Privacy Policy | Root Payroll

At Root Payroll ("Root," "we," "us," or "our"), we respect your privacy and are committed to protecting the sensitive financial and personal information you entrust to us. This Privacy Policy outlines how we collect, use, store, and share information when you use our payroll software services (the "Services").

Because we process payroll, we handle some of the most sensitive data in existence—Social Security Numbers, Bank Account Coordinates, and Tax IDs. We treat this responsibility with the highest level of security and care.

1. Information We Collect

We collect information necessary to perform payroll calculations, generate tax filings, and facilitate payments. This includes data about you (the "Employer") and your staff (the "Employees" or "Contractors").

1.1 Information Provided by You

Employer Identity Data: Company legal name, DBA, Employer Identification Number (EIN), business address, and authorized officer details.
Employee/Payee PII: Names, dates of birth, Social Security Numbers (SSNs), home addresses, filing statuses (W-4 data), and wage information.
Financial Data: Bank account routing and account numbers for the business and its employees (for Direct Deposit/ACH generation).
Tax Data: State Unemployment Insurance (SUI) rates, local tax jurisdiction IDs, and prior payroll history.

1.2 Information Collected Automatically

Device & Usage Data: IP address, browser type, and login timestamps. We use this specifically for fraud detection and risk management (e.g., detecting if a payroll is run from a suspicious location).
Cookies: We use session cookies to keep you logged in securely. We do not use third-party advertising cookies to track you across the web.

2. How We Use Your Information

We do not sell your data. We use your data strictly to provide the Services you have requested. Specifically, we use it to:

Calculate Taxes: To determine precise withholding amounts for Federal, State, and Local jurisdictions based on geocoded addresses.
Generate Filings: To populate IRS Forms (941, 940, W-2, 1099) and state equivalents.
Facilitate Payments: To generate NACHA files or EFTPS instructions that allow your bank to move funds to employees and tax agencies.
Risk & Compliance: To verify identities (KYC/KYB), detect potential fraud (e.g., ghost employees), and comply with anti-money laundering (AML) laws.
Billing: To process your subscription fees via our payment processor.

3. How We Share Your Information

We only share your information with third parties when it is necessary to execute a payroll function or required by law. We do not sell data to insurance brokers, lenders, or marketers.

Recipient Category	Reason for Sharing
Government Agencies (IRS, State Depts of Revenue)	We submit tax returns, new hire reports, and W-2s on your behalf as your Reporting Agent.
Banking Partners (e.g., Plaid, Dwolla, ODFIs)	To verify bank account ownership and facilitate ACH money movement instructions.
Physical Mail Processors (e.g., Lob)	If you use our "Mail Checks" feature, we transmit payee name, address, and check amount to print and mail physical checks.
Tax Filing APIs (e.g., VENDOR TBD)	To electronically file year-end forms (W-2/1099) with the SSA and IRS.
Billing Processors (e.g., Stripe)	To process your monthly subscription payments.

4. Data Security (SSN Protection Policy)

We implement bank-grade security measures to protect your data.

4.1 Encryption

All sensitive data (SSNs, Bank Accounts, EINs) is encrypted at rest using AES-256 standards in our database. Data in transit is protected via TLS 1.2+ (HTTPS).

4.2 Access Controls

We enforce strict Role-Based Access Control (RBAC). Employee SSNs are masked in the user interface by default. Only authorized personnel with a specific business need can access unmasked data.

4.3 No System is Impenetrable

While we strive to use commercially acceptable means to protect your Personal Information, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot guarantee its absolute security.

5. Data Retention

Because payroll data is required for tax audits, we retain your information for substantial periods.

Tax Records: We retain payroll logs, tax forms, and transaction history for a minimum of four (4) years after the tax becomes due or is paid, whichever is later, in accordance with IRS record-keeping requirements.
After Termination: If you cancel your subscription, we mark your account as "Inactive" but retain the data to allow you to access historical W-2s or tax forms if audited. We may delete data after the statutory retention period expires.

6. Your Role as Data Controller

IMPORTANT: For the purpose of data privacy laws (such as CCPA or GDPR), the Employer (You) are the "Data Controller" of your employees' data. Root Payroll acts as the "Data Processor."

If your employee requests to delete their data, you must acknowledge that certain data (like W-2 history) cannot be legally deleted due to federal tax retention laws. As the Controller, you are responsible for responding to your employees' privacy requests and informing them that their data is shared with government agencies for tax purposes.

7. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are employing a minor, you represent that you are complying with all applicable child labor laws and are authorized to provide their data for payroll purposes.

8. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the Root Payroll dashboard prior to the change becoming effective. Your continued use of the Service after such changes constitutes your acceptance of the new Privacy Policy.

9. Contact Us

If you have questions about this Privacy Policy or our security practices, please contact our Data Privacy Officer at:

Root Payroll
Attn: Privacy Team
Email: privacy@rootpayroll.com