Privacy Policy
Last Updated: January 11, 2025
1. Introduction
Welcome to Roamates, a product of Ephileo ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application Roamates (the "App"). Please read this privacy policy carefully. By using the App, you agree to the collection and use of information in accordance with this policy.
If you do not agree with the terms of this privacy policy, please do not access the App.
2. Information We Collect
2.1 Personal Information You Provide
When you register for an account or use our App, we may collect the following personal information:
- Name (First and Last): To identify you within the App and display to other users in your groups
- Email Address: For account creation, authentication, password recovery, and account-related communications
- Phone Number (optional): For contact matching to help you find friends on Roamates
- Profile Photo (optional): To personalize your profile and help friends identify you
- Password: For account authentication (stored securely using industry-standard hashing)
2.2 Information from Third-Party Authentication
If you choose to sign in using Google, we receive:
- Google Sign-In: Name, email address, profile picture
We only receive the information you authorize Google to share with us.
2.3 Location Data
With your explicit consent, we collect:
- Precise Location: GPS coordinates (latitude and longitude) for real-time location sharing with friends and groups
- Location Accuracy: Metadata about the precision of your location data
- Timestamp: When your location was last updated
You have full control over location sharing:
- Location sharing is optional and disabled by default
- You can enable/disable location sharing at any time
- You can choose which groups or individuals can see your location
- You can stop sharing your location instantly
2.4 Contacts Data
When you use the friend discovery feature:
- We access your device contacts only with your permission
- Contact emails and phone numbers are hashed using SHA-256 on your device before transmission
- We never store your raw contacts — only cryptographic hashes are sent to our servers
- Hashes are used solely to match you with existing Roamates users
2.5 Financial and Expense Data
When you use expense tracking features, we collect:
- Expense amounts and descriptions
- Currency preferences
- Payment records between users
- Group expense splits and balances
2.6 Device and Technical Information
We automatically collect:
- Device Tokens: For push notification delivery via Firebase Cloud Messaging
- Device Information: Device type, operating system, device name
- Platform: iOS or Android
2.7 Usage Data
We collect information about how you interact with the App:
- Activity logs (expenses created, payments made, group actions)
- Timestamps of actions
- Feature usage patterns
3. How We Use Your Information
We use the information we collect to:
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Contract performance |
| Enable expense tracking and splitting with friends | Contract performance |
| Facilitate location sharing between users | Consent |
| Send push notifications about expenses, payments, and group activities | Legitimate interest |
| Help you find friends who use Roamates | Consent |
| Authenticate your identity and secure your account | Contract performance |
| Prevent fraud and ensure security | Legitimate interest |
| Improve and optimize the App | Legitimate interest |
| Respond to your inquiries and provide support | Contract performance |
4. How We Share Your Information
4.1 With Other Users
Based on your settings and actions, we share:
- Your name and profile photo with group members
- Your location with users you've chosen to share with
- Expense and payment information with relevant group members
4.2 With Service Providers
We use trusted third-party services to operate the App:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase Cloud Messaging | Push notifications | Device tokens, notification content |
| Google Sign-In | Authentication | OAuth tokens |
| Google Maps | Location display and places search | Location coordinates |
4.3 Legal Requirements
We may disclose your information if required to:
- Comply with applicable laws or legal processes
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
4.4 We Do NOT
- Sell your personal information to third parties
- Share your data with advertisers
- Use your data for targeted advertising
- Share your information with data brokers
5. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using bcrypt with industry-standard security
- Authentication tokens use JWT with short expiration times
- Refresh tokens are securely stored and rotated on each use
- Contact data is hashed using SHA-256 before transmission
- Data in transit is encrypted using TLS/HTTPS
- Sensitive data on device is stored in iOS Keychain / Android Secure Storage
6. Data Retention
We retain your information for as long as necessary to provide our services:
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Access tokens | 15 minutes |
| Refresh tokens | 30 days |
| Location data | Until you disable sharing or delete account |
| Expense records | Until deleted by user or account deletion |
| Activity logs | Duration of account existence |
| Device tokens | Until device is unregistered or account deletion |
7. Your Rights and Choices
7.1 Access and Control
You have the right to:
- Access your personal data stored in your profile
- Update your name, email, phone number, and profile photo
- Control location sharing (enable/disable at any time)
- Control which groups and individuals can see your location
- Delete expenses and payment records you've created
- Leave groups you no longer wish to be part of
7.2 Device Permissions
You can control the following permissions on your device:
- Location: Required only for location sharing feature
- Contacts: Required only for friend discovery
- Notifications: Required only for push notifications
You can revoke these permissions at any time through your device settings.
7.3 Account Deletion
To delete your account and all associated data, please contact us at privacy@ephileo.us. Upon request, we will:
- Delete your account and personal information
- Remove your data from active databases
Note: Some information may be retained in backups for a limited period.
7.4 Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights:
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
7.5 Rights for California Residents (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know whether personal information is sold or disclosed
- Say no to the sale of personal information (we do not sell your data)
- Access your personal information
- Request deletion of your personal information
- Equal service and price (non-discrimination)
8. Children's Privacy
Roamates is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that a child under 13 has provided us with personal information, we will delete such information from our servers.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
When we transfer data internationally, we ensure appropriate safeguards are in place to protect your information in accordance with this privacy policy.
10. Third-Party Links
The App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.
11. Push Notifications
We may send you push notifications regarding:
- Expense and payment updates
- Group activity notifications
- Friend requests and social updates
- Location sharing updates
- Important account information
You can opt out of push notifications through your device settings at any time.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy in the App
- Updating the "Last Updated" date at the top of this policy
- Sending you a notification for significant changes
Your continued use of the App after any changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Email: privacy@ephileo.us
Website: https://ephileo.us
Summary of Data Collection
| Category | Data Collected | Purpose | Linked to Identity | Used for Tracking |
|---|---|---|---|---|
| Contact Info | Name, Email | Account & authentication | Yes | No |
| Location | Precise GPS | Location sharing with friends | Yes | No |
| Identifiers | User ID | Account identification | Yes | No |
| Contacts | Hashed emails/phones | Friend discovery | No (hashed) | No |
| Financial | Expenses, payments | Expense splitting | Yes | No |
Roamates by Ephileo
Copyright 2025 Ephileo. All Rights Reserved.