Who we are
Beetroots Studio (“Beetroots”, “we”, “us”) operates beetroots.io and the client portal at beetroots.io/dashboard, and is the data controller for the personal data described here. For any privacy question or to exercise a right, contact [email protected].
What we collect & why
- Enquiry & booking details — Name, email, company, budget and message when you use the contact or booking forms. Lawful basis: legitimate interest and steps prior to a contract.
- Account & profile data — If you create a client account: authentication data via Clerk, plus the company, brand and contact details you add to your profile. Lawful basis: contract.
- Submissions & uploads — The briefs you submit and any files you upload (product shots, logos, footage, references) so we can produce your ads. Lawful basis: contract.
- Deliverables & usage data — The ads we produce for you and basic delivery/engagement metrics. Lawful basis: contract / legitimate interest.
- Billing data — Plan, invoices and payment status. Card details are handled by Stripe — we never store full card numbers. Lawful basis: contract / legal obligation.
- Analytics — Cookieless, aggregate metrics via Vercel (always on, no personal data); and, only with your consent, behavioural analytics via PostHog. Lawful basis: legitimate interest (cookieless) and consent (PostHog).
- Email preferences — Newsletter sign-ups via Resend. Lawful basis: consent.
Cookies & analytics
We use a small number of strictly necessary cookies to run the site and keep you signed in. Our top-line analytics (Vercel) are cookieless and collect no personal data, so they run for all visits. Deeper behavioural analytics (PostHog) load only after you opt in via the cookie banner, and you can withdraw consent at any time. For the full list of cookies and categories, see our Cookie Policy. You can re-open your choices through the “Cookie preferences” link in the footer.
Files you upload
Assets you upload to a brief or your profile (product shots, logos, footage, references) are stored with Cloudflare R2 and/or Mux solely to produce and deliver your ads. You confirm you have the rights to share them (see our Terms of Service). We do not use your uploads or deliverables to train third-party AI models.
Sub-processors
We share data only with the providers needed to run the service:
- Vercel — Website hosting, plus cookieless Web Analytics & Speed Insights (aggregate traffic and performance — no personal data, no cross-site tracking).
- Clerk — Account authentication and identity (name, email, OAuth identifiers, session).
- Neon (PostgreSQL) — Primary database — leads, bookings, accounts, profiles, submissions and billing records.
- Cloudflare R2 & Mux — Storage, encoding and delivery of video and files you upload (product shots, logos, references) and the ads we deliver.
- PostHog — Product analytics (page views, funnels, sessions) — only after you opt in via the cookie banner.
- Resend — Transactional and newsletter email delivery.
- Cal.com — Call scheduling and associated contact details.
- Cloudflare Turnstile — Bot protection on forms (privacy-preserving, no tracking cookies).
- Upstash — Rate limiting and asynchronous notification jobs.
- Stripe — Payment and subscription processing (introduced in a later phase).
Retention
- Enquiries & leads — up to 24 months from last contact, then deleted or anonymised.
- Account, profile, submissions & uploads — for as long as your account is active; deleted or anonymised within 90 days of account closure, unless we must keep them longer for legal reasons.
- Billing records — as required by tax and accounting law (typically 6–7 years).
- Analytics — retained per each provider's configured window; cookieless metrics are aggregate only.
How we protect your data
Data is encrypted in transit (TLS) and at rest with our providers, access is limited to those who need it, and the client portal is protected by authentication. No method of transmission or storage is perfectly secure, but we take reasonable measures to protect your information.
International transfers
Some providers operate outside your country, including the United States. Where data is transferred, it is protected by appropriate safeguards such as the EU/UK Standard Contractual Clauses.
Your rights
Subject to your jurisdiction (including the UK GDPR, EU GDPR, and laws such as the CCPA), you have the right to access, correct, delete, restrict, object to, or port your data, and to withdraw consent at any time. We do not sell your personal data. To exercise any right, email [email protected]. You also have the right to complain to your local data protection authority.
Children
Our services are for businesses and are not directed to anyone under 18. We do not knowingly collect data from children.
Changes
We'll post any material changes on this page and update the date above. Significant changes affecting your rights will be communicated where appropriate.