Privacy Policy

Boulderoot, Inc. (“Boulderoot,” “we,” “us”) provides personalized meal planning, ingredient sourcing focused on clean and regenerative farming practices, and in-home professional chef services delivered by our team. This policy explains what information we collect, why we collect it, who processes it on our behalf, and the rights you have over it. It applies to our website, our mobile application, and the services we deliver to your home.

1. SMS messaging (A2P 10DLC)

We use SMS to send authentication codes and operational notifications related to your service.

• Mobile number non-sharing. We do not share mobile phone numbers with third parties or affiliates for marketing or promotional purposes.
• Message frequency. You may receive SMS messages as part of authentication — typically 1–3 per sign-in session, with additional messages if you request to resend your code. We do not use SMS for marketing or promotional purposes.
• Carrier disclosure. Message and data rates may apply.
• Opting out. Reply STOP to any message to opt out of SMS. Reply HELP for help. Opting out of SMS does not affect your access to other Boulderoot services; we will continue to reach you by email and in-app messaging.

2. Information we collect

We collect the following categories of personal information:

• Account data: phone number, first and last name, and email address (collected at signup or checkout).
• Profile data: dietary preferences, allergens, health goals, and household size.
• Address data: delivery address and kitchen access notes (collected during service setup, so we can deliver ingredients and schedule chef visits).
• Order and usage data: meal plans, saved recipes, and chef session history.
• Payment data: handled by a PCI-compliant payment processor. We do not store payment card numbers on our systems.
• Device data: push notification tokens, application version, and operating system version.
• Communications: messages sent through in-app chat (processed through our internal team communication infrastructure), voicemails, and SMS replies to support.

3. Why we collect it

• Authentication. Your phone number is used to send one-time verification codes that sign you into your account.
• Service delivery. Address data is used to coordinate ingredient delivery and chef visits. Dietary information is used to plan meals and place sourcing orders.
• Payment processing. Your email is shared with our payment processor to send receipts and to support two-factor authentication of payment events.
• Support. Communications and device data let us respond to questions and diagnose issues.
• Service improvement. When we are wired up to product analytics tools, we use anonymized usage data to understand how the app is used and where to improve it.

4. Third parties that process your data

We use the following service providers. Each has its own privacy practices and processes data under a contract with us.

• Payment processing.
• SMS authentication delivery.
• Calendar scheduling sync — for coordinating chef visits and consultations.
• Transactional email delivery.
• Cloud database and authentication infrastructure.
• Push notification delivery — to your device.
• Error tracking and product analytics — when enabled.
• Mobile app distribution.

For a specific list of the vendors we work with in any of these categories, email privacy@boulderoot.com. We update this list when we add a new vendor that handles personal data.

5. Your rights

Boulderoot launched in Colorado, and the Colorado Privacy Act (CPA) applies to our service. We extend the same rights to residents of California (CCPA) and other U.S. states with comparable laws. You have the right to:

• access the personal data we hold about you;
• request that we delete that data (the “right to be forgotten”);
• correct inaccurate data;
• opt out of the sale of personal data.

We do not sell personal data and we do not share it for cross-context behavioral advertising.

To exercise any of these rights, email privacy@boulderoot.com or use the in-app Delete Account flow. We respond within 45 days as required by the CPA and CCPA, and we may extend that period once where the law allows.

6. Children

Boulderoot is intended for users 18 years of age or older. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact privacy@boulderoot.com and we will delete it.

7. Data retention

• Active accounts. We retain your data for as long as your subscription is active and as needed to operate the service.
• Cancelled or deleted accounts. When you request deletion through the in-app Delete Account flow, we anonymize your profile data and cancel your subscription immediately. This action is not reversible.
• Backups. Routine backups age out within a 7-day retention window, after which no copies of your deleted data remain. We do not preserve deleted data in long-term archives.

8. Security

• Data is encrypted in transit using TLS and at rest at our infrastructure providers.
• We use phone-based one-time-passcode authentication; we do not store passwords.
• Payment card numbers are handled by a PCI-compliant payment processor and never stored on our systems.
• We work to protect your information, but no system is 100% secure. We will notify you of a material breach as required by law.

9. Contact and jurisdiction

You can reach us at support@boulderoot.com for general questions and privacy@boulderoot.com for privacy requests.

This policy is governed by the laws of the State of Colorado, USA.

10. Changes to this policy

When we make material changes, we will notify you in advance through an in-app banner and by email to the address on your account. The “Last reviewed” date at the top of this page reflects the current version. Continued use of Boulderoot after a change takes effect means you accept the updated policy.

Last reviewed: May 8, 2026.