1. Introduction
Roomsy ("the App," "we," "us," or "our") is a mobile application developed by Nikolas Ayala, an independent developer based in New Jersey. This Privacy Policy explains how we collect, use, and protect your personal information when you use Roomsy. By using the App you agree to the practices described here. The App is intended for users located in the United States.
2. Information We Collect
We collect the following categories of information:
- Account information: name, email address, gender identity, budget range, and housing preferences you provide at registration. If you create an account with an email and password, we send you a verification email to confirm your email address before you can access the App.
- Profile content: profile photos you upload and any "About Me" text you write.
- Location and housing listing data (manually entered): users may enter any location text in their profile or listing, including a full address, city/state, neighborhood, or other free-text location. Homeowners and apartment dwellers may enter listing location and housing details (including rent amount, rent contribution amount, expense split type, and current lease term). Users looking for a place may enter a preferred move location and ideal lease term. We use this information to enable profile display and matching. We do not access your device's GPS or precise location at any time.
- Messages: the content of messages you send to your matches. We do not sell or share message content. Messages are private between matched users during normal operation, but may be reviewed by us in response to reports of abuse, safety concerns, or legal process.
- Device identifier: a device-based identifier provided by platform services (such as Apple's identifierForVendor or an equivalent on Android), which we hash using SHA-256 before storage. We use this hashed identifier to prevent banned users from re-registering and to enforce one account per device. We do not store your advertising identifier (IDFA or Google Advertising ID); advertising identifiers are accessed directly by Google AdMob for advertising purposes as described below and are not retained by us.
- Push notification token: a Firebase Cloud Messaging (FCM) token used solely to deliver push notifications (new matches, messages, likes) to your device.
- Usage data: swipe history and match records stored to power the matching experience. These are not sold or used for profiling outside the App.
- Analytics data: Firebase Analytics automatically collects app usage data such as session duration, screen views, device type, OS version, and approximate geographic region (country/city level). This data does not include personally identifiable information and is used solely to improve the App.
- Advertising identifiers: Your device's advertising identifier (IDFA on iOS; Google Advertising ID on Android) and related device signals (such as IP address and app activity) may be collected by Google AdMob directly from your device to serve and measure advertisements. We do not store advertising identifiers on our servers. You may reset or limit ad tracking through your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads).
- Post-deletion archive: a limited set of account fields is retained for 7 days after you delete your account for legal and fraud-investigation purposes. See Section 12 for details on what is retained, how long it is kept, and how to request its deletion.
3. How We Use Your Information
- To create and manage your account.
- To show you compatible roommate profiles based on your stated location and preferences.
- To display user-submitted listing and housing profile fields (including location text, rent fields, expense split type, and lease terms) to other users for matching purposes.
- To enable real-time chat between matched users.
- To send push notifications about activity in the App.
- To verify your identity and enforce our ban policy.
- To serve advertisements via Google AdMob.
- To analyze app usage and improve the App via Firebase Analytics.
- To improve and troubleshoot the App.
4. Profile Visibility and Matching Display
Profile information that a user enters in the App's profile editing flow is visible to other users both before and after a match. This includes profile text and housing-related fields such as rent amount, rent contribution amount, expense split type, current or ideal lease terms, and listing or move location text exactly as entered by the user. We do not normalize or restrict location text input.
Certain preference or filtering settings used to control who a user sees while swiping are used internally for matching and are not displayed to other users.
5. Data Storage
Your profile data, match records, swipe history, and messages are stored in Firebase Firestore (Google LLC). Your profile images are stored in Firebase Storage (Google LLC). These services are governed by Google's privacy policy.
6. Security
We use reasonable administrative, technical, and organizational safeguards designed to protect personal information, including access controls, authentication protections, and limiting access to information on a need-to-know basis. No method of transmission or storage is completely secure, but we take steps intended to reduce the risk of unauthorized access, alteration, or disclosure.
7. Law Enforcement and Legal Process
Roomsy may disclose personal information when required to do so by law or legal process, including valid subpoenas, court orders, warrants, or other lawful requests from government or law enforcement authorities. We may also disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect our rights, property, or safety; (c) protect users or the public; or (d) investigate, prevent, or address suspected fraud, abuse, or illegal activity. See Section 12 for how legal process affects data retention.
8. Data Breach Notification Compliance
If we become aware of a data breach involving personal information, Roomsy will provide notice to affected individuals and, where required, regulators or other authorities, in accordance with applicable data breach notification laws. This includes compliance with U.S. state requirements, including California breach notification laws, and any required timelines under applicable law. We will provide notice without unreasonable delay and include available details about the incident, categories of information involved, and recommended protective steps.
9. Third-Party Services
The App uses the following third-party services, each governed by its own privacy policy:
Google's Privacy Policy: https://policies.google.com/privacy
- Firebase (Google LLC): Authentication, Firestore database, Firebase Storage (profile images), Cloud Functions, Cloud Messaging, and Firebase Analytics. Google acts as our service provider / processor for these services, and Google's privacy policy applies to data processed by Firebase.
- Google AdMob: Advertising SDK. Google AdMob may collect advertising identifiers, device signals, and app activity to serve personalized or non-personalized ads depending on your consent choices. When required by applicable law, we will present an in-app privacy choices prompt before serving ads, allowing you to consent to or decline personalized advertising. You may also change your ad preferences at any time through the in-app privacy controls in our FAQ screen, or through your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads). Google's advertising practices are governed by Google's Privacy Policy.
- Google Play / Apple App Store: App distribution and age-based access enforcement. These platforms apply their own privacy practices independently and may act as independent controllers for platform-level processing.
10. Third-Party Data Handling
Roomsy relies on a limited set of known partners, including Google Firebase, Google AdMob, and related analytics services, to operate the App. These partners process data only as needed to provide their services under their applicable policies and terms. We do not share personal information with unknown or unauthorized third parties. Apple platform services are used subject to Appleās applicable privacy and platform rules.
11. Age Verification
Roomsy is rated 18+ on the Apple App Store and targets users 18 and older on Google Play. We use Google's Play Age Signals API and Apple's Declared Age Range API, where available through platform services, to support age assurance and ineligible-age access prevention. Both platforms independently enforce age-based access controls at the account and device level. Users identified as ineligible based on platform age signals (Play Age Signals API or Apple's Declared Age Range API) won't be able to access the App.
12. Data Retention & Deletion
When you delete your account, we delete your active profile, profile photos, swipe history, match records, and messages from our active systems within 7 days of your deletion request. Residual copies may persist briefly in routine system backups before being overwritten in the normal course of operations.
Post-Deletion Archive. After your active account data is deleted, we retain a limited JSON archive of certain account fields in a separate, access-restricted Firebase Storage bucket for 7 days. After 7 days, the archive is automatically and permanently deleted by a Firebase Storage lifecycle rule. We retain this short-term archive solely to respond to legal claims or legal process that reference a deleted account, and to investigate fraud or abuse if a deleted user's activity is reported to us within that window.
The archive may include the following fields, only if you provided them:
- Your unique account identifier
- Your unique SHA-256 hashed device identifier
- Name and email address
- Free-text content from your "About Me" section
- Age and gender identity
- Lease term and matching type
- Preferred state, current location, and move location (as entered by you)
- Budget range, your contribution, and total rent
- The date your account was deleted
The archive does not include your profile photos, messages, swipe history, or match records. Access to the archive bucket is restricted to the Developer, and the bucket is configured so that no client application or external service can read or write to it.
Ban Enforcement Records. If your account was banned for violating our Terms, we retain the following information in a separate access-restricted collection to prevent re-registration: a SHA-256 hashed device identifier, the email address associated with the banned account, the time of the ban, and the reason for the ban. Ban enforcement records are retained for as long as necessary to enforce the ban and are separate from the 7-day Post-Deletion Archive described above.
Extended Retention in Limited Circumstances. We may retain data longer than the periods described above when necessary for legal, safety, or security purposes:
- Legal preservation and legal process: If we receive a subpoena, court order, preservation letter, law enforcement request, or other legal process before the 7-day archive deletion occurs, we will download and retain data covered by that request for as long as legally required. We may also retain data when reasonably necessary to establish, exercise, or defend legal claims, or to comply with applicable law.
- Active safety investigations: If you are the subject of an open user report, abuse investigation, or safety review at the time of deletion, we may download and retain relevant data from the archive before it is automatically deleted, until the investigation concludes and any resulting enforcement actions are complete.
- DMCA records: We retain records of copyright takedown notices, counter-notices, and related communications as required to maintain our safe harbor protections under 17 U.S.C. § 512.
- Fraud and abuse prevention: We may retain limited records necessary to detect, investigate, and prevent fraudulent activity, scams, or abuse of the App.
Because the automated 7-day deletion runs regardless of legal or investigative needs, any data retained beyond 7 days for the purposes above is downloaded and stored separately before the automated deletion occurs. When a legal, safety, or security reason for extended retention ends, we delete the retained data in accordance with this policy.
Requesting Deletion of Archived Data. You may request deletion of your post-deletion archive or ban enforcement records at any time by emailing reportstonick@gmail.com. We will honor your request unless an exception under applicable law applies — for example, an active legal hold, an open safety investigation, or ongoing ban enforcement. See Section 16 for your full privacy rights.
13. Children's Policy
Roomsy is intended solely for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. Parents or guardians who believe their child has created an account should contact us at reportstonick@gmail.com.
14. Push Notifications
We use Firebase Cloud Messaging to send you push notifications. You can disable notifications at any time through your device's notification settings. Disabling notifications does not affect your ability to use the App.
15. State Privacy Law Notice (NJDPA, Virginia, Colorado, Connecticut, Utah)
Depending on where you live, you may have additional privacy rights under applicable U.S. state privacy laws, including the New Jersey Data Protection Act (NJDPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA). We will honor consumer privacy rights as required by law in your state.
16. Your Rights
You may request access to, correction of, deletion of, or portability of your personal data at any time by emailing us at reportstonick@gmail.com. You may also opt out of targeted advertising, sale, or certain profiling activities as required by law in your state. We will respond within the time required by applicable law and may request information needed to verify your identity before acting on a request. Deletion requests are subject to the retention exceptions described in Section 12, including our 7-day post-deletion archive, ban enforcement records, legal preservation, and active safety investigations.
17. Appeals
If we deny your privacy request, you may appeal by replying to our decision email within 30 days (or the period required by applicable law). We will review and respond within the time required by law in your state. If your appeal is denied, you may contact your state attorney general or other authorized regulator.
18. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights regarding your personal information:
- Right to Know: You may request details about the personal information we collect, use, and disclose.
- Right to Correct: You may request correction of inaccurate personal information that we maintain about you.
- Right to Delete: You may request deletion of your personal information. You can do this directly by deleting your account within the App. Certain data may be retained in our 7-day post-deletion archive or in ban enforcement records as described in Section 12, subject to the exceptions permitted under applicable law.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use and disclosure of sensitive personal information collected about you.
- Right to Opt-Out of Sale or Sharing: We do not sell personal information. We may share certain identifiers with advertising partners, such as Google AdMob, for targeted advertising, as those terms are defined under applicable law. You may opt out of this sharing through our in-app privacy choices.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a CCPA request, contact us at reportstonick@gmail.com.
19. Privacy Choices and Ad Preferences
If you use the App on a device where AdMob state privacy messaging or GDPR consent is applicable, we will present an in-app privacy choices prompt before serving ads. This prompt asks whether you consent to the collection and use of your advertising identifier and related device signals by Google AdMob for the purpose of serving you personalized advertisements. If you decline, ads may still be shown but will not be personalized based on your interests or activity.
You can review or change your ad privacy choices at any time through the FAQ screen in the App. Changes take effect for future ad requests.
20. FTC Compliance
We do not engage in deceptive or unfair data practices. We do not sell personal information. We may share limited identifiers with advertising partners, such as Google AdMob, for targeted advertising where permitted by law and user choice. Advertisements served through Google AdMob are clearly presented as ads. Our data practices are consistent with FTC guidelines and Section 5 of the FTC Act.
21. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, the revised policy will be posted on this page with an updated effective date. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
22. Contact
Questions or concerns? Email reportstonick@gmail.com.