Privacy Policy

This policy explains what personal data Roost collects, how we use it, and the choices you have. We try to keep it short and clear. If anything's unclear, email hello@roostonline.co.uk and we'll explain.

Who runs Roost

Roost is operated by Nathan Imhasly ("we", "us"), based in the United Kingdom. You can contact us any time at hello@roostonline.co.uk.

Data we collect

To make Roost work, we store the following:

• Account info — your email and a hashed password (never the password in plain text).
• Family content — the family name, profiles you create, kanban cards, comments, photos you attach, chat messages, voice notes, calendar events, meals, shopping list items, chores, pocket-money balances and transactions, and contacts you add.
• Subscription state — whether your trial / subscription is active, and an opaque customer ID from RevenueCat (for verifying purchases). We do not see your card details.
• Diagnostic logs — short-lived server logs (request IDs, timestamps, error stacks) used to fix bugs.

Roost does not use third-party analytics, ad networks, or trackers.

What we don't collect

• Location data.
• Contacts on your phone (we only store contacts you type in to Roost yourself).
• Browsing history outside Roost.
• Anything from the camera or microphone unless you explicitly attach a photo or record a voice note inside the app.

How we use it

• To run the app — show your family their boards, sync between devices, deliver notifications.
• To support you — if you email us, we may look at your data to help diagnose a problem.
• To bill you — verify your subscription with Apple's App Store and RevenueCat.

We do not sell your data. We do not advertise inside Roost. We do not share data with third parties except the processors listed below.

Processors we use

Some companies process data on our behalf. We've picked them for security and privacy:

• Supabase — database, authentication, file storage. Hosted in the EU. supabase.com/privacy
• Apple — App Store billing and authentication. apple.com/legal/privacy
• RevenueCat — subscription management. revenuecat.com/privacy
• Resend — transactional email (e.g. weekly recap if you opt in). resend.com/legal/privacy-policy
• Anthropic — when you ask for AI meal ideas, we send your dietary preferences and the meal slot to Anthropic's API. We do not send any names, photos, or other identifying content. anthropic.com/legal/privacy

Your choices and rights

Under UK GDPR you have the right to:

• See your data — email us and we'll send you a copy.
• Correct anything inaccurate.
• Delete your account and everything in it. Email hello@roostonline.co.uk with the subject "Delete my account" and we'll process it within 30 days.
• Export your data (in JSON).
• Object to a particular use.
• Complain to the UK ICO at ico.org.uk.

Children

Roost is intended for family use. Children may have profiles created for them by a parent. The parent who owns the account is responsible for any child data they enter (names, ages, photos). We do not collect data from children directly. If you believe a child has signed up without parental consent, email us and we will delete the account.

Security

Data is encrypted in transit (TLS) and at rest. Passwords are hashed (bcrypt). Photos and voice notes are stored in a private bucket with row-level security — only members of the same family can access them.

Retention

We keep your data while your account is active. If you cancel and don't sign in for 12 months, we'll send a reminder email and then delete your account. You can request immediate deletion at any time.

Changes

If we update this policy materially, we'll email account holders before the change takes effect. Day-to-day clarifications will just appear here with the "Last updated" date refreshed.

Contact

Email hello@roostonline.co.uk.