PRIVACY POLICY
Deep Roots Apotheke & Clinic LLC
Effective Date: April 3, 2026
Last Updated: April 3, 2026
1. INTRODUCTION
This Privacy Policy ("Policy") describes the privacy practices of Deep Roots Apotheke & Clinic LLC, doing business as Deep Roots School of Foraging & Herbal Medicine ("Company," "we," "us," or "our"), regarding the collection, use, disclosure, and protection of personal information. This Policy applies to information collected through the Company's website, online platforms, courses, subscription services, email communications, in-person classes, events, and all other Company services and operations.
By accessing or using the Company's services, users acknowledge that they have read and understood this Policy and consent to the collection and processing of their personal information as described herein.
2. SCOPE OF POLICY
This Policy governs all personal information collected by the Company through:
Website and digital properties
Online courses and educational programs, including the Advanced Medicine Making Course (AMMC), Herbal Medicine Monthly Subscription (HMMS), Kitchen Medicine, and Southeastern Foraging Conference (SEFC)
Email communications and newsletters
In-person classes, workshops, and events
Customer support channels
Social media platforms operated by the Company
Offline interactions and data collection
The Company may establish separate privacy policies for specific services, products, or acquisitions. Such separate policies will be clearly identified.
3. DATA CONTROLLER AND CONTACT INFORMATION
Controller: Deep Roots Apotheke & Clinic LLC
Principal: Cameron Strouss
Location: Birmingham, Alabama, United States
Email for Privacy Inquiries: cameron@deeprootsherbschool.com
The Company is the data controller responsible for the collection and processing of personal information as described in this Policy.
4. CATEGORIES OF PERSONAL INFORMATION COLLECTED
4.1 Personally Identifiable Information
The Company collects the following types of personally identifiable information:
Full name, email address, mailing address, and telephone number
Account username and password
Date of birth and age information
Gender and demographic data
Health and medical history information provided in consultation or course contexts
Photographs, video recordings, and audio recordings submitted by users
Written communications, testimonials, and feedback
4.2 Transaction Information
In connection with purchases of products and services, the Company collects:
Description and quantity of items or services purchased
Purchase date and transaction amount
Transaction status and payment confirmation
Shipping address and delivery information
Refund and return requests
4.3 Payment Information
The Company does not directly collect, process, or store credit card numbers, debit card information, banking credentials, or other sensitive payment data. All payment processing is handled exclusively by third-party payment processors, including Infusionsoft (Keap), PayPal, Stripe, Square, and similar providers. Payment processors maintain independent privacy policies and security protocols. Users are bound by the privacy policies and terms of service of the respective payment processor.
4.4 Academic and Course Information
For users enrolled in courses or educational programs, the Company collects:
Course enrollment and registration information
Attendance records
Assessment results and quiz scores
Assignment submissions and academic performance
Course completion status and certificates earned
User-generated content and class participation records
4.5 Automatically Collected Technical Information
The Company automatically collects certain information through website and service interactions:
Internet Protocol (IP) address and device identifiers
Device type, operating system, and browser specifications
Websites visited and pages accessed
Time spent on each page and navigation patterns
Links clicked and user interactions
Referring website or source
General geographic location derived from IP address
Cookies, web beacons, and similar tracking technologies
Log data and analytics identifiers
4.6 Information from Third Parties
The Company may receive personal information from third-party sources, including:
Email service providers and marketing automation platforms
Social media platforms when users authorize account connections
Analytics and web tracking services
Course management and learning platforms
Payment processors and financial service providers
Public databases and commercially available data sources
4.7 Health and Clinical Information
Users may voluntarily provide sensitive health information in the following circumstances:
Enrollment in clinical or consultative programs
Requests for herbal guidance or wellness consultations
Intake forms and health questionnaires
Medical history, current medications, supplement use, and allergies
Records of previous herbal treatments or clinical consultations
Communications regarding health conditions and wellness concerns
Such information is subject to heightened protections as described in Section 8.
5. USE OF PERSONAL INFORMATION
The Company uses collected personal information for the following lawful purposes:
5.1 Service Delivery
Registering and managing user accounts
Processing orders, payments, and refunds
Delivering courses, educational materials, and services
Providing customer support and responding to user inquiries
Administering subscriptions and recurring services
Fulfilling and shipping physical orders
Maintaining records of services provided
5.2 Communication
Sending transactional emails (order confirmations, receipts, passwords)
Communicating course updates, schedules, and administrative information
Sending newsletters and promotional materials (with user consent or to existing customers)
Responding to user requests and inquiries
Conducting surveys and collecting feedback
Notifying users of policy changes
5.3 Improvement and Optimization
Analyzing usage patterns to improve website and service functionality
Understanding user preferences and engagement
Testing new features and functionality
Conducting analytics to identify trends
Optimizing marketing and advertising effectiveness
Personalizing user experience
5.4 Security and Legal Compliance
Detecting and preventing fraud, abuse, and unauthorized access
Protecting the security of systems and data
Enforcing the Company's Terms of Use and other agreements
Complying with applicable laws, regulations, and legal process
Protecting the rights, safety, and property of the Company, users, and the public
Maintaining records for regulatory and audit purposes
5.5 Marketing and Business Development
Identifying and targeting potential customers
Creating audience segments for targeted advertising
Measuring the effectiveness of marketing campaigns
Creating aggregated, anonymized reports on user interests and demographics
Developing new products and services
6. LEGAL BASIS FOR PROCESSING
Where applicable under international privacy laws (including GDPR, CCPA, PIPEDA, and similar regulations), the Company processes personal information based on the following lawful bases:
Consent: User has explicitly consented to the processing of their data (e.g., opting into email communications or agreeing to terms of service)
Contractual Performance: Processing is necessary to perform services that the user has requested or purchased
Legal Obligation: Processing is required by applicable law or regulation
Legitimate Interests: Processing is necessary for the Company's legitimate business interests, including fraud prevention, security, service improvement, and marketing, where such interests are not overridden by user privacy rights
Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person
Users may object to processing based on legitimate interests by contacting the Company at cameron@deeprootsherbschool.com.
7. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
7.1 No Sale of Personal Information
The Company does not sell, rent, trade, or otherwise transfer personally identifiable information to unaffiliated third parties for their independent marketing purposes. The Company does not facilitate the sale of personal information under the meaning of the California Consumer Privacy Act (CCPA) or similar state privacy laws.
7.2 Service Providers and Processors
The Company discloses personal information to third-party service providers and data processors who assist in operating the Company's website, delivering services, and conducting business, including:
Email service providers (ConvertKit, ManyChat, Infusionsoft/Keap)
Course and learning management platforms
Social media management and advertising platforms (Publer, Buffer, Meta, Google)
Website hosting and infrastructure providers
Customer relationship management (CRM) systems
Payment processors and financial service providers
Analytics and tracking services
Cloud storage providers
Video hosting services (Vimeo, YouTube)
All service providers are contractually required to maintain the confidentiality of personal information, use such information only for specified purposes, and implement security measures equivalent to or exceeding those of the Company. The Company conducts due diligence and periodic audits of service provider practices.
7.3 Legally Required Disclosure
The Company may disclose personal information when required or permitted by law, including:
Response to valid subpoenas, court orders, warrants, or other legal process
Compliance with federal, state, or local regulatory requirements
Enforcement of the Company's Terms of Use and other agreements
Protection of the safety, rights, and property of the Company, users, or the public
Detection and prevention of fraud or illegal activities
The Company shall provide notice of such disclosure where legally permissible.
7.4 Aggregated and Anonymized Data
The Company may disclose, sell, or license aggregated or anonymized data that cannot reasonably be used to identify individuals. Such data is not subject to the restrictions in this Policy and may be used or shared for any business purpose.
7.5 Business Transactions
In the event of a merger, acquisition, bankruptcy, or sale of the Company or substantially all of its assets, personal information may be disclosed to or transferred to the acquiring entity or successor as part of such transaction. Users will be notified of any such change in ownership or control of their personal information.
7.6 Authorized Disclosures with User Consent
The Company may disclose personal information to third parties when the user has provided explicit consent or requested such disclosure (e.g., providing health information to an authorized healthcare provider).
8. HEALTH AND CLINICAL INFORMATION
8.1 Special Protections
Personal information that constitutes health data or clinical records is subject to heightened confidentiality protections under this Section. Health information includes medical history, medications, allergies, treatment records, and other information related to the user's health or wellness.
8.2 Limited Use
Health information is used exclusively for:
Providing herbal guidance and wellness consultation
Clinical assessment and treatment planning
Improving the quality of care
Maintaining continuity of care
Complying with legal and professional obligations
8.3 Restricted Disclosure
Health information will not be disclosed to third parties except:
With the user's explicit written consent
To authorized healthcare providers or practitioners whom the user has specifically authorized
When required by law, court order, or regulatory process
For legitimate medical or safety emergencies
8.4 Data Retention
Health and clinical information will be retained in accordance with professional standards for medical record retention, typically a minimum of seven (7) years from the date of last service, to ensure continuity of care and comply with professional obligations.
8.5 Not Medical Care
The Company provides herbal education and guidance; these services do not constitute medical care, diagnosis, or treatment. Users experiencing medical emergencies should contact emergency services (911) or the nearest emergency room. Herbal consultation is not a substitute for professional medical care.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 Use of Cookies
The Company uses cookies and similar tracking technologies to:
Maintain user sessions and authentication
Store user preferences and settings
Facilitate website functionality and security
Collect usage data and analytics
Deliver targeted advertising
Cookies are small text files placed on user devices that enable the Company to recognize users and remember information about their interactions.
9.2 Types of Cookies
Essential Cookies: Required for website functionality, login, and payment processing
Preference Cookies: Store user settings and preferences
Analytics Cookies: Collect data on website usage and performance (Google Analytics)
Marketing Cookies: Enable targeted advertising by the Company and third-party advertisers
Third-Party Cookies: Placed by advertising and analytics partners
9.3 User Control
Users may manage cookie preferences through browser settings. Most browsers allow users to:
Refuse all cookies
Delete existing cookies
Receive notification when a cookie is placed
Users should note that disabling cookies may impair website functionality and prevent access to certain features.
9.4 Third-Party Cookies
Third-party service providers, including Google, Facebook, and other advertising platforms, may place cookies to:
Facilitate service delivery
Collect analytics data
Display targeted advertisements
Measure advertising effectiveness
Such third parties maintain their own privacy policies and terms. Users should review the privacy policies of third-party providers for information on their cookie practices and opt-out mechanisms.
9.5 Do Not Track
The Company does not respond to or honor "Do Not Track" signals sent by browser features or extensions, as no industry standard for handling such signals currently exists.
For a detailed explanation of the Company's cookie practices, see the Company's Cookie Policy [link].
10. THIRD-PARTY LINKS AND SERVICES
10.1 No Responsibility for Third-Party Sites
The Company's website and communications may contain links to third-party websites and services. The Company is not responsible for:
The privacy practices or policies of third-party sites
The content, accuracy, or practices of third-party sites
Personal information provided to third parties
How third parties use, protect, or disclose personal information
Users should review the privacy policies of third-party sites before providing any personal information.
10.2 Social Media Integration
The Company may permit users to connect social media accounts (Facebook, Instagram, Twitter, etc.) for account creation, comments, or sharing. When users authorize such connections:
The social media platform may provide the Company with profile information, including profile image, display name, username, page ID, and public demographic data
The user grants the Company permission to access and use such information as described in this Policy
Users may disconnect their social media accounts through account settings
Social media platforms maintain their own privacy policies governing their use of user data
11. GOOGLE ANALYTICS AND ADVERTISING SERVICES
11.1 Google Analytics
The Company uses Google Analytics to analyze website traffic and user behavior. Google Analytics collects:
IP address and device information
Pages visited and user interactions
Duration of site visits
Referring websites
Geographic location
Google may use this data to show targeted advertisements to users across the internet. Users may opt out of Google Analytics tracking by installing Google's Analytics opt-out browser extension. For more information, visit: https://tools.google.com/dlpage/gaoptout
11.2 Google and Facebook Advertising
The Company uses Google Ads and Facebook Ads to display targeted advertisements to potential customers. These services:
Track user behavior across websites using cookies and tracking pixels
Build audience segments based on user interests and behavior
Display targeted advertisements based on such segments
May use user email addresses to create custom audiences
Users may opt out of personalized advertising:
Google: https://support.google.com/ads/answer/2662922
Facebook: Settings > Ads > Ad Preferences
12. DATA SECURITY
12.1 Security Measures
The Company implements technical, organizational, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction:
Encryption of data in transit using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
Encryption of sensitive data at rest
Secure, password-protected servers with restricted access
Regular security scans and vulnerability assessments
Firewall and intrusion detection systems
Access controls limiting employee access to personal information to those with legitimate business need
Employee training on data protection and confidentiality
Contractual confidentiality obligations for all employees and contractors
12.2 Payment Card Processing
The Company does not store, process, or transmit payment card information on its own servers. All payment card data is processed directly by third-party payment processors in accordance with PCI Data Security Standards.
12.3 Limitations on Security
No security system is impenetrable. While the Company makes reasonable efforts to protect personal information, the Company cannot guarantee absolute protection against all security threats, unauthorized access, or data breaches. Users acknowledge and accept the inherent risks associated with internet communications.
13. DATA BREACHES AND INCIDENT NOTIFICATION
13.1 Breach Notification
In the event of a data breach or unauthorized access to personal information, the Company shall:
Investigate the breach to determine its scope, nature, and impact
Notify affected users by email within seven (7) business days of discovering the breach
Notify competent regulatory authorities within 72 hours of discovering the breach (if required by applicable law)
Provide notice to affected users as soon as practicable and without unreasonable delay
13.2 Notification Contents
Breach notifications shall include:
Description of the personal information affected
The nature and scope of the breach
Actions the Company is taking to address the breach and prevent future incidents
Recommendations for users to protect themselves (e.g., password changes, credit monitoring)
Contact information for the Company's privacy officer or designated contact
Additional resources or assistance available to affected users
13.3 Public Notice
The Company shall post a notice of any breach affecting a large number of users on its website or through other reasonable means of notification.
14. INTERNATIONAL DATA TRANSFERS
14.1 Transfer of Data
The Company is based in the United States. Personal information collected from users may be transferred to, stored in, and processed in the United States and other countries where the Company or its service providers maintain facilities.
14.2 User Consent to Transfer
By using the Company's services, users consent to the transfer of their personal information to countries outside their country of origin, which may have different data protection laws than the user's home country.
14.3 Adequacy and Safeguards
For transfers to countries that do not have equivalent data protection laws (particularly with respect to users in the European Union, United Kingdom, Canada, and other privacy-protected jurisdictions):
The Company may rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)
Service providers maintain contractual obligations to protect transferred data
Additional safeguards are implemented to ensure data protection equivalent to that provided in the originating jurisdiction
Users may lodge complaints with competent regulatory authorities regarding transfer practices
For EU/UK users, see Section 16 for additional information on GDPR compliance.
15. DATA RETENTION AND DELETION
15.1 Retention General Principle
The Company retains personal information only for so long as necessary to fulfill the purposes for which it was collected, unless longer retention is required by law.
15.2 Retention Periods by Category
Information Type | Retention Period | Reason
Account Information | Duration of account + 3 years | Business records, tax compliance
Course Completion Records | Permanent | Credential and certificate history
Transaction/Payment Records | 7 years | Tax law and financial compliance
Email Communications | Until unsubscribe + 1 year | CAN-SPAM compliance, archival
Health/Clinical Records | 7 years minimum | Professional standards, continuity of care
Analytics Data | 26 months | Google Analytics default setting
Website Log Data | 30-90 days | Security and technical support
Cookies | Varies by type | Session, preference, or analytics purpose
15.3 Deletion and Anonymization
Upon request, the Company shall delete or anonymize personal information, except where:
Retention is required by law
The information is necessary to enforce legal claims
The information relates to continuing legal disputes
Anonymization is not technically feasible
Deleted information will be removed from active systems. Information may persist in backup systems for a limited time before being purged.
16. PRIVACY RIGHTS BY JURISDICTION
16.1 General Data Protection Regulation (GDPR) - EU and UK Users
Users in the European Union and United Kingdom have additional rights under GDPR, including:
Right to Access: Users may request confirmation of whether personal information is being processed and receive a copy of such information.
Right to Rectification: Users may request correction of inaccurate personal information.
Right to Erasure ("Right to be Forgotten"): Users may request deletion of personal information under certain circumstances.
Right to Restrict Processing: Users may request that the Company limit processing of personal information.
Right to Data Portability: Users may request personal information in a portable, machine-readable format and have it transferred to another controller.
Right to Object: Users may object to processing based on legitimate interests or for direct marketing purposes.
Automated Decision-Making: Users have rights with respect to decisions made solely by automated processes.
Right to Lodge a Complaint: Users may lodge complaints with their national data protection authority (e.g., Information Commissioner's Office in the UK).
Right to Withdraw Consent: Users may withdraw consent to processing at any time.
To exercise GDPR rights, users should contact the Company at cameron@deeprootsherbschool.com.
16.2 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
California residents have rights including:
Right to Know: Request what personal information is collected, used, shared, or sold.
Right to Delete: Request deletion of personal information collected from the user (with specific exceptions).
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out: Opt out of "sales" or "sharing" of personal information (including for targeted advertising).
Right to Non-Discrimination: The Company shall not discriminate against users for exercising their California privacy rights through differential pricing or service quality.
Right to Limit Use: Request that the Company limit use and disclosure of sensitive personal information.
To submit a California privacy request, users should contact cameron@deeprootsherbschool.com and include proof of residency.
16.3 Other US State Privacy Laws
Additional state privacy laws may apply in Colorado, Connecticut, Utah, Virginia, and other jurisdictions. Users in these states may have rights similar to those described above. For information on specific state rights, contact the Company.
16.4 Canadian Privacy Laws (PIPEDA)
Users in Canada are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). Users have rights to access, correct, and request deletion of personal information and may lodge complaints with the Office of the Privacy Commissioner of Canada.
17. EMAIL COMMUNICATIONS AND CAN-SPAM COMPLIANCE
17.1 Consent Requirements
The Company sends commercial emails, including newsletters, promotional materials, and product updates, only to users who have:
Explicitly opted in to receive such communications
Purchased products or services from the Company and consented to receive related communications
17.2 CAN-SPAM Compliance
All commercial emails from the Company comply with the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). Specifically:
All emails include the Company's physical business address
Subject lines accurately reflect content and are not false or misleading
Commercial messages are clearly identified as advertisements or promotions
Each email includes a functional, clear opt-out or unsubscribe mechanism
Unsubscribe requests are processed within ten (10) business days
17.3 Email Service Providers
The Company uses third-party email service providers including ConvertKit, ManyChat, and Infusionsoft/Keap to send emails. These providers maintain their own privacy policies and are required to comply with CAN-SPAM and other applicable regulations.
17.4 Transactional Emails
Transactional emails (order confirmations, receipts, account updates, password resets) may be sent to users regardless of opt-out status, as these are necessary for business and legal compliance.
18. USER RIGHTS REGARDING PERSONAL INFORMATION
18.1 Access and Verification
Users may request information about what personal information the Company holds about them. To submit such a request:
Email cameron@deeprootsherbschool.com
Include full name and email address
Clearly describe what information is requested
Provide verification of identity if required
The Company shall respond within 30 days with information about personal data held.
18.2 Correction and Updates
Users may correct, update, or modify personal information by:
Logging into their account and updating information directly
Emailing cameron@deeprootsherbschool.com with a description of the correction needed
Providing verification of the correction
The Company shall respond within 30 days.
18.3 Deletion Requests
Users may request deletion of their personal information by emailing cameron@deeprootsherbschool.com. Requests should include:
Full name and email address
Specific information to be deleted or request for complete account deletion
Statement of reason for deletion request (optional)
The Company shall respond within 30 days and comply unless deletion is not feasible or legally permissible.
18.4 Opt-Out of Marketing
Users may opt out of marketing communications by:
Clicking the unsubscribe link at the bottom of any email
Emailing cameron@deeprootsherbschool.com with a request to unsubscribe
Adjusting notification preferences in their account
The Company shall process opt-out requests within ten (10) business days.
18.5 Opt-Out of Analytics and Targeting
Users may opt out of analytics tracking and targeted advertising as described in Section 11 above.
19. ACCOUNT SECURITY AND USER RESPONSIBILITIES
19.1 User Responsibility
Users who create accounts on the Company's platform are responsible for:
Creating and maintaining a strong, unique password
Keeping password information confidential
Not sharing account credentials with third parties
Immediately notifying the Company of any unauthorized access
All activities occurring under their username and password
19.2 Company Limitation of Liability
The Company is not liable for:
Loss, theft, or unauthorized use of account credentials
Data breaches resulting from user negligence or failure to protect password information
Unauthorized account access by third parties when the Company has implemented reasonable security measures
Impacts of users sharing credentials with others
19.3 Unauthorized Use
Users shall notify the Company immediately of any unauthorized or improper use of their account by contacting cameron@deeprootsherbschool.com.
20. MINORS AND CHILDREN
The Company does not knowingly collect personal information from individuals under age sixteen (16). If the Company becomes aware that personal information from someone under age 16 has been collected, it shall delete such information within a reasonable timeframe.
If a parent or guardian believes their child has provided personal information without consent, they should contact the Company immediately at cameron@deeprootsherbschool.com.
21. CHANGES TO THIS POLICY
21.1 Updates and Modifications
The Company may update this Privacy Policy at any time to reflect:
Changes in business operations or services
Changes in applicable laws or regulations
Improvements in privacy practices
User feedback and requests
21.2 Notification of Changes
The Company will post the updated Policy on its website with a new "Last Updated" date
Material changes will be communicated to users by email or prominent notice on the website
For material changes, the Company may require explicit opt-in consent
21.3 Continued Use
Users' continued use of the Company's services following the posting of changes constitutes acceptance of the revised Policy.
22. CONTACT INFORMATION
For questions, concerns, or requests regarding this Privacy Policy or the Company's privacy practices, users should contact:
Email: cameron@deeprootsherbschool.com
Mailing Address: Deep Roots Apotheke & Clinic LLC, Birmingham, Alabama
The Company shall respond to inquiries within ten (10) business days.
For additional information, visit the Company's website or Terms of Use.
