Privacy Policy
Last updated: May 15, 2026
1. Who we are
Roost ("we," "us," "our") is a virtual pet platform where real-world activities feed digital creatures. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website, mobile application, API, and related services (collectively, the "Service").
By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.
2. Data we collect
2.1 Account data
When you create an account we collect:
- Email address
- Password (stored as a one-way bcrypt hash; never in plain text) — or OAuth token if you sign in via Google
- Optional display name, avatar URL, and bio
2.2 Integration data
When you connect a third-party service (e.g., GitHub, Google Calendar, Google Fit, Strava, Fitbit, Spotify, Plaid) we store:
- OAuth access and refresh tokens (encrypted at rest using AES-256-GCM)
- Provider account identifiers
- Activity data pulled from the provider (e.g., Google Calendar events, Google Fit workouts and activity metrics, GitHub commits, Strava activities, listening history)
You control what flows in. Every integration has a sync toggle. You can pause or disconnect any provider at any time without losing your account. Multi-type integrations (e.g., Fitbit, Google Fit) also offer per-data-type toggles (workouts yes, sleep no).
When you disconnect an integration, we delete the associated OAuth tokens immediately. If you revoke access from the third-party provider's settings (e.g., Google Account permissions), we detect the revocation on our next sync attempt and mark the connection as inactive. At that point the tokens are no longer usable by anyone — the provider has already invalidated them server-side, and the bytes remain encrypted at rest with AES-256-GCM. The encrypted token bytes are fully removed from our database when you disconnect the integration or delete your account.
2.3 Activity & game data
- Activities with structured metadata and derived metrics
- Creature stats (XP, happiness, energy, stage, traits)
- Feed events linking activities to creatures
- Goals, goal entries, streaks
- Tags you create and attach to activities or goals
- Reminders and calendar data
2.4 Journal data
If you use the journal feature, we store the content you submit:
- Text entries: Whatever you type into a journal entry, including titles, body text, and tags.
- File attachments: Files you upload to a journal entry (PDF, Markdown, plain text, or Word). Originals are stored in encrypted blob storage and parsed text is stored alongside the entry. Maximum size and supported types are documented in the journal UI.
- Audio recordings: Audio you record or upload to a journal entry. The audio file is stored in encrypted blob storage and is automatically deleted 30 days after creation; the text transcription is retained with the entry. See §6 for the transcription service providers.
2.5 Browser extension data
If you install the Roost browser extension, we store the clips, highlights, and notes you explicitly save through it. The extension does not silently collect your browsing history — it only stores content you affirmatively send to Roost. Captured clips are stored in the same journal data model described in §2.4.
2.6 Social data
If you use social features, we store friend relationships and their status. Your profile is private by default; you must explicitly opt in to make it public.
2.7 Public sharing surfaces
Roost lets you publish a shared repo — a curated collection of your content — to a public URL that anyone with the link can read without signing in. Only content you explicitly add to a shared repo becomes public; nothing is shared by default. You can unpublish a shared repo at any time, which removes the public URL and revokes read access. Note that public content that was visible while the URL was live may have been cached or copied by third parties outside our control before you unpublished.
2.8 Sensitive data minimization
- Browser history: We store domain-level summaries, not full URLs.
- Financial data: We store aggregates (spending categories, totals), not individual transaction details.
- Chat imports: We classify and tag messages; we do not store full transcripts.
2.9 Automatically collected data
Like most web services, our servers log IP addresses, browser type, operating system, referring URLs, and page-view timestamps. We use this data for security, debugging, and aggregate analytics only.
3. How we use your data
We use your data to:
- Operate the Service — sync activities, compute creature XP, track goals.
- Provide AI-powered features — summarize activities and shape MCP responses (subject to the per-domain, per-integration, and field-level controls described in §4, which you can restrict at any time).
- Send notifications — in-app alerts for evolution events, streaks, and social activity. Email notifications for account-related events such as data exports and calendar invites (you can manage notification preferences in Settings).
- Improve the Service — aggregated, anonymized usage patterns help us understand which features are valuable.
- Prevent abuse — rate limiting, fraud detection, enforcing our Terms of Service.
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third-party data brokers. Ever.
4. AI and MCP access controls
Roost exposes data to AI assistants via the Model Context Protocol (MCP). Access is gated by multiple layers of user control:
- Per-domain AI toggles: You choose which life domains (coding, fitness, finance, wellness, etc.) your AI assistant can query. Disabled domains are completely invisible to AI — it cannot discover or access them.
- Per-integration sync toggles: You control which connected services actively sync data into Roost. Disabling sync keeps the OAuth connection alive but stops new data from entering the system.
- Per-integration AI access toggles: You can allow an integration to sync data into Roost while blocking AI from reading that data.
- Field-level AI blocking: For fine-grained control, you can block specific categories of metadata fields from being visible to AI on a per-integration basis.
All layers default to "enabled," giving you full functionality out of the box, but you can restrict access at any time from the Settings → Privacy & Permissions page. A cascade rule applies: disabling sync for an integration also blocks AI access to that integration's data, regardless of that integration's own AI access toggle.
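As an added illustration of how the four layers and the cascade rule compose (this is not Roost's code), the gate below decides whether an AI request may read an integration, hides disabled domains from discovery entirely, and strips blocked field categories from what is returned. The IntegrationPolicy/PrivacySettings data model, the field names and the sample records are all assumed for the example.

```python
"""Layered AI/MCP read gate with the cascade rule described in section 4.

Added illustration, not Roost's code: the IntegrationPolicy/PrivacySettings
data model, the field categories and the sample records are all assumed.
"""
from dataclasses import dataclass, field


@dataclass
class IntegrationPolicy:
    provider: str
    domain: str                      # life domain the integration feeds, e.g. "fitness"
    sync_enabled: bool = True        # per-integration sync toggle
    ai_enabled: bool = True          # per-integration AI access toggle
    blocked_fields: frozenset = field(default_factory=frozenset)  # field-level AI blocking


@dataclass
class PrivacySettings:
    ai_domains: dict                 # per-domain AI toggle: domain -> bool
    integrations: dict               # provider -> IntegrationPolicy


def ai_may_read(settings: PrivacySettings, provider: str) -> bool:
    """True only when every layer allows AI to read this integration's data."""
    pol = settings.integrations.get(provider)
    if pol is None:
        return False                              # unknown integration: deny
    if not settings.ai_domains.get(pol.domain, False):
        return False                              # domain toggle off: invisible to AI
    if not pol.sync_enabled:
        return False                              # cascade: sync off also blocks AI
    return pol.ai_enabled


def discoverable_domains(settings: PrivacySettings) -> list:
    """Domains an MCP listing call may even name: a disabled domain is not
    discoverable at all, not merely empty."""
    return sorted(d for d, on in settings.ai_domains.items() if on)


def mcp_view(settings: PrivacySettings, records: list) -> list:
    """Filter activity records for an AI request and drop blocked fields."""
    out = []
    for rec in records:
        if not ai_may_read(settings, rec["provider"]):
            continue
        blocked = settings.integrations[rec["provider"]].blocked_fields
        out.append({
            "provider": rec["provider"],
            "fields": {k: v for k, v in rec["fields"].items() if k not in blocked},
        })
    return out


# Constructed sample settings: finance hidden from AI, Strava sync paused
# (so AI is blocked by the cascade even though its AI toggle is still on),
# Fitbit readable but with location metadata blocked.
SETTINGS = PrivacySettings(
    ai_domains={"coding": True, "fitness": True, "finance": False},
    integrations={
        "github": IntegrationPolicy("github", "coding"),
        "strava": IntegrationPolicy("strava", "fitness", sync_enabled=False),
        "fitbit": IntegrationPolicy("fitbit", "fitness", blocked_fields=frozenset({"location"})),
        "plaid": IntegrationPolicy("plaid", "finance"),
    },
)

# Constructed sample records (not real user data).
RECORDS = [
    {"provider": "github", "fields": {"repo": "roost", "commits": 3}},
    {"provider": "strava", "fields": {"sport": "run", "distance_km": 8.2}},
    {"provider": "fitbit", "fields": {"steps": 9100, "location": "home"}},
    {"provider": "plaid", "fields": {"category": "groceries", "total": 84.10}},
]

if __name__ == "__main__":
    print(discoverable_domains(SETTINGS))
    for row in mcp_view(SETTINGS, RECORDS):
        print(row)
```

Note that the gate denies on any missing entry (unknown provider, domain with no toggle recorded): a default-deny evaluation is what keeps a newly added integration from leaking before its toggles exist.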
4b. Google API Services — Limited Use disclosure
Roost's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Roost:
- Only uses Google user data to provide and improve user-facing features that are prominent in Roost's user interface (syncing activities, powering creatures, tracking goals, and generating insights).
- Does not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable laws, or as part of a merger, acquisition, or asset sale with prior notice. Apart from the hosting, database, and error-monitoring processors listed in §6, which act on our instructions, the only third party to which Google user data is deliberately sent is OpenAI, which receives normalized calendar event title strings (e.g., "morning standup") as part of our domain-classification pipeline. OpenAI operates under their API data-usage policy, which prohibits using API inputs to train their models. See §6 for the full processor list.
- Does not use Google user data for serving advertisements.
- Does not allow humans to read Google user data unless you have given affirmative consent, it is necessary for security purposes, or it is required by law.
5. Legal bases for processing (GDPR & UK GDPR)
If you are in the European Economic Area (EEA) or the United Kingdom, we process your data under:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — syncing activities, computing creature stats, tracking goals.
- Consent (Art. 6(1)(a)): Optional integrations you choose to connect; marketing emails (opt-in only).
- Legitimate interest (Art. 6(1)(f)): AI/MCP data access as part of the core Service functionality (you can restrict this at any time via per-domain, per-integration, and field-level controls in Settings); security logging; abuse prevention; aggregated analytics to improve the Service.
You may withdraw consent at any time by adjusting your settings or contacting us.
6. Who we share data with
We share data with a small number of named service providers (processors) for specific named purposes, listed below. None of these processors use your data for advertising, and none use API inputs to train their own models. We do not sell, rent, share, or trade your personal data to any data broker or advertiser.
- Third-party integration providers: Only to the extent required by the OAuth flow (e.g., exchanging tokens). We do not send your Roost data back to providers.
- Hosting and database (Vercel, Neon / managed PostgreSQL): Application code runs on Vercel and your data is stored in a managed PostgreSQL database. These processors act on our instructions under data processing agreements.
- File storage (Vercel Blob): Journal file attachments and audio recordings are stored in Vercel Blob. Downloads are gated by our auth-aware proxy — the underlying blob URLs are never returned to clients.
- Domain classification (OpenAI): When you connect a calendar integration (e.g., Google Calendar, Outlook Calendar) and Roost cannot classify an event using local keyword rules, we send the normalized event title (and only the normalized title, not descriptions, attendees, or attachments) to OpenAI's text-embedding-3-small embeddings API to find the nearest matching life domain. OpenAI's API data-usage policy prohibits using API inputs to train their models.
- Audio transcription (Groq; OpenAI Whisper as fallback): If you record or upload audio to a journal entry, the audio buffer is sent to Groq's Whisper-compatible transcription API to produce a text transcript. If Groq is unavailable (rate limit or server error), the request falls back to OpenAI's Whisper API. Neither provider uses API inputs to train their models.
- Error monitoring (Sentry): When the Service throws an unhandled exception, we send the stack trace and request metadata to Sentry for triage. We strip Authorization and Cookie headers before sending, but other payload data, including event titles, journal text, or activity data, may incidentally appear in stack traces or captured local variables. Roost does not attach user identifiers (user ID, email, session token) to Sentry events, so events are pseudonymous and cannot be looked up by user; they age out according to Sentry's independent retention schedule (typically 90 days). These traces are used only for debugging and are not used for any other purpose.
- AI assistants via MCP / API (your choice): Roost exposes data to AI assistants you connect via the Model Context Protocol or our REST API. Which assistant receives the data is entirely your choice; we do not pre-select a model provider. You control what each assistant can read through the per-domain, per-integration, per-AI-access, and field-level toggles described in §4. Data only leaves Roost in response to a request the assistant makes on your behalf.
- Email delivery: Transactional email (data exports, calendar invites, account events) is delivered through a third-party email provider acting on our instructions.
- Public shared repos (your choice): If you publish a shared repo under §2.7, the content you placed in that repo becomes readable by anyone with the URL until you unpublish it.
- Law enforcement: Only when legally compelled by valid legal process.
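The error-monitoring entry above describes a pre-send scrub: credential headers are removed, no user identity is attached, but application content can still ride along in captured variables. The following added example (not Roost's code) shows such a scrubber. It is shaped for sentry_sdk's before_send option, which takes (event, hint) and returns the event or None, but it is run here on a constructed event dict so it needs no Sentry project. Only Authorization and Cookie are named in the policy; the additional header names, the cookie-jar handling and the frame-variable redaction are assumptions about what a careful scrubber should also do.

```python
"""Scrub an error event before it is sent to an error-monitoring service.

Added example, not Roost's code. Shaped for sentry_sdk's before_send option
(before_send(event, hint) returns the event or None), run here on a
constructed event so it needs no Sentry project. Only Authorization and Cookie
are named in the policy; the other header names and the frame-variable
redaction are assumptions.
"""
import copy

DROP_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization", "x-api-key"}
FILTERED = "[Filtered]"


def _frames(event):
    """Yield every stack frame dict in the event's exception values."""
    for exc in (event.get("exception") or {}).get("values") or []:
        for frame in (exc.get("stacktrace") or {}).get("frames") or []:
            yield frame


def scrub_event(event, hint=None):
    """Drop credential headers and user identity, and redact the removed secret
    values anywhere they reappear as captured local variables. Ordinary content
    (event titles, journal text) is left alone: that is exactly the residual
    exposure the policy warns about."""
    ev = copy.deepcopy(event)                 # never mutate the caller's event
    req = ev.get("request") or {}
    headers = req.get("headers") or {}
    secrets = set()
    kept = {}
    for name, value in headers.items():
        if name.lower() in DROP_HEADERS:
            secrets.add(value)                # remember it so we can redact copies
        else:
            kept[name] = value
    req["headers"] = kept
    # Some SDK integrations attach a parsed cookie jar separately from the header.
    secrets.update(str(v) for v in (req.get("cookies") or {}).values())
    req.pop("cookies", None)
    ev["request"] = req
    ev.pop("user", None)                      # no user id / email / session on the event
    for frame in _frames(ev):
        vars_ = frame.get("vars") or {}
        for k, v in vars_.items():
            if isinstance(v, str) and (v in secrets or k.lower() in DROP_HEADERS):
                vars_[k] = FILTERED
    return ev


# Constructed sample event (no real request, user or data).
SAMPLE_EVENT = {
    "event_id": "constructed-0001",
    "request": {
        "url": "https://example.invalid/api/sync",
        "headers": {
            "Authorization": "Bearer tok_abc123",
            "Cookie": "session=sess_xyz",
            "User-Agent": "Mozilla/5.0",
        },
        "cookies": {"session": "sess_xyz"},
    },
    "user": {"id": "u_42", "email": "person@example.invalid"},
    "exception": {"values": [{
        "type": "KeyError",
        "stacktrace": {"frames": [{
            "function": "classify_event",
            "vars": {"auth": "Bearer tok_abc123", "sid": "sess_xyz", "title": "morning standup"},
        }]},
    }]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(scrub_event(SAMPLE_EVENT), indent=2))
```

In the sample, the bearer token and session id are redacted both from the headers and from the frame locals where the code had copied them, while the calendar title "morning standup" survives in the frame: header stripping alone does not make the event content-free, which is why the policy lists event titles and journal text as things that may still reach the monitoring provider.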
7. Data retention
- Structured activity data: Retained indefinitely while your account is active, unless you delete it.
- Engagement events: Retained for 90 days, then automatically deleted.
- OAuth tokens: Retained while the integration is connected. Revoked and deleted when you disconnect.
- Account data: Retained until you delete your account. Upon deletion, personal data is purged promptly, except where retention is required by law.
- Server logs: Retained for up to 90 days for security and debugging.
8. Your rights
8.1 Rights under GDPR & UK GDPR
If you are in the EEA or UK, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting prior processing (Art. 7(3))
- Lodge a complaint with your local supervisory authority
8.2 Rights under the California Consumer Privacy Act (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of sale or sharing — we do not sell or share your personal information as defined by the CCPA, so there is nothing to opt out of
- Non-discrimination — we will not penalize you for exercising your rights
- Correct inaccurate personal information
- Limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond what is necessary to provide the Service
8.3 Rights under other US state privacy laws
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of targeted advertising (which we do not engage in). We honor all such requests.
8.4 How to exercise your rights
Submit data export or deletion requests directly at /data-privacy or email us at jarzucker@gmail.com. We will respond within 30 days (or sooner where required by law). We may ask you to verify your identity before processing a request.
9. International data transfers
Roost is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other lawful transfer mechanisms to safeguard your data.
10. Security
We protect your data through:
- AES-256-GCM encryption of OAuth tokens at rest
- Bcrypt hashing of passwords (never stored in plain text)
- HTTPS/TLS for all data in transit
- Scoped API keys for MCP access
- Cascading deletes — when you delete your account, all related data in our database and file storage is removed. Pseudonymous error events at our monitoring provider (Sentry) age out per their independent retention schedule and are not tied to your user identity.
- Granular privacy controls that limit data exposure at every layer
No system is 100% secure. If we discover a breach affecting your personal data, we will notify you and any applicable regulatory authority within the timeframes required by law.
11. Children's privacy
Roost is not directed at children under 16 (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Cookies and similar technologies
We use strictly necessary cookies for authentication (session tokens). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because our cookies are strictly necessary for the Service to function, they do not require consent under the ePrivacy Directive.
13. Do Not Track
We honor Do Not Track (DNT) browser signals. Since we do not track users across third-party websites or serve targeted advertising, our practices already align with DNT principles.
14. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
15. Contact us
If you have questions about this Privacy Policy or want to exercise your data rights:
- Email: jarzucker@gmail.com
For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.