Privacy Policy

1. Introduction

Roomeru ("Platform," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our student housing marketplace.

By using Roomeru, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Platform. This Privacy Policy should be read in conjunction with our Terms of Service.

2. Information We Collect

Account Information: When you create an account, we collect your full name, email address, phone number (optional), and a profile photo (optional). If you sign up using Google OAuth, we receive your name, email address, and profile picture from Google.

Student Verification Data: To verify your student status, we collect your .edu email address and the name of your educational institution. We do not access your academic records, grades, transcripts, or other educational information protected under FERPA.

Listing Information: Hosts provide property details including title, description, photos, pricing, location (address, city, state, and geographic coordinates), amenities, property type, and availability.

Booking & Transaction Data: We collect booking dates, pricing, and payment status. Financial payment processing is handled entirely by Stripe; we do not store your full credit card number, CVV, or bank account details on our servers. We store a Stripe customer identifier to link your account to your payment methods.

Reviews: When you leave a review, we collect the rating, comment text, and associate it with your profile and the relevant property and booking.

3. Information Collected Automatically

Error Monitoring: We use Sentry to detect and diagnose software errors. Sentry may collect your IP address, browser type, operating system, device information, and session replay data (a recording of your interactions with the page when an error occurs). Session replays are sampled at 10% of sessions and 100% of sessions where an error occurs.

Cookies & Authentication Tokens: We use essential cookies and local storage to maintain your authentication session through Supabase Auth. These are strictly necessary for the Platform to function and cannot be disabled. We do not use advertising cookies or third-party tracking cookies.

Server Logs: Our hosting infrastructure (Vercel) automatically collects standard server logs including IP addresses, request timestamps, URLs accessed, HTTP status codes, and referrer URLs. These logs are retained for operational and security purposes.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Account Management: To create and maintain your account, verify your identity, and authenticate your sessions.
• Student Verification: To confirm your .edu email address and university affiliation, and to manage periodic re-verification.
• Booking Facilitation: To process booking requests, coordinate between Hosts and Guests, and manage check-in/check-out logistics.
• Payment Processing: To facilitate payments through Stripe Connect, manage escrow, and process refunds and Host payouts.
• Platform Safety: To detect and prevent fraud, enforce our Terms of Service, and maintain the security and integrity of the Platform.
• Communications: To send booking confirmations, verification emails, policy update notifications, and essential service messages. We do not send marketing emails without your explicit consent.
• Error Resolution: To diagnose and fix software bugs using error monitoring and session replay data.
• Legal Compliance: To comply with applicable laws, respond to legal requests, and enforce our agreements.

5. Information Sharing & Disclosure

We do not sell your personal information to third parties. We share your information only in the following circumstances:

Between Users: To facilitate bookings, we share limited information between Hosts and Guests. Hosts can see a Guest's first name, school name, and booking details. Guests can see Host profiles, property details, and reviews. Full contact information is shared only after a booking is confirmed.

Service Providers: We share data with third-party service providers who help us operate the Platform:

• Stripe: Payment processing. Stripe receives your name, email, and payment method details. Stripe's use of your data is governed by Stripe's Privacy Policy.
• Supabase: Database hosting and authentication. Your account data and Platform content are stored on Supabase infrastructure.
• Sentry: Error monitoring and session replay for debugging purposes.
• Vercel: Application hosting and content delivery.
• Google Maps: Geocoding services to determine property city and state for regulatory compliance. Google receives property addresses but not user identity information.

Legal Requirements: We may disclose your information if required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before your information becomes subject to a different privacy policy.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Passwords are hashed and managed by Supabase Auth; we never store plaintext passwords.
• Payment card data is handled entirely by Stripe and never touches our servers (PCI DSS compliance is managed by Stripe).
• Database access is protected by Row Level Security (RLS) policies, ensuring users can only access their own data.
• Administrative access to production systems is restricted to authorized personnel and protected by strong authentication.

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and to notify us immediately if you suspect unauthorized access to your account.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. Specific retention periods include:

• Account Data: Retained until you request account deletion.
• Booking & Transaction Records: Retained for 7 years after the booking ends for tax, legal, and dispute resolution purposes.
• Reviews: Retained indefinitely as part of the Platform's public content, even after account deletion, though they will be anonymized.
• Error Monitoring Data: Sentry data is retained for 90 days.
• Server Logs: Retained for up to 30 days.

After account deletion, we may retain certain information in anonymized or aggregated form for analytics and Platform improvement, in a manner that cannot be used to identify you.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Update or correct inaccurate personal information through your account settings or by contacting us.
• Deletion: Request deletion of your account and personal data, subject to our retention obligations.
• Portability: Request your data in a structured, commonly used, machine-readable format.
• Objection: Object to certain processing of your personal information.

To exercise any of these rights, contact us at privacy@roomeru.com. We will respond to your request within 30 days. We will not discriminate against you for exercising your privacy rights.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Non-Discrimination: We will not deny you services, charge different prices, or provide a different level of service for exercising your CCPA rights.
• No Sale of Personal Information: We do not sell personal information as defined under the CCPA. We do not use or share personal information for cross-context behavioral advertising.

To submit a CCPA request, email privacy@roomeru.com with the subject line "CCPA Request." We may need to verify your identity before processing your request.

10. Student Privacy (FERPA)

Roomeru respects student privacy under the Family Educational Rights and Privacy Act (FERPA). We want to be clear about what we do and do not access:

• We only verify that your email address belongs to a recognized educational institution (.edu domain).
• We do not access, request, or store any educational records, including grades, transcripts, enrollment details, financial aid information, or disciplinary records.
• We do not have any data-sharing agreements with educational institutions.
• Your university affiliation (school name) is collected solely for Platform features like school-based search filtering.

If your institution has questions about our data practices, they may contact us at privacy@roomeru.com.

11. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@roomeru.com.

12. International Data Transfers

Roomeru is based in the United States and our services are directed to users within the United States. Your information is stored and processed in the United States. If you are accessing the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to the transfer of your information to the United States.

13. Third-Party Links

The Platform may contain links to third-party websites or services, including Stripe for payment processing. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

14. Consent Tracking

When you accept our Terms of Service and Privacy Policy (for example, during account registration or when we update these documents), we record your acceptance in an audit log. This record includes the document version accepted, the timestamp, your IP address, your browser user agent, and the method of acceptance. This data is retained as a legal record of your consent and is not used for any other purpose.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will:

• Provide at least 30 days' notice before the changes take effect.
• Notify you via email and through an in-app notification.
• Update the "Last updated" date and version number at the top of this page.
• For significant changes, require you to re-accept the updated policy before continuing to use the Platform.

Continued use of the Platform after changes take effect constitutes your acceptance of the revised Privacy Policy.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@roomeru.com
• General Support: support@roomeru.com
• Mail: Roomeru Inc., Attn: Privacy Team