Rooted Passage: Privacy & Data Protection Policy

1. Introduction and Scope of Policy

Welcome to Rooted Passage (“we”, “us”, “our”). We are dedicated to providing transformative retreat experiences that foster connection, growth, and wellness. In doing so, we recognize that your personal data is not just information—it is a reflection of your identity and your trust in us. This Privacy Policy has been meticulously crafted to ensure that you have complete transparency regarding how we collect, use, store, and protect your information. By accessing and using our website, www.rootedpassage.co (the “Website”), engaging with our services, or providing your personal data to us through any medium, you acknowledge that you have read, understood, and consented to the practices described in this policy.

The digital landscape is complex, but our commitment to your privacy is straightforward. We aim to handle your data responsibly, securely, and in strict accordance with applicable laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy is designed to cover all interactions within the Rooted Passage ecosystem, including website browsing, formal applications, booking procedures, and day-to-day communications via email, WhatsApp, or social media platforms. Our ultimate goal is to provide you with clarity, trust, and absolute control over your personal data at every stage of your journey with us.

2. Data Controller Information

For the purposes of data protection law, Rooted Passage acts as the Data Controller. This means we are the entity responsible for deciding how and why your personal data is processed. We take this responsibility seriously and have implemented internal protocols to ensure that every piece of information we touch is handled with the highest level of care.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, we encourage you to reach out to us directly. Our designated contact point for all privacy matters is:

  • Email: rootedpassage.co@gmail.com

  • Website: www.rootedpassage.co

We are committed to responding to all inquiries promptly and helping you understand your rights in relation to the information we hold.

3. Core Principles of Data Protection

Rooted Passage adheres to the fundamental principles of data protection as outlined in the UK GDPR. These principles form the bedrock of our privacy framework and guide every decision we make regarding information technology and customer service.

  • Lawfulness, Fairness, and Transparency: We only process data when we have a valid legal reason to do so, and we are always open about what those reasons are.

  • Purpose Limitation: We collect your data for specific, explicit, and legitimate purposes (such as organizing a retreat) and do not use it for anything incompatible with those goals.

  • Data Minimisation: We do not believe in "data hoarding." We only ask for the information that is strictly necessary to provide our services.

  • Accuracy: We take reasonable steps to ensure your data is accurate and, where necessary, kept up to date.

  • Storage Limitation: We don't keep your data forever. Once it is no longer needed for the purpose it was collected, it is securely deleted or anonymized.

  • Integrity and Confidentiality: We use industry-standard security measures to protect your data from unauthorized access, accidental loss, or destruction.

4. Categories of Personal Data We Collect

To provide a seamless and safe retreat experience, we must collect various types of information. We categorize this data to help you understand exactly what we are looking at.

4.1 Identity and Contact Data

This category is the most basic information required to establish a relationship with you. It includes your full name, email address, telephone number (including WhatsApp contact details), and your country of residence. We collect this during the initial inquiry phase, when you fill out a form on our website, or when you move forward with a formal booking. This allows us to know who you are and how to reach you with vital updates.

4.2 Communication Data

Every time you send us an email, message us on WhatsApp, or interact with our social media profiles, we generate Communication Data. This includes the content of your messages, the metadata associated with them, and any feedback or complaints you provide. Retaining this data is essential for maintaining a high standard of customer service and ensuring we have a record of any special requests or issues raised during your interaction with Rooted Passage.

4.3 Booking and Customer Data

Once you commit to a retreat, we collect more specific information to facilitate the experience. This includes your specific booking details, room preferences (e.g., shared vs. private), your history of participation in previous Rooted Passage events, and travel-related details such as flight numbers and arrival times. This information is the "logistical engine" that allows us to ensure your room is ready and your transport is waiting.

4.4 Payment Data

Financial security is our top priority. All payments are processed through secure, PCI-DSS compliant third-party providers such as Stripe. While we facilitate the transaction, Rooted Passage does not store your full credit card numbers or CVV codes on our own servers. We receive confirmation of payment, transaction identifiers, and billing details, which allow us to reconcile our accounts and confirm your spot on the retreat.

4.5 Technical and Usage Data

When you visit our Website, we automatically collect data about how you interact with our digital platform. This includes your IP address, browser type and version, time zone setting, operating system, and information about the pages you visit and how long you stay on them. This data is largely used for diagnostic and analytical purposes to help us improve the website's performance and user experience.

4.6 Marketing Data

We track your preferences regarding the receipt of marketing materials. This includes whether you have opted into our newsletter and how you interact with our digital advertisements or email campaigns (such as click-through rates). This helps us ensure that we are only sending you content that you find genuinely interesting.

4.7 Special Category Data

In the context of a wellness retreat, we may need to collect "Special Category" data, which is more sensitive in nature. This specifically relates to your health, including dietary requirements, severe allergies, or physical conditions that might affect your ability to participate in certain activities. We process this data with the utmost sensitivity and only with your explicit voluntary consent or where it is strictly necessary for your safety and well-being during the retreat.

5. Methods of Data Collection

We utilize a variety of methods to collect data, ensuring that we have a comprehensive understanding of your needs while maintaining technical efficiency.

  • Direct Interactions: The vast majority of the data we hold comes directly from you. This happens when you fill out a Typeform booking application, send us a WhatsApp message to ask a question, or talk to us directly via email.

  • Automated Technologies: As you move through our Website, we may automatically collect technical data through the use of cookies, server logs, and similar technologies. This helps us understand the "flow" of our audience.

  • Third-Party Sources: We receive information from external partners, such as Stripe (for payment confirmation), Google Analytics (for traffic insights), and various advertising platforms (to understand which of our campaigns led you to us).

6. How and Why We Use Your Data

Our use of your data is always tied to providing value and ensuring the smooth operation of our business.

6.1 Providing and Managing Services

The primary reason we process your data is to fulfill our contract with you. This includes managing your booking, confirming your reservation, and coordinating with local partners (such as accommodation providers) to ensure your stay meets our standards. Without this data, we simply could not deliver the retreat experience.

6.2 Essential Communication

We use your contact information to provide "transactional" updates. These are not marketing messages but essential communications regarding your retreat, such as packing lists, itinerary changes, or emergency updates. This also includes responding to any questions you send our way via customer support channels.

6.3 Personalisation of Experience

Rooted Passage is not a "one size fits all" company. We use your preferences and dietary information to adapt the retreat experience to your specific needs. This ensures that the plant-based meals provided are safe for you and that the workshops are tailored to the general level of the group.

6.4 Improving Business Operations

We analyze usage data to see which parts of our Website are working and which are causing confusion. This allows us to constantly develop our services and improve the digital "front door" of Rooted Passage.

6.5 Marketing and Community Building

With your consent, we use your data to keep you informed about future retreats, early-bird offers, and wellness content. We believe in building a long-term community, and these communications are designed to keep the spirit of the retreat alive long after you've returned home.

7. Lawful Bases for Processing

Under the UK GDPR, we must have a "lawful basis" for every processing activity we undertake. We primarily rely on the following:

  • Contractual Necessity: Processing is necessary to fulfill the booking contract we have with you.

  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., improving our website or ensuring our marketing is relevant), provided these interests do not override your fundamental rights.

  • Consent: Where we process sensitive health data or send direct marketing emails, we rely on your explicit, opt-in consent.

  • Legal Obligation: In some cases, we are required by law to keep records (for example, for tax purposes or to comply with health and safety regulations).

8. Marketing Communications and Opting Out

We want our marketing to be a source of inspiration, not a nuisance. You will only receive marketing communications from us if you have actively opted in to receive them, or if you have previously booked with us and have not opted out.

You have the absolute right to stop receiving these messages at any time. Every marketing email we send includes an "unsubscribe" link at the bottom. Alternatively, you can simply email us at hello@rootedpassage.com and ask to be removed from our mailing list. We will process these requests immediately.

9. Data Sharing and Third-Party Disclosures

Rooted Passage does not, and will never, sell your personal data to third parties for their own marketing purposes. However, we do share data with a select group of trusted service providers who help us run our business:

  • Payment Processors: Such as Stripe, to handle your transactions securely.

  • Internal Tools: Such as Typeform (for applications), CRM software, and email platforms (like Mailchimp or similar) to manage our community.

  • Logistical Partners: We may share your name and dietary requirements with our local accommodation and catering partners to ensure your needs are met on-site.

  • Professional Advisers: Including lawyers, bankers, auditors, and insurers who provide consultancy and legal services.

All our third-party providers are contractually obligated to protect your data and are prohibited from using it for any purpose other than the specific service they are providing to us.

10. International Data Transfers

Rooted Passage is a global community, and our service providers may operate outside the United Kingdom or the European Economic Area (EEA). Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We only transfer data to countries that have been deemed to provide an adequate level of protection for personal data.

  • We use specific "Standard Contractual Clauses" approved for use in the UK which give personal data the same protection it has in the UK.

11. Rigorous Data Security Measures

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. This includes encrypted storage, secure access controls for our staff, and the use of firewalls and secure socket layers (SSL) for data transmission.

In the highly unlikely event of a data breach, we have procedures in place to deal with the situation. We will notify you and any applicable regulator of a breach where we are legally required to do so. However, please remember that no method of transmission over the internet is 100% secure, and we encourage you to take steps to protect your own digital identity.

12. Data Retention: How Long We Keep Your Info

We only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

  • Booking Records: We typically keep basic customer information (including Contact, Identity, and Transaction Data) for six years after the retreat for tax and legal protection purposes.

  • Communication Records: General inquiries that do not lead to a booking are typically deleted after two years.

  • Marketing Data: We keep this until you withdraw your consent or "unsubscribe."

13. Your Legal Rights

Under data protection laws, you have rights that we are committed to upholding:

  • Access: You can request a copy of the personal data we hold about you.

  • Correction: You can ask us to correct any incomplete or inaccurate data.

  • Erasure: Also known as the "right to be forgotten," you can ask us to delete your data where there is no good reason for us to continue processing it.

  • Object/Restrict: You can object to us processing your data for direct marketing or ask us to suspend processing in certain scenarios.

  • Withdraw Consent: Where we rely on consent, you can pull it back at any time.

To exercise any of these rights, please contact us at hello@rootedpassage.com. We do not usually charge a fee for this, but we may ask for proof of identity to ensure we are not disclosing data to the wrong person.

14. Cookie Policy

Our Website uses cookies to distinguish you from other users. This helps us provide you with a good experience when you browse and also allows us to improve our site. We use "Strictly Necessary" cookies for site functionality, "Analytical" cookies to understand visitor numbers, and "Marketing" cookies to track the effectiveness of our outreach. You can set your browser to refuse all or some browser cookies, but please note that some parts of the Website may become inaccessible or not function properly if you do so.

15. Third-Party External Links

Our Website may include links to third-party websites, plug-ins, and applications (such as social media buttons). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.

16. Complaints and Regulatory Authority

If you are unhappy with how we have handled your data, we would appreciate the chance to deal with your concerns first. However, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

17. Protection of Children’s Data

Rooted Passage retreats and services are strictly intended for individuals aged 18 and over. We do not knowingly collect or solicit personal data from anyone under the age of 18. If we learn that we have inadvertently collected personal data from a minor, we will delete that information with immediate effect.

18. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. When we make material changes, we will update the "Last Revised" date at the bottom of the policy and, if the changes are significant, we may notify you via email. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

last revised: 4th of April 2026