This Privacy Policy explains what personal data we collect when you use Roam, how we use it, who we share it with, and the rights you have over it. If you have any questions, contact us at [email protected].
Roam (the "app") is operated by Luboš Dušek ("we", "us", "our"), based in the United Kingdom.
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we are the data controller for the personal data described in this policy.
We collect only the data necessary to provide Roam and improve your experience.
Roam uses Sign in with Apple as its only authentication method. When you sign in, Apple provides us with:
| Data | When we receive it | Why |
|---|---|---|
| A stable Apple user identifier unique to you and to Roam | Every sign-in | To recognise you across sessions and devices |
| Your email address (real or Apple's "Hide My Email" relay) | First sign-in only | To contact you about your account, service notices, and (with consent) marketing |
| Your name | First sign-in only, if you choose to share it | Displayed as your username in-app; can be changed later |
If you choose "Hide My Email", Apple gives us a relay address like [email protected]. Emails we send are forwarded to your real inbox via Apple. We never see your real email in that case.
As you use the app, we store:
For transparency, Roam does not collect:
We never see your payment details. All in-app purchases are processed by Apple. We receive only a confirmation that a purchase succeeded, along with the product identifier and transaction ID; we never receive your card number, expiry, or billing address. Refund requests are handled by Apple directly at reportaproblem.apple.com.
Apple's built-in crash reporting may send anonymised crash logs to us via App Store Connect if you have enabled "Share With App Developers" in your iOS Settings → Privacy & Security → Analytics & Improvements. You can opt out at any time in that same setting. We use these reports solely to diagnose and fix bugs.
We use your data to:
If you are in the European Union, the United Kingdom, or another jurisdiction covered by similar laws, we rely on the following legal bases under Article 6 of the GDPR:
| Processing activity | Legal basis |
|---|---|
| Creating and maintaining your account, authenticating you, providing the app's features | Contract (Article 6(1)(b)) |
| Processing in-app purchases and subscriptions | Contract (Article 6(1)(b)) |
| Storing purchase records for tax and accounting | Legal obligation (Article 6(1)(c)) |
| Fraud prevention, service security, preventing abuse | Legitimate interest (Article 6(1)(f)) |
| Sending marketing emails | Consent (Article 6(1)(a)); you can withdraw at any time |
| Sending service notices about your account | Contract (Article 6(1)(b)) |
We share your data only with the third parties necessary to operate Roam. We do not sell your personal data to anyone, and we do not share it with advertising networks.
| Third party | What they process | Where |
|---|---|---|
| Apple Inc. | App distribution, Sign in with Apple, in-app purchases, App Store Connect analytics | Global |
| Anthropic PBC (Claude API) | The contents of your itinerary generation request: city, dates, preferences, interests, and optional hotel address. Used solely to generate the itinerary, then discarded by Anthropic per its data retention policy. | United States |
| Supabase Inc. | Our primary database and authentication backend. Stores your account data, trip history, purchase history, subscription status, and profile picture. | United Kingdom |
| Open-Meteo | Weather forecasts for trip destinations. We do not send any personal data, only the destination city name. | European Union |
When you share a trip with another user via a share code or invite them to collaborate, they will see the trip contents and (for collaborators) the username of the person who originally created it. Only share trips containing personal information with people you trust.
We may disclose your data if required to do so by law (for example, in response to a court order or lawful request from a government authority), or where we believe in good faith that disclosure is necessary to protect our legal rights, the safety of users, or the integrity of the service.
Some of our service providers are based outside your country of residence. Specifically, Anthropic is based in the United States. When we transfer your data to providers outside the European Economic Area (EEA) or the United Kingdom, we rely on Standard Contractual Clauses adopted by the European Commission to ensure your data receives an equivalent level of protection.
Supabase stores data in the United Kingdom. If this is inside the EEA, no international transfer is required for core account storage.
| Data | Retention period |
|---|---|
| Account data (Apple user ID, email, name, profile picture, preferences) | Until you delete your account |
| Trips and itineraries | Until you delete them, or until you delete your account |
| Purchase history and subscription records | 7 years after the transaction (required for tax and accounting) |
| Marketing consent records | Until you withdraw consent or delete your account |
| Crash reports and diagnostic data | 90 days |
| Backups | Removed within 30 days after account deletion |
When you delete your account (via Profile → Settings → Delete account → Delete account & data, or by emailing us), we remove your account data from our active systems immediately. Backups containing residual data are overwritten within 30 days. Purchase records are kept for legal accounting purposes.
We take reasonable measures to protect your data, including:
No system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the appropriate authorities as required by law (within 72 hours under GDPR).
You have the following rights over your personal data:
To exercise any of these rights, email us at [email protected]. We will respond within 30 days (or earlier if required by applicable law).
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
To exercise your California rights, email [email protected].
Regardless of where you live, you can:
Roam is not intended for children under 13 years old (or the equivalent minimum age in your country, 16 in some EU countries). We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.
If you opt in during sign-up or via Profile → Settings → Email updates, we may send you occasional emails about new features, travel tips, and special offers. You can unsubscribe at any time by:
Unsubscribing from marketing emails does not affect essential service communications (such as purchase receipts or account notifications), which we send based on our contract with you.
We may update this Privacy Policy from time to time. When we make material changes that affect how we handle your personal data, we will notify you (for example, by email or through an in-app notice) and update the "Last updated" date at the top of this document.
We recommend reviewing this policy periodically to stay informed about our data practices.
If you have any questions, concerns, or requests about this Privacy Policy or your personal data, please contact us:
If you are in the EEA/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (see section 9.1).