Roomie

Privacy Policy

Effective date: March 22, 2026

This policy explains what personal data Roomie collects, how it is used, and what choices users have. It is written to match the current implementation of this site, including account registration, login sessions (including Google sign-in), live chat, password reset email flows, room activity features, the in-app profile/settings modal, the private one-to-one direct messaging feature available to registered users, the in-room poll feature, and third-party advertising provided by Google AdSense.

Quick summary

Roomie collects account details you submit directly (or received from Google when you sign in with Google), keeps login sessions active with cookies, stores chat room content, private direct messages, and poll data, and uses browser storage to assign a stable visitor identifier. Roomie also provides an in-app profile/settings modal that can display your account details and (for registered users) allows you to request account deletion from within the app. The direct messaging feature is available to registered users only; guests cannot send or receive direct messages. Registered users can create polls within chat rooms; poll questions, options, and individual votes (tied to user identifiers) are stored in the database. Roomie loads the Google AdSense advertising script, which may set its own cookies and collect data according to Google's privacy policy.

1. Information Roomie collects

Roomie may collect the following categories of data:

  • Account details, including username, email address, and password when you register.
  • Authentication and session data, including the session cookie used to keep you signed in.
  • Live chat and room activity, including messages, room identifiers, your display name, and related timestamps.
  • Guest account identifiers created when you use the site without registering.
  • Password reset and account verification records, including temporary verification tokens and expiry times.
  • Browser-side identifiers stored in local storage for visitor tracking and socket connection management.
  • Direct message data, including message content, sender and recipient user identifiers, the sender's display name at the time of sending, and server-side timestamps recording when a message was created, delivered to an active session, and read by the recipient.
  • Technical data that your browser necessarily sends when using the service, such as IP address, browser user-agent string, and request headers. Roomie examines user-agent strings server-side to detect automated crawlers and bots.
  • An ephemeral per-tab identifier generated by the browser each time you open a new tab. This identifier is sent to the server as part of the real-time connection handshake and is used to filter duplicate messages. It is not persisted and is discarded when the tab closes.
  • Poll data, including poll questions, answer options, vote records (linked to user identifiers), the creator's display name, a unique share slug, timestamps, and whether the poll has been closed.
  • Data collected by the Google AdSense advertising script loaded on the site, which may include cookies, device identifiers, and browsing activity. This data is collected and processed by Google under its own privacy policy.
  • If you sign in with Google, Roomie receives your Google account email address, display name, and Google account identifier from Google's OAuth service.

2. How Roomie uses information

  • To create and verify user accounts.
  • To authenticate users and maintain secure sessions.
  • To provide chat rooms, room history, online user indicators, and guest access.
  • To send account verification and password reset emails.
  • To deliver, store, and display private one-to-one direct messages between registered users, including queuing undelivered messages and delivering them when the recipient reconnects.
  • To protect the service against abuse, spam, and repeated login attempts.
  • To operate and secure the underlying infrastructure, including database and session storage.
  • To allow registered users to create, vote on, and share polls within chat rooms, and to display poll results to room participants.
  • To detect automated crawlers and bots by examining browser user-agent strings, in order to distinguish genuine visitors from automated traffic.
  • To check for application updates by periodically comparing a server-generated instance identifier with the version the browser last received, and to show an in-app update banner when a newer version is available.

3. Google sign-in

Roomie offers sign-in through Google OAuth. When you use this option, Roomie receives your email address, display name, and Google account identifier from Google.

  • If an existing Roomie account already uses the same email address, the Google identifier is linked to that account automatically so you can sign in with either method.
  • If no matching account exists, a new Roomie account is created using your Google display name (sanitized and shortened) as the initial username. The account is marked as verified automatically.
  • Roomie stores which authentication methods are associated with your account (local password, Google, or both).

4. Cookies and local storage

Roomie currently uses a session cookie named chat.sid to keep authenticated sessions active. The current implementation configures this cookie as HttpOnly, Secure, SameSite, and with a maximum lifetime of about 24 hours.

Roomie also stores a persistent browser identifier in local storage under a key currently named radioio_visitor_id. This identifier helps distinguish browser visits and socket connections. The server maintains an in-memory map of active visitor identifiers to count unique visitors in real time; this map is not stored to a database and is lost when the server restarts. Unlike the session cookie, local storage remains on your device until you clear it or remove it through your browser settings.

The Google AdSense script loaded on the site may also set its own cookies. These cookies are managed by Google and are subject to Google's Privacy Policy.

5. Chat content and direct messages

Messages sent in Roomie chat rooms are user-generated content. Messages may be shown to other users in the same room and may also be included in room history returned by the application.

Polls are created by registered users within chat rooms. A poll's question, options, vote tallies, and the creator's display name are visible to all users in the room. Each user's vote is recorded by their user identifier and is stored in the database. Polls can be shared externally via a unique URL; when a social-media crawler visits the share link, Roomie serves Open Graph metadata (title, description, and a dynamically generated image) derived from the poll data.

Under the current implementation, guest messages are designed to expire automatically after about 24 hours. Messages associated with registered accounts are not automatically deleted by the current code and may remain stored until they are manually removed or the system changes.

Direct messages (DMs) are private, one-to-one messages exchanged between two registered users. DM content is stored in the database and is visible only to the sender and the intended recipient. The current implementation records whether a message has been delivered to the recipient's active socket session and whether the recipient has opened the conversation thread (read receipt). Guest users cannot send or receive direct messages. The conversation history API currently returns up to 200 of the most recent messages per thread; older messages beyond that limit may not appear in the UI but may remain stored in the database.

6. Data retention

  • Guest accounts are configured to auto-delete after about 24 hours.
  • Guest chat messages are cleaned up after about 24 hours.
  • Registration verification records and password reset records are temporary and are currently deleted after they expire, which is configured for about 30 minutes.
  • Registered account records, non-guest chat history, and poll data (including votes) are retained until removed by the operator or changed by future product updates.
  • Direct messages between registered users are not automatically deleted and may remain stored indefinitely until removed by the operator or changed by future product updates. This applies to both messages you have sent and messages others have sent to you.
  • Session records are stored in Redis with a current time-to-live of about 24 hours.

The server runs a periodic cleanup process (currently every 60 seconds) that hard-deletes expired guest messages, expired verification records, and expired password reset records from the database.

If you use the in-app account deletion feature, the current implementation deletes your registered account record from the database and ends your session. It does not automatically delete chat messages you previously sent in rooms, which may remain stored and visible in room history unless removed separately or the system changes. It also does not automatically delete direct messages you have sent to other users, or direct messages that other users have sent to you, which may remain stored unless removed separately by the operator.

7. Third parties and service providers

Roomie uses third-party infrastructure and libraries to operate the service. Based on the current implementation, these include:

  • Email delivery infrastructure used to send verification and password reset emails.
  • MongoDB for account, message, room, and token storage.
  • Redis for session and presence storage.
  • Socket.IO for real-time communication.
  • Google OAuth for optional sign-in via Google accounts.
  • Google AdSense for displaying advertisements. The AdSense script may collect data such as cookies, device identifiers, IP address, and browsing information. This data is processed by Google under Google's Privacy Policy. You can manage your ad personalisation preferences at Google Ads Settings.
  • A third-party content delivery network for Font Awesome assets loaded by the main site. When those assets load, the CDN may receive technical request data such as your IP address and browser details.

8. Security

Roomie uses password hashing, session cookies, security headers, request sanitization, and rate limiting as part of its current security controls. No method of storage or transmission is completely secure, so Roomie cannot guarantee absolute security.

9. Your choices and rights

Depending on your location, you may have rights to request access to personal data, correction of inaccurate data, deletion, restriction, objection, or data portability. You can also clear cookies and local storage in your browser at any time, although doing so may sign you out or reset parts of the user experience.

Account deletion: Registered users can request account deletion from the in-app profile/settings modal. Guest users do not have a registered account and therefore do not have an account to delete through this feature (guest identifiers are designed to expire automatically).

10. Children

Roomie is not intended for children under the age required by applicable law to consent to personal data processing on their own. If you believe a child has provided personal information without appropriate permission, the site operator should be contacted so the information can be reviewed and removed where appropriate.

11. Changes to this policy

This policy may be updated from time to time to reflect changes in the service, legal requirements, or data handling practices. The effective date at the top of this page will be updated when material changes are made.

12. Contact

For privacy questions or requests, contact the site operator at info@roomieverse.net.

Return to Roomie  ยท  Terms of Service