct: Request correction of inaccurate personal information that we maintain about you.
- Opt Out of Certain Uses: Where applicable, opt out of the “sale” or “sharing” of personal information, as those terms are defined under California law, and limit the use and disclosure of sensitive personal information.
- Non-Discrimination: We will not discriminate against you for exercising your rights under California law (for example, by denying you services, charging different prices, or providing a different level or quality of services), subject to permitted program differences that relate reasonably to the value of your data.
At the time of this Privacy Policy, root does not sell personal information for money and does not share personal information for cross-context behavioral advertising as those terms are defined under California law. If this changes in the future, we will update this Privacy Policy and provide any required notices and choices, including a way to opt out.
You may exercise your rights as described in this section by contacting us using the information in Section 13 (Contact Us). We may need to verify your identity (and, in some cases, your residency) before fulfilling your request. You may also designate an authorized agent to make certain requests on your behalf, subject to verification requirements.
- EEA / EU and UK Residents (GDPR / UK GDPR):
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, you have the rights described in Section 11, including the rights to:
- access, rectification, erasure, restriction of processing, and data portability;
- object to processing, including processing based on our legitimate interests and processing for direct marketing; and
- withdraw consent where we rely on consent as a legal basis (see Section 4 for more information on our legal bases for processing).
You also have the right to lodge a complaint with a competent data protection authority if you believe that our processing of your personal information violates applicable data protection laws. We encourage you to first contact us so we can address your concerns directly, but you are not required to do so before contacting a supervisory authority.
For further details about how to exercise your rights or to submit a request, please contact us using the email or postal address provided in Section 13 (Contact Us).
13. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, reach us at:
WOM Online, Inc. (d/b/a root)
131 Continental Drive
Suite 305
Newark, DE 19713, USA
Email: hello@myrootapp.com
We will respond to inquiries within a reasonable timeframe, consistent with applicable law.
14. Changes to This Policy
We may modify or update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws. When we make material changes, we will take appropriate steps to notify you, such as updating the “Last Updated” date at the top of this Privacy Policy, posting a notice within the Services, or sending you an email if we have your current email address.
We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices. Your continued use of the Services after any changes become effective signifies your acknowledgment of, and agreement to, the updated Privacy Policy. If you do not agree with the updated Policy, you should stop using the Services.
Disclaimer
This Privacy Policy is intended to provide a general overview of how WOM Online, Inc. (d/b/a root) handles personal information and does not constitute legal advice or a legal guarantee of compliance. Privacy and data protection laws may impose additional or more specific requirements depending on your location, the types of data involved, and how you use the Services. You should consult with a qualified attorney to ensure that this Privacy Policy, and your use of the Services, comply with all laws and regulations that apply to you.