Roost — Privacy Policy
Last updated: May 15, 2026
Roost ("we", "us", "the app") is a mobile application that helps couples, families, and roommates track shared expenses. This Privacy Policy explains what information we collect, how we use it, and your rights over your data.
1. Who runs Roost
Roost is developed and operated by Eitan Sarikov.
Contact for any privacy or support questions: roost@flycricket.support
2. What we collect
We collect only what we need to run the app.
Account information. When you create an account we collect your email address, your chosen password (stored only as a hashed value — we never see your plaintext password), and an optional display name.
Workspace and expense data. Anything you enter in Roost is stored on our servers and associated with your account: expenses, income, categories, recurring expenses, workspaces you create or are invited to, your role in each workspace, and invitations you send.
Voice recordings (only if you use voice entry). When you tap the microphone to dictate an expense, the app records a short audio clip and sends it to our server to be transcribed into text. The audio file is forwarded to OpenAI for transcription and then discarded — we do not retain the audio recording. The resulting text is treated like any other expense you typed.
Chat messages (only if you use the chat entry feature). When you describe an expense in plain language, your message text is sent to our server and forwarded to OpenAI's API, which extracts the amount, category, and date. We retain the message text as part of your chat history within your account.
Stored only on your device (never sent to our servers):
Your language, currency, and theme preferences.
Whether you've enabled Face ID / Touch ID for the app.
Which workspace is currently active.
A short-lived authentication token used to keep you signed in.
We do not collect or use:
Location data.
Contacts, photos, calendar, health, or other system data.
Advertising identifiers (IDFA).
Third-party analytics, behavioral tracking, or marketing cookies.
3. Face ID and Touch ID
Roost can be unlocked with Face ID or Touch ID. This authentication is performed entirely on your device by Apple's LocalAuthentication framework. We never receive or store your biometric data — Apple does not share it with apps. The app only receives a yes/no result from the operating system.
4. Third parties we share data with
We share data only with the service providers we need to operate Roost. We never sell your personal data, and we never share it with advertisers.
Railway (railway.com/legal/privacy) — hosts our backend application and PostgreSQL database, where your account and expense data are stored.
OpenAI (openai.com/policies/privacy-policy) — processes chat messages and audio recordings to extract or transcribe expense details. Per OpenAI's API data usage policy, this data is not used to train OpenAI's models.
Resend (resend.com/legal/privacy-policy) — sends transactional emails such as workspace invitations and account-related notifications. Resend processes the recipient email address and message content for delivery.
Apple — when you install or update Roost, Apple's App Store handles distribution. We may receive aggregated, anonymous metrics from App Store Connect; we do not receive individual user identifiers.
5. Where your data is stored
Account and expense data is stored on servers operated by Railway in the United States. If you access Roost from a different region, your data may be transferred to and processed in the United States.
OpenAI and Resend process data on their own infrastructure in line with their respective privacy policies (linked above).
6. How long we keep data
We keep your account and expense data for as long as your account exists.
If you delete your account, we delete your user record, expenses, income, recurring entries, the workspaces you own, and your memberships in other workspaces from our active systems within 30 days. Routine backups may retain residual copies for a short period before being overwritten.
7. Your rights — deleting and exporting your data
You can delete your account at any time from inside the app: Settings → Account → Delete account. This permanently removes your data as described in Section 6.
You can also email us at roost@flycricket.support to request:
A copy of the personal data we hold about you (data access).
Correction of data that is inaccurate.
Deletion of your data.
Restriction of processing.
Withdrawal of consent for any processing based on consent.
We will respond within 30 days.
If you are in the EU or UK you have rights under the GDPR (and UK GDPR). If you are in California you have rights under the CCPA / CPRA. The rights above apply to you, and you may also lodge a complaint with your local data protection authority.
8. Children
Roost is not directed at children under 13 (or under 16 in the European Union). We do not knowingly collect personal data from children. If you believe a child has provided us with data, please email us and we will delete it.
9. Security
We use industry-standard security practices: HTTPS for all network traffic, password hashing with bcrypt, encryption at rest where supported by our hosting provider, short-lived JWT-based authentication tokens, and the iOS Keychain for credentials stored on-device. No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities as required by law.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be announced in-app or by email to the address associated with your account.
11. Contact
All privacy and support questions: roost@flycricket.support