Privacy Policy !
ROOTSY MARKETPLACE INC.
PRIVACY POLICY
Effective Date: January 2026
Last Updated: May 2026
1. PURPOSE, SCOPE, AND APPLICABLE LAWS
This Privacy Policy and Cookie Policy (“Policy”) explains how Rootsy Marketplace Inc. (“Rootsy,” “we,” “our,” or “us”) collects, uses, discloses, retains, and protects personal information when users access or use the Rootsy website, marketplace platform, mobile applications, buyer accounts, seller dashboards, checkout tools, shipping tools, support channels, and related services (collectively, the “Platform”).
This Policy applies to buyers, sellers, seller applicants, visitors, newsletter subscribers, and anyone accessing or interacting with the Platform.
Rootsy operates in compliance with applicable privacy laws.
Nothing in this Policy limits or excludes rights under applicable privacy, consumer protection, or anti-spam legislation that cannot be contracted away. If there is a conflict between this Policy and a more specific privacy commitment made to you in writing, the more specific commitment governs.
This Policy is incorporated into Rootsy’s Buyer Terms & Conditions and Seller Terms & Conditions. In the event of a conflict between this Policy and a more specific privacy commitment made to you in writing, the more specific commitment governs.
2. WHO WE ARE AND PRIVACY CONTACT
Rootsy Marketplace Inc. is an Ontario-based company operating an online marketplace platform connecting independent Canadian sellers with buyers across Canada.
Rootsy has designated a Privacy Officer responsible for overseeing personal information practices and responding to privacy inquiries and complaints.
Privacy Officer Contact:
contact@rootsy.ca
Mailing Address:
Rootsy Marketplace Inc.
1218 Mineola Gardens
Mississauga, ON
L5G 3Y3
You may contact our Privacy Officer to:
- Request access to your personal information
- Request correction of inaccurate information
- Withdraw consent, subject to legal or contractual restrictions
- Submit a privacy complaint
- Exercise any applicable rights under applicable privacy law
3. PERSONAL INFORMATION WE COLLECT
3.1 Information You Provide Directly
Rootsy may collect personal information that you provide directly, including:
- Account registration information, such as name, email address, phone number, password, and province or region
- Buyer information, such as shipping address, delivery instructions, order preferences, and payment method details
- Payment method details processed by Stripe. Rootsy does not store full credit card numbers.
- Seller information, such as business name, business address, GST/HST number, bank account details, business registration information, product category information, insurance documents, licence documents for regulated product categories, and required compliance documents
- Support and communication information, such as messages, support tickets, return requests, dispute submissions, photos or videos submitted as evidence, and communications with Rootsy
- Reviews, ratings, and feedback submitted through the Platform
- Marketing consent and communication preferences
- Age verification information for age-restricted products, where applicable
3.2 Information Collected Automatically
Rootsy may automatically collect certain information when you access or use the Platform, including:
- Device and browser information, such as IP address, device type, device identifier, browser type and version, operating system, app version, and screen resolution
- Usage data, such as pages visited, products viewed, search queries, links clicked, referral source, session duration, cart and checkout activity, and navigation patterns
- Cookies and similar technologies, as described in Section 10 of this Policy
- Location data, including approximate location derived from IP address and precise location only where you have expressly enabled this
- Transaction data, such as order history, payment status, shipping records, return and refund history, and dispute records
3.3 Information from Third Parties
Rootsy may receive personal information from third parties, including:
- Payment processors, such as transaction status, payment authorization results, and fraud signals from Stripe
- Logistics providers, such as delivery status, carrier tracking events, and delivery confirmation from third-party carriers and logistics providers
- Fraud prevention providers, such as risk signals to help detect and prevent fraudulent orders and account misuse
- Identity verification providers, where verification is required for restricted categories. For example, where alcohol or another age-restricted product is involved, identity verification providers may share verification results
4. HOW WE USE PERSONAL INFORMATION
Rootsy uses personal information for the following purposes:
Operating the Platform
- Creating and managing buyer and seller accounts
- Processing orders and payments
- Coordinating shipping and logistics
- Facilitating returns, refunds, and dispute resolution
- Providing customer support
Communicating with You
- Sending order confirmations
- Sending shipping notifications
- Sending refund updates
- Sending account alerts
- Responding to support requests
- Sending other transactional and operational communications
Verifying Identity and Preventing Fraud
- Verifying buyer and seller identity
- Confirming business registration, licences, and tax information
- Detecting and preventing fraudulent orders
- Detecting payment misuse, chargeback abuse, and account takeover
Regulatory Compliance
- Complying with legal obligations, including tax reporting
- Responding to product safety requirements
- Sending recall notifications
- Responding to regulatory requests, court orders, and law enforcement requests
Improving the Platform
- Analyzing how users interact with the Platform
- Improving search, navigation, checkout, listings, and seller tools
- Diagnosing technical errors
- Measuring platform performance
Marketing and Promotional Communications
- Sending commercial electronic messages
- Sending promotional offers, newsletters, and seller outreach
- Sending marketing messages only where you have provided CASL-compliant consent
Age Verification and Regulated Product Compliance
- Verifying buyer age for alcohol and other age-restricted products
- Maintaining compliance records as required by law
Personalizing Your Experience
- Displaying relevant product recommendations
- Displaying promotional content
- Displaying marketplace features based on browsing and purchase history
Seller Performance Monitoring
- Monitoring seller fulfilment rates
- Monitoring shipment timeliness
- Monitoring seller-caused cancellation rates
- Monitoring inventory accuracy
- Monitoring return and refund rates
- Monitoring dispute and chargeback rates
- Monitoring response times
- Monitoring listing quality and product compliance
- Maintaining marketplace standards and account health
Subscription, Billing, and Payout Administration
- Processing seller subscription fees
- Processing commissions
- Calculating payouts
- Processing refund and chargeback deductions
- Recovering negative balances
- Managing related financial administration
Rootsy will not use your personal information for a purpose other than those described above without your consent or as required or permitted by law.
5. CONSENT AND LEGAL BASIS
Rootsy relies on consent as the primary legal basis for collecting and using personal information, except where another legal ground applies, such as legal obligation or legitimate interest to the extent recognized under applicable law.
Where consent is required, Rootsy will obtain it before or at the time of collection.
You may withdraw consent at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect Rootsy’s ability to provide services to you.
To withdraw consent, contact our Privacy Officer or use the relevant account, unsubscribe, or preference controls on the Platform.
6. HOW WE DISCLOSE PERSONAL INFORMATION
Rootsy may share personal information with the following parties:
Sellers
Rootsy may share personal information with sellers to facilitate order fulfilment, shipping, return, refund, and dispute processes. Sellers may receive buyer name, shipping address, order details, and return reason as needed for transaction purposes.
Sellers are prohibited from using buyer information for off-platform marketing or non-transaction purposes. Sellers must not add buyer contact information to mailing lists, SMS lists, or marketing systems without a valid legal basis. Sellers must protect buyer information with reasonable security measures. Sellers must immediately notify Rootsy of any actual or suspected breach involving buyer information.
Buyers
Rootsy may share seller contact information with buyers where necessary to resolve disputes, coordinate returns, or for other transaction-related purposes.
Service Providers
Rootsy may share personal information with service providers for payment processing, logistics, communications, customer support, analytics, fraud prevention, and other operational functions.
Legal and Regulatory Authorities
Rootsy may share personal information where required by law, court order, regulatory requirement, or government request. Rootsy may also share personal information where necessary to prevent fraud, criminal activity, or harm, or where required to cooperate with product safety recalls or investigations.
Rootsy may also disclose personal information to payment processors, logistics providers, or intellectual property rights holders where disclosure is necessary in connection with fraud, unsafe products, intellectual property infringement, or other enforcement action.
Business Transactions
In connection with a merger, acquisition, corporate restructuring, sale of assets, or financing, personal information may be transferred as part of the transaction, subject to appropriate confidentiality protections.
Rootsy does not sell or rent personal information for money, and does not trade personal information for advertising value. Rootsy does not share personal information with advertisers for the purpose of targeted advertising based on personal profiles.
7. THIRD-PARTY SERVICE PROVIDERS
Rootsy uses service providers to operate the Platform. Each provider processes personal information on Rootsy’s behalf and in accordance with contractual data processing requirements. Some providers process data in the United States or other countries outside Canada.
Stripe
Purpose: Payment processing, seller payouts, and fraud prevention.
Data Processed: Payment card data, PCI-DSS compliant payment information, bank account details, transaction records, and identity verification results.
Location: United States.
Resend
Purpose: Transactional and marketing email delivery.
Data Processed: Email address, name, email content, and open/click tracking data.
Location: United States.
Twilio
Purpose: SMS and communication services, including OTP and notifications.
Data Processed: Phone number and SMS message content.
Location: United States.
Freshdesk or Equivalent
Purpose: Customer support, ticketing, and helpdesk management.
Data Processed: Support ticket content, order details, contact information, and communications.
Location: United States.
Analytics Provider, such as Google Analytics
Purpose: Website and platform analytics and performance monitoring.
Data Processed: Device data, browsing behavior, session data, and IP address where anonymized.
Location: United States.
Logistics Providers and Carriers
Purpose: Shipping coordination, tracking, label generation, and delivery.
Data Processed: Buyer name, shipping address, order details, tracking events, and delivery confirmation.
Location: Canada and United States.
Fraud Prevention Provider
Purpose: Risk scoring, bot detection, and account protection.
Data Processed: IP address, device data, behavioral signals, and transaction patterns.
Location: United States or Canada.
Email Marketing Provider, such as Klaviyo or Mailchimp
Purpose: Marketing and promotional email campaigns, audience segmentation, and campaign performance tracking.
Data Processed: Email address, name, marketing consent status, purchase history, and open/click tracking data.
Location: United States.
Rootsy may add, remove, or replace service providers at any time. Material changes to providers who handle personal information will be reflected in an updated version of this Policy. Each provider’s privacy practices are governed by their own privacy policies. Links are available on request.
When personal information is transferred to service providers outside Canada, it may be subject to the laws of the country where it is processed, including lawful access by courts, regulators, law enforcement, or government authorities.
Rootsy uses contractual, technical, and organizational safeguards appropriate to the nature of the information and the service provider.
8. NO SALE OF PERSONAL INFORMATION
Rootsy does not sell, rent, or trade your personal information to third parties for their own commercial purposes. This applies to buyers, sellers, and all users of the Platform.
9. MARKETING, CASL COMPLIANCE, AND COMMUNICATIONS
Rootsy may send commercial electronic messages, including promotional emails, newsletters, platform updates, and seller campaign communications, only where you have provided express or implied consent as required under CASL.
9.1 Express Consent
Express consent is obtained through a clear, unchecked opt-in at account registration or another designated consent mechanism. The consent request will describe what types of commercial messages you will receive.
9.2 Implied Consent
Where you have made a purchase through the Platform, implied consent to receive commercial messages may exist for a period of 2 years from the date of your most recent transaction, as permitted under CASL. Implied consent does not extend beyond this period without your express consent.
Seller CASL Obligations
Sellers who obtain buyer contact information through the Platform may only send commercial electronic messages to buyers where a valid CASL basis exists. Implied consent arising from a buyer transaction expires 2 years from the date of the most recent transaction. Sellers must maintain documented consent records and must not use Rootsy-obtained buyer information to send commercial messages without a valid legal basis.
9.3 Required Elements in Commercial Messages
Every commercial electronic message sent by Rootsy will include:
- Identification of Rootsy as the sender
- Rootsy’s mailing address or web address
- A clearly displayed, functional unsubscribe mechanism
9.4 Unsubscribe
You may unsubscribe from marketing and promotional emails at any time by:
- Clicking the unsubscribe link in any commercial electronic message
- Contacting us at contact@rootsy.ca
All unsubscribe requests are processed within 10 business days as required under CASL.
Unsubscribing from marketing communications does not affect transactional and operational messages, which we may continue to send in connection with your orders, account, shipping, refunds, disputes, security, legal notices, or support.
9.5 Consent Records
Rootsy maintains records of marketing consent, including consent type, consent date, and consent source, for the period required under CASL.
Sellers may not use buyer information obtained through Rootsy to send their own commercial electronic messages without a valid independent CASL basis.
10. COOKIES AND SIMILAR TECHNOLOGIES
10.1 What Cookies Are
Cookies are small text files placed on your device, browser, or application when you visit the Platform.
Rootsy also uses similar technologies including pixels, web beacons, tracking URLs, local storage, session storage, device identifiers, analytics scripts, security scripts, and consent-management tools.
For simplicity, this section refers to all of these as “cookies.”
Cookies help Rootsy recognize your browser or device, keep you logged in, remember preferences, operate the shopping cart and checkout, protect account security, prevent fraud, understand how users interact with the Platform, and support marketing where permitted.
10.2 Cookies We Use — Categories and Purposes
Strictly Necessary Cookies
Purpose: Required for the Platform to function, including login, authentication, cart, checkout, payment flow, fraud prevention, and consent storage.
Examples: Session tokens, cart identifiers, security cookies, and consent preference storage.
Can You Opt Out? No. These cookies are required for Platform operation.
Security and Fraud Prevention Cookies
Purpose: Used to detect and prevent fraud, account takeover, bot activity, payment abuse, and suspicious behavior.
Examples: Risk scoring tools, bot detection scripts, login security cookies, and device fingerprinting.
Can You Opt Out? No. These cookies are required for Platform security.
Functional Cookies
Purpose: Used to remember user preferences, including language, region, display settings, recently viewed products, delivery location, and seller dashboard preferences.
Examples: Preference cookies and recently viewed product cookies.
Can You Opt Out? Yes. Opting out may affect convenience features.
Analytics and Performance Cookies
Purpose: Used to understand Platform usage, diagnose errors, measure performance, and improve features, including through tools such as Google Analytics.
Examples: Page view tracking, session duration, error logging, and checkout flow analytics.
Can You Opt Out? Yes. These cookies may be managed through cookie preferences.
Marketing and Advertising Cookies
Purpose: Used to measure campaign effectiveness, retargeting, and promotional performance where consent is provided.
Examples: Advertising pixels, campaign tracking, and referral source tracking.
Can You Opt Out? Yes. These cookies may be managed through cookie preferences.
Personalization Cookies
Purpose: Used to display relevant product recommendations, promotions, and content based on browsing and purchase history.
Examples: Browsing history cookies and recommendation engine identifiers.
Can You Opt Out? Yes. These cookies may be managed through cookie preferences.
Consent Management Cookies
Purpose: Used to store your cookie consent choices and prevent repeated prompts.
Examples: Consent banner preference cookie and consent timestamp.
Can You Opt Out? No. These cookies are required to remember your choices.
10.3 Cookie Consent
Where required by applicable law, Rootsy will request consent before setting non-essential cookies.
Strictly necessary and security cookies may be used without consent because they are required to operate the Platform and provide services you have requested.
You may manage your cookie preferences using Rootsy’s cookie preference tool where available, or through your browser or device settings.
10.4 Browser and Device Controls
Most browsers allow you to view, block, delete, and manage cookies.
Mobile devices allow you to reset advertising identifiers, limit ad tracking, manage app permissions, and control location permissions.
Disabling cookies may affect Platform functionality including login, shopping cart, checkout, seller dashboard, shipping calculations, fraud prevention, and account security.
Rootsy is not responsible for Platform issues caused by your browser or device privacy settings.
10.5 Effect of Disabling Cookies
If you disable or block cookies, some parts of the Platform may not function properly, including:
- Account login
- Cart retention
- Checkout
- Payment processing
- Seller dashboard access
- Fraud prevention
- Account security
Unsubscribing from marketing emails does not disable website cookies. Website cookies must be managed separately through your cookie preferences or browser settings.
11. SECURITY SAFEGUARDS
Rootsy uses reasonable administrative, technical, and organizational safeguards to protect personal information against unauthorized access, use, disclosure, loss, theft, alteration, or misuse.
Safeguards include:
- Access controls
- Encryption in transit and at rest where appropriate
- Secure transmission protocols
- Monitoring and logging
- Authentication mechanisms
- Vendor security requirements
- Security review procedures
Payment card data is processed by Stripe in accordance with PCI-DSS standards. Rootsy does not store full credit card numbers, CVV codes, or payment card security codes on Rootsy-controlled systems.
No method of online transmission or storage is completely secure. Rootsy cannot guarantee absolute security.
You are responsible for protecting your account credentials, password, and device access.
If Rootsy becomes aware of a security breach or confidentiality incident involving your personal information that may create a real risk of significant harm, Rootsy will notify you and the applicable regulator as required by law.
12. DATA RETENTION
Rootsy retains personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, or as required or permitted by law.
Retention periods depend on:
- The purpose of collection
- The type of information
- Legal obligations, including tax record-keeping requirements under the Income Tax Act
- Dispute and chargeback risk periods
- Fraud prevention needs
- Consent-management requirements
- Audit requirements
General retention guidelines:
- Active account information is retained for the duration of your account plus a reasonable post-closure period
- Order, payment, and transaction records are retained for a minimum of 7 years for tax and accounting purposes
- Marketing consent records are retained for the period required under CASL
- Cookie-related analytics records are retained for periods appropriate to their purpose
When personal information is no longer required, Rootsy will delete or anonymize it in accordance with its data disposal procedures.
Note for Sellers
Rootsy’s platform records do not replace sellers’ independent obligations to maintain business, tax, accounting, order, inventory, shipment, and compliance records as required by applicable law.
Certain categories of personal information collected by Rootsy are treated with heightened care, including government-issued identity documents, financial account information, and age verification information.
Rootsy limits the collection of sensitive personal information to what is necessary for the applicable purpose, restricts access to authorized personnel and systems, and applies additional security controls proportionate to the sensitivity of the information.
Rootsy may use de-identified or aggregated information, from which all personal identifiers have been removed, for analytics, platform improvement, research, and business reporting purposes.
De-identified information is not personal information and is not subject to this Policy. Rootsy will not attempt to re-identify de-identified information and will require by contract that any service provider receiving de-identified information refrain from doing so as well.
Rootsy uses automated processing in connection with certain Platform functions, including fraud detection and prevention, seller performance monitoring, and product recommendation personalization.
These processes may involve the automated analysis of personal information to assess risk, evaluate account health, or deliver personalized content.
Where a decision is made exclusively by automated means and produces legal or similarly significant effects on you, you may, to the extent required by applicable privacy law, request that the decision be reviewed by a person with the authority to modify it.
To make such a request, contact our Privacy Officer at contact@rootsy.ca.
13. SELLER PRIVACY OBLIGATIONS
Sellers who receive personal information about buyers through the Platform act as independent controllers of that information with respect to their own business activities and bear their own independent obligations under applicable privacy law.
Rootsy is not responsible for how sellers handle buyer personal information once it has been shared for transaction purposes.
Sellers who receive buyer personal information through the Platform must:
(a) Use buyer personal information only for the transaction purposes for which it was disclosed, including order fulfilment, shipping, returns, refunds, and dispute resolution, and not for any off-platform marketing, solicitation, or other non-transaction purpose without a valid independent legal basis.
(b) Not add buyer contact information to any mailing list, SMS list, marketing platform, or commercial messaging system without a valid, documented legal basis under applicable law.
(c) Maintain their own privacy policy to the extent required by applicable law governing their business.
(d) Implement reasonable technical and organizational security measures to protect buyer personal information against unauthorized access, use, disclosure, loss, or misuse.
(e) Immediately notify Rootsy’s Privacy Officer at contact@rootsy.ca upon becoming aware of any actual or suspected breach or unauthorized access involving buyer personal information obtained through the Platform.
(f) Maintain documented records of any consent obtained from buyers in connection with commercial or marketing communications, and provide those records to Rootsy upon request.
(g) Not transfer or disclose buyer personal information to third parties except as required for transaction fulfilment or as permitted by applicable law.
(h) Comply with all applicable privacy laws in connection with their handling of buyer personal information received through the Platform.
Rootsy reserves the right to suspend or terminate seller accounts where Rootsy reasonably believes a seller has violated these obligations.
Sellers are solely responsible for any losses, claims, regulatory proceedings, fines, or penalties arising from their own mishandling of buyer personal information.
14. CROSS-BORDER PROCESSING
Rootsy is a Canadian business. Some service providers, including Stripe, Resend, Twilio, Freshdesk, and analytics providers, process personal information in the United States.
When information is processed outside Canada, it may be subject to the laws of the processing country, including lawful access by courts, law enforcement, and government authorities under those laws.
Rootsy uses contractual protections, such as data processing agreements, technical safeguards, and appropriate organizational controls when sharing personal information with service providers outside Canada.
Some of Rootsy’s service providers are companies incorporated or operating in the United States and are subject to U.S. federal and state laws that may permit U.S. government authorities, courts, or law enforcement agencies to compel access to personal information held by those providers, including information about Canadian users, without notice to the affected individual.
By using the Platform, you acknowledge that personal information transferred to U.S.-based service providers may be subject to such access.
Rootsy conducts appropriate due diligence and implements contractual and technical safeguards when engaging U.S.-based service providers, but cannot guarantee that such access will not occur.
15. YOUR RIGHTS AND CHOICES
Subject to applicable law, you have the following rights regarding your personal information:
Access
You may request access to the personal information Rootsy holds about you and how it is used.
Correction
You may request correction of inaccurate, incomplete, or outdated personal information.
Withdrawal of Consent
You may withdraw consent to uses of your personal information where Rootsy relies on consent, subject to legal or contractual restrictions and reasonable notice.
Complaint
You may submit a privacy complaint to Rootsy’s Privacy Officer or, if not resolved, to the Office of the Privacy Commissioner of Canada or another applicable government privacy office.
To exercise these rights, contact our Privacy Officer at contact@rootsy.ca.
Rootsy will respond within a reasonable timeframe as required by applicable law.
Rootsy may require identity verification before processing a request.
Rootsy may decline a request where permitted by law, including where granting access would reveal third-party personal information or where the request would compromise an investigation.
16. CHILDREN AND MINORS
The Platform is intended for users who are at least 18 years old.
Rootsy does not knowingly collect personal information from anyone under 18.
If Rootsy becomes aware that a minor has used the Platform, Rootsy may delete or restrict related information, close the account, cancel orders, and take appropriate action.
For age-restricted products, including alcohol, Rootsy uses age gates, date-of-birth confirmation, and identity verification.
Completion of an age gate does not replace identity verification required at delivery.
17. PRIVACY INCIDENTS AND BREACH NOTIFICATION
Rootsy has a Privacy Incident Response process for managing confidentiality incidents involving personal information.
In the event of a breach or confidentiality incident:
- Rootsy will assess whether the incident creates a real risk of significant harm to affected individuals
- Rootsy will notify affected individuals and report to applicable regulatory authorities where and as required by applicable privacy law
- Rootsy will comply with all applicable timelines for regulatory notification and individual notification as required under applicable privacy law
- Rootsy will maintain records of all privacy incidents, including incidents that do not meet the notification threshold, for a minimum of 2 years or longer if required under applicable law
If you believe that a privacy incident has occurred affecting your personal information, please contact our Privacy Officer immediately at contact@rootsy.ca.
Sellers who become aware of any actual or suspected breach or unauthorized access to buyer personal information obtained through the Platform must notify Rootsy’s Privacy Officer immediately at contact@rootsy.ca.
18. CHANGES TO THIS POLICY
Rootsy may update this Policy from time to time to reflect changes in law, business operations, Platform features, service providers, cookies, analytics tools, security practices, or consent requirements.
Updates take effect when posted on the Platform or otherwise communicated, unless a later effective date is stated.
Where required by applicable privacy law, Rootsy will notify you of material changes and, where required, seek renewed consent.
Continued use of the Platform after updates take effect constitutes acceptance of the updated Policy, to the extent permitted by law.
We recommend reviewing this Policy periodically.
19. CONTACT INFORMATION
For privacy inquiries, access requests, correction requests, consent withdrawal, privacy complaints, or any questions about this Policy, contact:
Rootsy Marketplace Inc.
Privacy Officer: Sameer Hinduja
Email: contact@rootsy.ca
Buyer and Seller Support:
support@rootsy.ca
Mailing Address:
1218 Mineola Gardens
Mississauga, ON
L5G 3Y3

