Privacy Policy

Roost is operated by Pete Jenkins, a sole trader based in the United Kingdom. If you have a privacy question, write to hello@getroost.io.

Account data. Your email address (used for sign-in, account recovery, and sharing invites) and, optionally, your display name.

Your content. Whatever you put into Roost — vault items, tasks, notes, lists, routines, and any attachments you upload. This is yours; we store it on your behalf.

Household membership. Which households you belong to and who else is in them, so shared items reach the right people.

Billing data. If you upgrade to Pro, we store your Stripe customer ID and subscription status. We never see or store your card number — Stripe handles that directly. iOS purchases go through Apple and RevenueCat, who tell us only whether you have an active subscription.

Device analytics (iOS app only). The iOS app uses Firebase Analytics to collect anonymous usage data — which screens are visited, session counts, device model, and OS version. This is collected without an advertising identifier (IDFA is disabled). We use this to understand how people use the app, not to profile individuals.

Marketing site analytics. The getroost.io website uses Google Analytics and Microsoft Clarity to measure page traffic and understand how visitors navigate the site. This data is separate from your Roost account and is not linked to it.

Server logs. Standard infrastructure logs (request paths, status codes, error messages, authentication events). We use these to diagnose problems and keep the service running.

We do not train AI on your content. The vault is not a corpus.

We do not sell, rent, or share your personal data with advertisers. Roost has no advertisers.

We do not scan your notes or vault items for marketing signals.

We do not use advertising identifiers. The iOS app is built with withoutAdIdSupport — Firebase Analytics on Roost cannot access your IDFA.

Personal items (iOS app). Vault items, tasks, notes, lists, and routines you keep private are encrypted on your device before they are uploaded. The encryption key lives in the iOS Keychain and never leaves your device. Roost cannot read your personal content — only you can.

Shared and household items. When you share an item with a household, it is encrypted at rest in our database. Row-level security (RLS) policies enforce that only the household members you have added can query that data, at the database layer rather than the application layer.

Web app. The web app uses server-side encryption with the same row-level security policies. Content is encrypted at rest; access is controlled by your authentication token on every request.

In transit. All connections to Roost use HTTPS.

Camera. Used to scan document covers, labels, and handwriting so Roost can pre-fill vault item fields. Only triggered when you tap a scan button — never in the background.

Contacts. Used so you can save a landlord, agent, or emergency contact straight from your phone book. Roost does not upload your contact list to any server.

Notifications. Used to deliver reminders for renewals, tasks, and routines. You can turn these off at any time in iOS Settings.

Personal items are visible only to you. End-to-end encryption on the iOS app means even Roost cannot read them.

Items shared with a household are visible to every current member of that household. If a member leaves, they lose access immediately at the database level.

Items shared with specific people are visible only to the email addresses you choose. You can change the list at any time.

We use a small set of processors to run the service. Each has access only to the data it needs:

• Supabase — database, file storage, and authentication. Data is stored encrypted at rest in the EU.
• Vercel — web application hosting. Sees HTTP requests and responses in transit.
• Stripe — web payment processing. Sees your email address, Pro plan choice, and payment method. The only party that sees your card details.
• Apple — iOS in-app purchases and Sign in with Apple. Tells us only whether you have an active subscription.
• RevenueCat — iOS subscription management. Receives your Supabase user ID and subscription status so the app can check whether you are on Pro. Does not receive your vault content.
• Resend — transactional email (sign-in codes, renewal reminders). Sees your email address and, for renewal emails, the item name and renewal date.
• Firebase (Google) — anonymous usage analytics on the iOS app. Receives device model, OS version, session data, and screen views. No IDFA. No vault content.
• Google Analytics — marketing site traffic (getroost.io only). Not linked to your Roost account.
• Microsoft Clarity — marketing site heatmaps and session replays (getroost.io only). Not linked to your Roost account.

Our database and file storage are hosted in the European Union via Supabase. Some processors (Stripe, Vercel, Apple, Google, Microsoft) operate global networks and may transfer data outside the UK and EU under standard contractual clauses or equivalent protections.

We keep your data for as long as your account is active. Household activity log entries are deleted automatically after 30 days.

When you delete your account, every row you own is removed within minutes. Database backups are rotated and purged within 30 days.

Under UK GDPR you can, at any time:

• Export your data as a JSON file from your profile page (Pro accounts).
• Delete your account and all its content from your profile page. This is immediate and cannot be undone.
• Edit or remove any item — every screen that shows content lets you update or delete it.
• Ask a question or raise a complaint by emailing hello@getroost.io.

If we do not resolve a concern to your satisfaction, you can complain to the Information Commissioner's Office at ico.org.uk.

Roost is not designed for children under 13. We do not knowingly collect data from under-13s. If you believe a child has created an account, email hello@getroost.io and we will delete it.

We will update this page when our privacy practices change. Material changes will be announced inside the app. The effective date at the top of this page reflects the most recent version.