PRIVACY POLICY

Deep Roots Apotheke & Clinic LLC

Effective Date: April 3, 2026
Last Updated: April 3, 2026

1. INTRODUCTION

This Privacy Policy ("Policy") describes the privacy practices of Deep Roots Apotheke & Clinic LLC, doing business as Deep Roots School of Foraging & Herbal Medicine ("Company," "we," "us," or "our"), regarding the collection, use, disclosure, and protection of personal information. This Policy applies to information collected through the Company's website, online platforms, courses, subscription services, email communications, in-person classes, events, and all other Company services and operations.

By accessing or using the Company's services, users acknowledge that they have read and understood this Policy and consent to the collection and processing of their personal information as described herein.

2. SCOPE OF POLICY

This Policy governs all personal information collected by the Company through:

  • Website and digital properties

  • Online courses and educational programs, including the Advanced Medicine Making Course (AMMC), Herbal Medicine Monthly Subscription (HMMS), Kitchen Medicine, and Southeastern Foraging Conference (SEFC)

  • Email communications and newsletters

  • In-person classes, workshops, and events

  • Customer support channels

  • Social media platforms operated by the Company

  • Offline interactions and data collection

The Company may establish separate privacy policies for specific services, products, or acquisitions. Such separate policies will be clearly identified.

3. DATA CONTROLLER AND CONTACT INFORMATION

Controller: Deep Roots Apotheke & Clinic LLC
Principal: Cameron Strouss
Location: Birmingham, Alabama, United States
Email for Privacy Inquiries: cameron@deeprootsherbschool.com

The Company is the data controller responsible for the collection and processing of personal information as described in this Policy.

4. CATEGORIES OF PERSONAL INFORMATION COLLECTED

4.1 Personally Identifiable Information

The Company collects the following types of personally identifiable information:

  • Full name, email address, mailing address, and telephone number

  • Account username and password

  • Date of birth and age information

  • Gender and demographic data

  • Health and medical history information provided in consultation or course contexts

  • Photographs, video recordings, and audio recordings submitted by users

  • Written communications, testimonials, and feedback

4.2 Transaction Information

In connection with purchases of products and services, the Company collects:

  • Description and quantity of items or services purchased

  • Purchase date and transaction amount

  • Transaction status and payment confirmation

  • Shipping address and delivery information

  • Refund and return requests

4.3 Payment Information

The Company does not directly collect, process, or store credit card numbers, debit card information, banking credentials, or other sensitive payment data. All payment processing is handled exclusively by third-party payment processors, including Infusionsoft (Keap), PayPal, Stripe, Square, and similar providers. Payment processors maintain independent privacy policies and security protocols. Users are bound by the privacy policies and terms of service of the respective payment processor.

4.4 Academic and Course Information

For users enrolled in courses or educational programs, the Company collects:

  • Course enrollment and registration information

  • Attendance records

  • Assessment results and quiz scores

  • Assignment submissions and academic performance

  • Course completion status and certificates earned

  • User-generated content and class participation records

4.5 Automatically Collected Technical Information

The Company automatically collects certain information through website and service interactions:

  • Internet Protocol (IP) address and device identifiers

  • Device type, operating system, and browser specifications

  • Websites visited and pages accessed

  • Time spent on each page and navigation patterns

  • Links clicked and user interactions

  • Referring website or source

  • General geographic location derived from IP address

  • Cookies, web beacons, and similar tracking technologies

  • Log data and analytics identifiers

4.6 Information from Third Parties

The Company may receive personal information from third-party sources, including:

  • Email service providers and marketing automation platforms

  • Social media platforms when users authorize account connections

  • Analytics and web tracking services

  • Course management and learning platforms

  • Payment processors and financial service providers

  • Public databases and commercially available data sources

4.7 Health and Clinical Information

Users may voluntarily provide sensitive health information in the following circumstances:

  • Enrollment in clinical or consultative programs

  • Requests for herbal guidance or wellness consultations

  • Intake forms and health questionnaires

  • Medical history, current medications, supplement use, and allergies

  • Records of previous herbal treatments or clinical consultations

  • Communications regarding health conditions and wellness concerns

Such information is subject to heightened protections as described in Section 8.

5. USE OF PERSONAL INFORMATION

The Company uses collected personal information for the following lawful purposes:

5.1 Service Delivery

  • Registering and managing user accounts

  • Processing orders, payments, and refunds

  • Delivering courses, educational materials, and services

  • Providing customer support and responding to user inquiries

  • Administering subscriptions and recurring services

  • Fulfilling and shipping physical orders

  • Maintaining records of services provided

5.2 Communication

  • Sending transactional emails (order confirmations, receipts, passwords)

  • Communicating course updates, schedules, and administrative information

  • Sending newsletters and promotional materials (with user consent or to existing customers)

  • Responding to user requests and inquiries

  • Conducting surveys and collecting feedback

  • Notifying users of policy changes

5.3 Improvement and Optimization

  • Analyzing usage patterns to improve website and service functionality

  • Understanding user preferences and engagement

  • Testing new features and functionality

  • Conducting analytics to identify trends

  • Optimizing marketing and advertising effectiveness

  • Personalizing user experience

5.4 Security and Legal Compliance

  • Detecting and preventing fraud, abuse, and unauthorized access

  • Protecting the security of systems and data

  • Enforcing the Company's Terms of Use and other agreements

  • Complying with applicable laws, regulations, and legal process

  • Protecting the rights, safety, and property of the Company, users, and the public

  • Maintaining records for regulatory and audit purposes

5.5 Marketing and Business Development

  • Identifying and targeting potential customers

  • Creating audience segments for targeted advertising

  • Measuring the effectiveness of marketing campaigns

  • Creating aggregated, anonymized reports on user interests and demographics

  • Developing new products and services

6. LEGAL BASIS FOR PROCESSING

Where applicable under international privacy laws (including GDPR, CCPA, PIPEDA, and similar regulations), the Company processes personal information based on the following lawful bases:

  • Consent: User has explicitly consented to the processing of their data (e.g., opting into email communications or agreeing to terms of service)

  • Contractual Performance: Processing is necessary to perform services that the user has requested or purchased

  • Legal Obligation: Processing is required by applicable law or regulation

  • Legitimate Interests: Processing is necessary for the Company's legitimate business interests, including fraud prevention, security, service improvement, and marketing, where such interests are not overridden by user privacy rights

  • Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person

Users may object to processing based on legitimate interests by contacting the Company at cameron@deeprootsherbschool.com.

7. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

7.1 No Sale of Personal Information

The Company does not sell, rent, trade, or otherwise transfer personally identifiable information to unaffiliated third parties for their independent marketing purposes. The Company does not facilitate the sale of personal information under the meaning of the California Consumer Privacy Act (CCPA) or similar state privacy laws.

7.2 Service Providers and Processors

The Company discloses personal information to third-party service providers and data processors who assist in operating the Company's website, delivering services, and conducting business, including:

  • Email service providers (ConvertKit, ManyChat, Infusionsoft/Keap)

  • Course and learning management platforms

  • Social media management and advertising platforms (Publer, Buffer, Meta, Google)

  • Website hosting and infrastructure providers

  • Customer relationship management (CRM) systems

  • Payment processors and financial service providers

  • Analytics and tracking services

  • Cloud storage providers

  • Video hosting services (Vimeo, YouTube)

All service providers are contractually required to maintain the confidentiality of personal information, use such information only for specified purposes, and implement security measures equivalent to or exceeding those of the Company. The Company conducts due diligence and periodic audits of service provider practices.

7.3 Legally Required Disclosure

The Company may disclose personal information when required or permitted by law, including:

  • Response to valid subpoenas, court orders, warrants, or other legal process

  • Compliance with federal, state, or local regulatory requirements

  • Enforcement of the Company's Terms of Use and other agreements

  • Protection of the safety, rights, and property of the Company, users, or the public

  • Detection and prevention of fraud or illegal activities

The Company shall provide notice of such disclosure where legally permissible.

7.4 Aggregated and Anonymized Data

The Company may disclose, sell, or license aggregated or anonymized data that cannot reasonably be used to identify individuals. Such data is not subject to the restrictions in this Policy and may be used or shared for any business purpose.

7.5 Business Transactions

In the event of a merger, acquisition, bankruptcy, or sale of the Company or substantially all of its assets, personal information may be disclosed to or transferred to the acquiring entity or successor as part of such transaction. Users will be notified of any such change in ownership or control of their personal information.

7.6 Authorized Disclosures with User Consent

The Company may disclose personal information to third parties when the user has provided explicit consent or requested such disclosure (e.g., providing health information to an authorized healthcare provider).

8. HEALTH AND CLINICAL INFORMATION

8.1 Special Protections

Personal information that constitutes health data or clinical records is subject to heightened confidentiality protections under this Section. Health information includes medical history, medications, allergies, treatment records, and other information related to the user's health or wellness.

8.2 Limited Use

Health information is used exclusively for:

  • Providing herbal guidance and wellness consultation

  • Clinical assessment and treatment planning

  • Improving the quality of care

  • Maintaining continuity of care

  • Complying with legal and professional obligations

8.3 Restricted Disclosure

Health information will not be disclosed to third parties except:

  • With the user's explicit written consent

  • To authorized healthcare providers or practitioners whom the user has specifically authorized

  • When required by law, court order, or regulatory process

  • For legitimate medical or safety emergencies

8.4 Data Retention

Health and clinical information will be retained in accordance with professional standards for medical record retention, typically a minimum of seven (7) years from the date of last service, to ensure continuity of care and comply with professional obligations.

8.5 Not Medical Care

The Company provides herbal education and guidance; its services do not constitute medical care, diagnosis, or treatment. Users experiencing medical emergencies should contact emergency services (911) or the nearest emergency room. Herbal consultation is not a substitute for professional medical care.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Use of Cookies

The Company uses cookies and similar tracking technologies to:

  • Maintain user sessions and authentication

  • Store user preferences and settings

  • Facilitate website functionality and security

  • Collect usage data and analytics

  • Deliver targeted advertising

Cookies are small text files placed on user devices that enable the Company to recognize users and remember information about their interactions.

9.2 Types of Cookies

  • Essential Cookies: Required for website functionality, login, and payment processing

  • Preference Cookies: Store user settings and preferences

  • Analytics Cookies: Collect data on website usage and performance (Google Analytics)

  • Marketing Cookies: Enable targeted advertising by the Company and third-party advertisers

  • Third-Party Cookies: Placed by advertising and analytics partners

9.3 User Control

Users may manage cookie preferences through browser settings. Most browsers allow users to:

  • Refuse all cookies

  • Delete existing cookies

  • Receive notification when a cookie is placed

Users should note that disabling cookies may impair website functionality and prevent access to certain features.

9.4 Third-Party Cookies

Third-party service providers, including Google, Facebook, and other advertising platforms, may place cookies to:

  • Facilitate service delivery

  • Collect analytics data

  • Display targeted advertisements

  • Measure advertising effectiveness

Such third parties maintain their own privacy policies and terms. Users should review the privacy policies of third-party providers for information on their cookie practices and opt-out mechanisms.

9.5 Do Not Track

The Company does not respond to or honor "Do Not Track" signals sent by browser features or extensions, as no industry standard for handling such signals currently exists.

For a detailed explanation of the Company's cookie practices, see the Company's Cookie Policy [link].

10. THIRD-PARTY LINKS AND SERVICES

10.1 No Responsibility for Third-Party Sites

The Company's website and communications may contain links to third-party websites and services. The Company is not responsible for:

  • The privacy practices or policies of third-party sites

  • The content, accuracy, or practices of third-party sites

  • Personal information provided to third parties

  • How third parties use, protect, or disclose personal information

Users should review the privacy policies of third-party sites before providing any personal information.

10.2 Social Media Integration

The Company may permit users to connect social media accounts (Facebook, Instagram, Twitter, etc.) for account creation, comments, or sharing. When users authorize such connections:

  • The social media platform may provide the Company with profile information, including profile image, display name, username, page ID, and public demographic data

  • The user grants the Company permission to access and use such information as described in this Policy

  • Users may disconnect their social media accounts through account settings

  • Social media platforms maintain their own privacy policies governing their use of user data

11. GOOGLE ANALYTICS AND ADVERTISING SERVICES

11.1 Google Analytics

The Company uses Google Analytics to analyze website traffic and user behavior. Google Analytics collects:

  • IP address and device information

  • Pages visited and user interactions

  • Duration of site visits

  • Referring websites

  • Geographic location

Google may use this data to show targeted advertisements to users across the internet. Users may opt out of Google Analytics tracking by installing Google's Analytics opt-out browser extension. For more information, visit: https://tools.google.com/dlpage/gaoptout

11.2 Google and Facebook Advertising

The Company uses Google Ads and Facebook Ads to display targeted advertisements to potential customers. These services:

  • Track user behavior across websites using cookies and tracking pixels

  • Build audience segments based on user interests and behavior

  • Display targeted advertisements based on such segments

  • May use user email addresses to create custom audiences

Users may opt out of personalized advertising:

  • Google: https://support.google.com/ads/answer/2662922

  • Facebook: Settings > Ads > Ad Preferences

12. DATA SECURITY

12.1 Security Measures

The Company implements technical, organizational, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction:

  • Encryption of data in transit using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols

  • Encryption of sensitive data at rest

  • Secure, password-protected servers with restricted access

  • Regular security scans and vulnerability assessments

  • Firewall and intrusion detection systems

  • Access controls limiting employee access to personal information to those with legitimate business need

  • Employee training on data protection and confidentiality

  • Contractual confidentiality obligations for all employees and contractors

12.2 Payment Card Processing

The Company does not store, process, or transmit payment card information on its own servers. All payment card data is processed directly by third-party payment processors in accordance with PCI Data Security Standards.

12.3 Limitations on Security

No security system is impenetrable. While the Company makes reasonable efforts to protect personal information, the Company cannot guarantee absolute protection against all security threats, unauthorized access, or data breaches. Users acknowledge and accept the inherent risks associated with internet communications.

13. DATA BREACHES AND INCIDENT NOTIFICATION

13.1 Breach Notification

In the event of a data breach or unauthorized access to personal information, the Company shall:

  • Investigate the breach to determine its scope, nature, and impact

  • Notify affected users by email within seven (7) business days of discovering the breach

  • Notify competent regulatory authorities within 72 hours of discovering the breach (if required by applicable law)

  • Provide notice to affected users as soon as practicable and without unreasonable delay

13.2 Notification Contents

Breach notifications shall include:

  • Description of the personal information affected

  • The nature and scope of the breach

  • Actions the Company is taking to address the breach and prevent future incidents

  • Recommendations for users to protect themselves (e.g., password changes, credit monitoring)

  • Contact information for the Company's privacy officer or designated contact

  • Additional resources or assistance available to affected users

13.3 Public Notice

The Company shall post a notice of any breach affecting a large number of users on its website or through other reasonable means of notification.

14. INTERNATIONAL DATA TRANSFERS

14.1 Transfer of Data

The Company is based in the United States. Personal information collected from users may be transferred to, stored in, and processed in the United States and other countries where the Company or its service providers maintain facilities.

14.2 User Consent to Transfer

By using the Company's services, users consent to the transfer of their personal information to countries outside their country of origin, which may have different data protection laws than the user's home country.

14.3 Adequacy and Safeguards

For transfers to countries that do not have equivalent data protection laws (particularly with respect to users in the European Union, United Kingdom, Canada, and other privacy-protected jurisdictions):

  • The Company may rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)

  • Service providers maintain contractual obligations to protect transferred data

  • Additional safeguards are implemented to ensure data protection equivalent to that provided in the originating jurisdiction

  • Users may lodge complaints with competent regulatory authorities regarding transfer practices

For EU/UK users, see Section 16 for additional information on GDPR compliance.

15. DATA RETENTION AND DELETION

15.1 Retention General Principle

The Company retains personal information only for so long as necessary to fulfill the purposes for which it was collected, unless longer retention is required by law.

15.2 Retention Periods by Category

Information Type             Retention Period               Reason
Account Information          Duration of account + 3 years  Business records, tax compliance
Course Completion Records    Permanent                      Credential and certificate history
Transaction/Payment Records  7 years                        Tax law and financial compliance
Email Communications         Until unsubscribe + 1 year     CAN-SPAM compliance, archival
Health/Clinical Records      7 years minimum                Professional standards, continuity of care
Analytics Data               26 months                      Google Analytics default setting
Website Log Data             30-90 days                     Security and technical support
Cookies                      Varies by type                 Session, preference, or analytics purpose

15.3 Deletion and Anonymization

Upon request, the Company shall delete or anonymize personal information, except where:

  • Retention is required by law

  • The information is necessary to enforce legal claims

  • The information relates to continuing legal disputes

  • Anonymization is not technically feasible

Deleted information will be removed from active systems. Information may persist in backup systems for a limited time before being purged.

16. PRIVACY RIGHTS BY JURISDICTION

16.1 General Data Protection Regulation (GDPR) - EU and UK Users

Users in the European Union and United Kingdom have additional rights under GDPR, including:

Right to Access: Users may request confirmation of whether personal information is being processed and receive a copy of such information.

Right to Rectification: Users may request correction of inaccurate personal information.

Right to Erasure ("Right to be Forgotten"): Users may request deletion of personal information under certain circumstances.

Right to Restrict Processing: Users may request that the Company limit processing of personal information.

Right to Data Portability: Users may request personal information in a portable, machine-readable format and have it transferred to another controller.

Right to Object: Users may object to processing based on legitimate interests or for direct marketing purposes.

Automated Decision-Making: Users have rights with respect to decisions made solely by automated processes.

Right to Lodge a Complaint: Users may lodge complaints with their national data protection authority (e.g., Information Commissioner's Office in the UK).

Right to Withdraw Consent: Users may withdraw consent to processing at any time.

To exercise GDPR rights, users should contact the Company at cameron@deeprootsherbschool.com.

16.2 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

California residents have rights including:

Right to Know: Request what personal information is collected, used, shared, or sold.

Right to Delete: Request deletion of personal information collected from the user (with specific exceptions).

Right to Correct: Request correction of inaccurate personal information.

Right to Opt-Out: Opt out of "sales" or "sharing" of personal information (including for targeted advertising).

Right to Non-Discrimination: The Company shall not discriminate against users for exercising their California privacy rights through differential pricing or service quality.

Right to Limit Use: Request that the Company limit use and disclosure of sensitive personal information.

To submit a California privacy request, users should contact cameron@deeprootsherbschool.com and include proof of residency.

16.3 Other US State Privacy Laws

Additional state privacy laws may apply in Colorado, Connecticut, Utah, Virginia, and other jurisdictions. Users in these states may have rights similar to those described above. For information on specific state rights, contact the Company.

16.4 Canadian Privacy Laws (PIPEDA)

Users in Canada are protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). Users have rights to access, correct, and request deletion of personal information and may lodge complaints with the Office of the Privacy Commissioner of Canada.

17. EMAIL COMMUNICATIONS AND CAN-SPAM COMPLIANCE

17.1 Consent Requirements

The Company sends commercial emails, including newsletters, promotional materials, and product updates, only to users who have:

  • Explicitly opted in to receive such communications

  • Purchased products or services from the Company and consented to receive related communications

17.2 CAN-SPAM Compliance

All commercial emails from the Company comply with the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). Specifically:

  • All emails include the Company's physical business address

  • Subject lines accurately reflect content and are not false or misleading

  • Commercial messages are clearly identified as advertisements or promotions

  • Each email includes a functional, clear opt-out or unsubscribe mechanism

  • Unsubscribe requests are processed within ten (10) business days

17.3 Email Service Providers

The Company uses third-party email service providers including ConvertKit, ManyChat, and Infusionsoft/Keap to send emails. These providers maintain their own privacy policies and are required to comply with CAN-SPAM and other applicable regulations.

17.4 Transactional Emails

Transactional emails (order confirmations, receipts, account updates, password resets) may be sent to users regardless of opt-out status, as these are necessary for business and legal compliance.

18. USER RIGHTS REGARDING PERSONAL INFORMATION

18.1 Access and Verification

Users may request information about what personal information the Company holds about them. To submit such a request:

  • Email cameron@deeprootsherbschool.com

  • Include full name and email address

  • Clearly describe what information is requested

  • Provide verification of identity if required

The Company shall respond within 30 days with information about personal data held.

18.2 Correction and Updates

Users may correct, update, or modify personal information by:

  • Logging into their account and updating information directly

  • Emailing cameron@deeprootsherbschool.com with a description of the correction needed

  • Providing verification of the correction

The Company shall respond within 30 days.

18.3 Deletion Requests

Users may request deletion of their personal information by emailing cameron@deeprootsherbschool.com. Requests should include:

  • Full name and email address

  • Specific information to be deleted or a request for complete account deletion

  • Statement of reason for deletion request (optional)

The Company shall respond within 30 days and comply unless deletion is not feasible or legally permissible.

18.4 Opt-Out of Marketing

Users may opt out of marketing communications by:

  • Clicking the unsubscribe link at the bottom of any email

  • Emailing cameron@deeprootsherbschool.com with a request to unsubscribe

  • Adjusting notification preferences in their account

The Company shall process opt-out requests within ten (10) business days.

18.5 Opt-Out of Analytics and Targeting

Users may opt out of analytics tracking and targeted advertising as described in Section 11 above.

19. ACCOUNT SECURITY AND USER RESPONSIBILITIES

19.1 User Responsibility

Users who create accounts on the Company's platform are responsible for:

  • Creating and maintaining a strong, unique password

  • Keeping password information confidential

  • Not sharing account credentials with third parties

  • Immediately notifying the Company of any unauthorized access

  • All activities occurring under their username and password

19.2 Company Limitation of Liability

The Company is not liable for:

  • Loss, theft, or unauthorized use of account credentials

  • Data breaches resulting from user negligence or failure to protect password information

  • Unauthorized account access by third parties when the Company has implemented reasonable security measures

  • Impacts of users sharing credentials with others

19.3 Unauthorized Use

Users shall notify the Company immediately of any unauthorized or improper use of their account by contacting cameron@deeprootsherbschool.com.

20. MINORS AND CHILDREN

The Company does not knowingly collect personal information from individuals under age sixteen (16). If the Company becomes aware that personal information from someone under age 16 has been collected, it shall delete such information within a reasonable timeframe.

If a parent or guardian believes their child has provided personal information without consent, they should contact the Company immediately at cameron@deeprootsherbschool.com.

21. CHANGES TO THIS POLICY

21.1 Updates and Modifications

The Company may update this Privacy Policy at any time to reflect:

  • Changes in business operations or services

  • Changes in applicable laws or regulations

  • Improvements in privacy practices

  • User feedback and requests

21.2 Notification of Changes

  • The Company will post the updated Policy on its website with a new "Last Updated" date

  • Material changes will be communicated to users by email or prominent notice on the website

  • For material changes, the Company may require explicit opt-in consent

21.3 Continued Use

Users' continued use of the Company's services following the posting of changes constitutes acceptance of the revised Policy.

22. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or the Company's privacy practices, users should contact:

Email: cameron@deeprootsherbschool.com
Mailing Address: Deep Roots Apotheke & Clinic LLC, Birmingham, Alabama

The Company shall respond to inquiries within ten (10) business days.

For additional information, visit the Company's website or Terms of Use.
