Roomie

Privacy Policy

Effective date: June 28, 2026

This policy explains what personal data Roomie collects, how it is used, and what choices users have. It is written to match the current implementation of the Roomie app, including account registration, login sessions (including Google sign-in), live chat, password reset email flows, room activity features, the in-app profile/settings modal, the private one-to-one direct messaging feature available to registered users, the in-room poll feature, a GIF, meme, and sticker feature powered by the Klipy API, push notifications delivered through Firebase Cloud Messaging, a user reporting feature available to registered users, a general feedback submission feature open to all users, and a voice message feature that allows users to record and send audio clips in chat rooms and direct messages.

Quick summary

Roomie collects account details you submit directly (or received from Google when you sign in with Google), keeps login sessions active with a session cookie, and stores chat room content, private direct messages, and poll data. Roomie also provides an in-app profile/settings modal that can display your account details and (for registered users) allows you to request account deletion from within the app. The direct messaging feature is available to registered users only; guests cannot send or receive direct messages. Registered users can create polls within chat rooms; poll questions, options, and individual votes (tied to user identifiers) are stored in the database. Registered users and guests can use the in-app picker (powered by Klipy) to search and send GIFs, memes, and stickers in chat rooms and direct messages; when the picker is used, a customer identifier and search query are sent to the Klipy API, and the picker may display sponsored content provided by Klipy. Roomie sends push notifications about new messages through Firebase Cloud Messaging (a Google service); your device's notification token is stored on our servers to deliver them, and limited message details pass through Google's infrastructure to your device. Registered users can report other users through the in-app reporting feature; report data (reporter and reported user identifiers, display names, reason, and any details provided) is stored in the database. Any user may submit general product feedback through the feedback form; feedback text and a creation timestamp are stored in the database. Registered users and guests can record and send voice messages in chat rooms and direct messages; audio files are uploaded to Roomie's servers and automatically deleted after 90 days.

1. Information Roomie collects

Roomie may collect the following categories of data:

  • Account details, including username, email address, and password when you register.
  • Authentication and session data, including the session cookie used to keep you signed in.
  • Live chat and room activity, including messages, room identifiers, your display name, and related timestamps.
  • Guest account identifiers created when you use the app without registering.
  • Password reset and account verification records, including temporary verification tokens and expiry times.
  • Direct message data, including message content, sender and recipient user identifiers, the sender's display name at the time of sending, and server-side timestamps recording when a message was created, delivered to an active session, and read by the recipient.
  • Technical data that your device necessarily sends when using the service, such as IP address, user-agent string, and request headers. Roomie examines user-agent strings server-side to detect automated crawlers and bots.
  • Poll data, including poll questions, answer options, vote records (linked to user identifiers), the creator's display name, a unique share slug, timestamps, and whether the poll has been closed.
  • If you sign in with Google, Roomie receives your Google account email address, display name, and Google account identifier from Google's OAuth service.
  • Search queries and a customer identifier (your account ID or username) sent to the Klipy API when you use the in-app picker to search or browse trending GIFs, memes, or stickers in a chat room or direct message conversation. The media URLs you select and send as messages are stored in the database as part of the message record. The picker may also display sponsored content (advertisements) served by Klipy.
  • User report data when a registered user submits a report, including the reporter's user identifier and display name, the reported user's identifier and display name, the selected report reason, any additional details provided, and a creation timestamp. Guests cannot submit reports.
  • Feedback text submitted through the in-app feedback form (up to 2,000 characters), along with a creation timestamp. Feedback may be submitted by any user, including guests.
  • Voice message audio files recorded and sent in chat rooms or direct messages. These files are uploaded to and stored on Roomie's servers.
  • Notification permission status and your device's Firebase Cloud Messaging (FCM) registration token. The app requests the operating system's notification permission (granted, denied, or default). To deliver push notifications, your device's FCM token is sent to and stored on Roomie's servers, linked to your account, and removed when you delete your account.

2. How Roomie uses information

  • To create and verify user accounts.
  • To authenticate users and maintain secure sessions.
  • To provide chat rooms, room history, online user indicators, and guest access.
  • To send account verification and password reset emails.
  • To deliver, store, and display private one-to-one direct messages between registered users, including queuing undelivered messages and delivering them when the recipient reconnects.
  • To protect the service against abuse, spam, and repeated login attempts.
  • To operate and secure the underlying infrastructure, including database and session storage.
  • To allow registered users to create, vote on, and share polls within chat rooms, and to display poll results to room participants.
  • To detect automated crawlers and bots by examining user-agent strings, in order to distinguish genuine visitors from automated traffic.
  • To facilitate GIF, meme, and sticker search and trending content by forwarding a customer identifier and your search query (if any) to the Klipy API, and to store these messages in the database as part of chat and direct message history.
  • To record and review user reports submitted by registered users, and to allow site administrators to investigate and resolve reported violations.
  • To collect and review general product feedback submitted through the feedback form.
  • To send push notifications (via Firebase Cloud Messaging) alerting you to new chat messages or direct messages when the app is in the background or closed, if you have granted notification permission.

3. Google sign-in

Roomie offers sign-in through Google OAuth. When you use this option, Roomie receives your email address, display name, and Google account identifier from Google.

  • If an existing Roomie account already uses the same email address, the Google identifier is linked to that account automatically so you can sign in with either method.
  • If no matching account exists, a new Roomie account is created using your Google display name (sanitized and shortened) as the initial username. The account is marked as verified automatically.
  • Roomie stores which authentication methods are associated with your account (local password, Google, or both).

4. Cookies and notifications

Roomie currently uses a session cookie named chat.sid to keep authenticated sessions active. The current implementation configures this cookie as HttpOnly, Secure, SameSite, and with a maximum lifetime of about 24 hours. On the native apps this cookie is stored on your device so you stay signed in between sessions.

Notifications: The app may ask your permission to send notifications. Roomie delivers push notifications through Firebase Cloud Messaging (FCM), a service operated by Google. When permission is granted, your device generates an FCM registration token that is sent to and stored on Roomie's servers and linked to your account so we can notify you of new chat messages or direct messages while the app is in the background or closed. When a notification is sent, limited details — such as the sender's nickname and a short preview of the message text (or an indication that an image was sent) — pass through Google's FCM infrastructure to your device; push notification content is therefore not end-to-end encrypted. Your token is removed when you delete your account, and you can revoke notification permission at any time through your device settings.

5. Chat content and direct messages

Messages sent in Roomie chat rooms are user-generated content. Messages may be shown to other users in the same room and may also be included in room history returned by the application.

Polls are created by registered users within chat rooms. A poll's question, options, vote tallies, and the creator's display name are visible to all users in the room. Each user's vote is recorded by their user identifier and is stored in the database. Polls can be shared externally via a unique URL; when a social-media crawler visits the share link, Roomie serves Open Graph metadata (title, description, and a dynamically generated image) derived from the poll data.

Under the current implementation, guest messages are designed to expire automatically after about 24 hours. Messages associated with registered accounts are not automatically deleted by the current code and may remain stored until they are manually removed or the system changes.

Direct messages (DMs) are private, one-to-one messages exchanged between two registered users. DM content is stored in the database and is visible only to the sender and the intended recipient. The current implementation records whether a message has been delivered to the recipient's active socket session and whether the recipient has opened the conversation thread (read receipt). Guest users cannot send or receive direct messages. The conversation history API currently returns up to 200 of the most recent messages per thread; older messages beyond that limit may not appear in the UI but may remain stored in the database.

6. Data retention

  • Guest accounts are configured to auto-delete after about 24 hours.
  • Guest chat messages are cleaned up after about 24 hours.
  • Registration verification records and password reset records are temporary and are currently deleted after they expire, which is configured for about 30 minutes.
  • Registered account records, non-guest chat history, and poll data (including votes) are retained until removed by the operator or changed by future product updates.
  • Direct messages between registered users are not automatically deleted and may remain stored indefinitely until removed by the operator or changed by future product updates. This applies to both messages you have sent and messages others have sent to you.
  • Voice message audio files are automatically deleted from the server after 90 days from the date they were uploaded, regardless of whether the associated message still exists.
  • Session records are stored in Redis with a current time-to-live of about 24 hours.

The server runs a periodic cleanup process (currently every 60 seconds) that hard-deletes expired guest messages, expired verification records, and expired password reset records from the database.

If you use the in-app account deletion feature, the current implementation deletes your registered account record from the database and ends your session. It does not automatically delete chat messages you previously sent in rooms, which may remain stored and visible in room history unless removed separately or the system changes. It also does not automatically delete direct messages you have sent to other users, or direct messages that other users have sent to you, which may remain stored unless removed separately by the operator.

7. Third parties and service providers

Roomie uses third-party infrastructure and libraries to operate the service. Based on the current implementation, these include:

  • Email delivery infrastructure used to send verification and password reset emails.
  • MongoDB for account, message, room, and token storage.
  • Redis for session and presence storage.
  • Socket.IO for real-time communication.
  • Google OAuth for optional sign-in via Google accounts.
  • Firebase Cloud Messaging (Google) for delivering push notifications. Your device's notification registration token and the notification content (the sender's nickname and a short message preview) are transmitted through and processed by Google under Google's Privacy Policy.
  • Klipy for GIF, meme, and sticker search and display, including sponsored content shown in the picker. When you use the picker, a customer identifier (your account ID or username) and any search query you enter are sent to the Klipy API. Media files are loaded directly from static.klipy.com. Data sent to Klipy is processed under Klipy's own privacy policy.

8. Security

Roomie uses password hashing, session cookies, security headers, request sanitization, and rate limiting as part of its current security controls. No method of storage or transmission is completely secure, so Roomie cannot guarantee absolute security.

9. Your choices and rights

Depending on your location, you may have rights to request access to personal data, correction of inaccurate data, deletion, restriction, objection, or data portability. You can also clear the app's stored data, including cookies, through your device settings at any time, although doing so may sign you out or reset parts of the user experience.

Account deletion: Registered users can request account deletion from the in-app profile/settings modal. Guest users do not have a registered account and therefore do not have an account to delete through this feature (guest identifiers are designed to expire automatically).

10. Children

Roomie is not intended for children under the age required by applicable law to consent to personal data processing on their own. If you believe a child has provided personal information without appropriate permission, the site operator should be contacted so the information can be reviewed and removed where appropriate.

11. Changes to this policy

This policy may be updated from time to time to reflect changes in the service, legal requirements, or data handling practices. The effective date at the top of this page will be updated when material changes are made.

12. Contact

For privacy questions or requests, contact the site operator at info@mail.roomieverse.net.

Account deletion request: Request that your Roomie account and associated data be deleted.

Deletion policy page: How to request account deletion and what data is deleted or retained.