This Privacy Policy explains how Rooted and Routed Podcast ("we", "our", "us") collects, uses, discloses, stores, and protects your personal data when you visit rootedandrouted.com or interact with our services. We comply with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules").
1. Who we are (Data Fiduciary)
Under the DPDPA, we are the "Data Fiduciary" — the entity that determines the purpose and means of processing your personal data. The podcast is hosted and operated by Sabiya Pathan Withoeck, India. You can reach us at info@rootedandrouted.com.
2. What personal data we collect
We collect only the minimum data necessary to operate the site:
- Contact form data — name, email address, message subject, and the content of any message you send via our Contact page.
- Newsletter sign-up — your email address, if you choose to subscribe.
- Technical data — your IP address, browser type, device type, referrer URL, and pages visited. Collected automatically by our hosting provider and analytics for security and aggregate traffic measurement.
- Cookies and similar technologies — limited to essential cookies for site functionality. We do not use third-party advertising or behavioural tracking cookies.
We do not knowingly collect any "sensitive personal data or information" as defined in Rule 3 of the SPDI Rules — no financial information, health information, biometric data, sexual orientation, or political opinions. Do not submit such data via the contact form.
3. Why we collect it (Purposes of processing)
- To respond to enquiries you send via the contact form.
- To deliver our newsletter, if you have subscribed.
- To maintain site security, prevent abuse, and detect fraud.
- To measure aggregate site usage and improve content.
- To comply with legal obligations under Indian law.
4. Legal basis (Consent)
Under Section 6 of the DPDPA, our primary legal basis for processing your personal data is your free, specific, informed, unconditional, and unambiguous consent, given when you fill in the contact form, subscribe to the newsletter, or otherwise voluntarily provide your information. You may withdraw consent at any time by emailing us — see Section 9 below.
For limited security and analytics purposes, we may rely on "legitimate uses" under Section 7 of the DPDPA (e.g. responding to a query you have initiated, ensuring the site is secure).
5. Who we share data with (Data Processors)
We share limited personal data with the following third-party service providers, each of whom acts as a Data Processor on our behalf:
- Vercel Inc. (USA) — site hosting and content delivery.
- Sanity.io (Norway) — content management system; stores editorial content and the error log only.
- Email services — when you email us, your message is delivered via standard email infrastructure.
Each provider is contractually required to process personal data only on our instructions and to maintain reasonable security safeguards consistent with Rule 8 of the SPDI Rules and Section 8 of the DPDPA.
Embedded third-party media — YouTube videos, Spotify and Apple Podcasts players — may set their own cookies and process limited data when you choose to play them. Please review each platform's privacy policy directly: YouTube/Google, Spotify, Apple.
6. Cross-border transfer of personal data
Because our hosting and CMS providers operate servers outside India, your personal data may be transferred to and stored in countries that may not have data protection laws equivalent to India's. Under Section 16 of the DPDPA, the Central Government may restrict transfers to specific countries; we will comply with any such notifications issued from time to time. By using our site you acknowledge that your personal data may be processed outside India for the limited purposes set out in Section 3.
7. How long we keep it (Data retention)
- Contact form emails — retained for up to 24 months after our last substantive correspondence with you, or until you request deletion.
- Newsletter subscribers — retained until you unsubscribe.
- Technical / log data — retained for up to 12 months.
In line with Section 8(7) of the DPDPA, we erase personal data once the purpose for which it was collected is no longer served, unless retention is required by Indian law.
8. How we protect it (Reasonable Security Practices)
We implement the "reasonable security practices and procedures" required by Section 8(5) of the DPDPA and Rule 8 of the SPDI Rules. These include:
- HTTPS / TLS encryption for all site traffic.
- HSTS, Content-Security-Policy, X-Frame-Options, and other modern HTTP security headers.
- Rate limiting on API endpoints to prevent abuse.
- Restricted, role-based access to the content management system.
- Regular software updates and dependency security audits.
- Error and access logging for incident investigation.
9. Your rights as a Data Principal
Under Chapter III of the DPDPA, you have the following rights:
- Right to information — to know what personal data we hold about you and how we process it (Section 11).
- Right to correction and erasure — to request correction, completion, updating, or erasure of your personal data (Section 12).
- Right to grievance redressal — to raise complaints about how we handle your data (Section 13).
- Right to nominate — to nominate another individual to exercise your rights in the event of your death or incapacity (Section 14).
- Right to withdraw consent — at any time, as easily as you gave it (Section 6(4)).
To exercise any of these rights, email us at info@rootedandrouted.com. We will respond within a reasonable period and no later than the statutory timelines set under the DPDPA.
10. Grievance redressal
Under Section 8(10) of the DPDPA and Rule 5(9) of the SPDI Rules, we have appointed a Grievance Officer to address any concerns you may have about the processing of your personal data.
Grievance Officer: Sabiya Pathan Withoeck
Email: info@rootedandrouted.com
Response time: We aim to acknowledge complaints within 7 working days and resolve them within 30 days, in line with Rule 5(9) of the SPDI Rules.
If your complaint is not satisfactorily resolved, you may approach the Data Protection Board of India once it is operational under Chapter V of the DPDPA.
11. Children's data
In line with Section 9 of the DPDPA, we do not knowingly collect personal data from children under the age of 18 years without the verifiable consent of a parent or lawful guardian. We do not engage in tracking, behavioural monitoring of, or targeted advertising directed at children. If you believe we may have collected such data inadvertently, please contact us and we will delete it promptly.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our services. The "Last updated" date at the top will always indicate the current version. Material changes will be highlighted on the site for at least 30 days.
13. Contact
Questions about this Privacy Policy can be sent to info@rootedandrouted.com.