This statement describes how Roomzie complies with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), India's Digital Personal Data Protection Act (DPDPA 2023), and the Children's Online Privacy Protection Act (COPPA).
4.1 GDPR Compliance (European Users)
If you are located in the European Economic Area (EEA), the following applies:
Legal Bases for Processing
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and login | Contract performance | Art. 6(1)(b) |
| Compatibility matching | Contract performance + Consent | Art. 6(1)(b) + Art. 9(2)(a) |
| Marketing emails | Consent (opt-in only) | Art. 6(1)(a) |
| Fraud prevention and security | Legitimate interests | Art. 6(1)(f) |
GDPR Rights
EU users have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. Submit requests to hello@roomziee.com. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
Sensitive Data Under GDPR
4.2 CCPA Compliance (California Residents)
If you are a California resident, you have the following rights under the CCPA:
- Right to Know: request disclosure of personal information we collect and why
- Right to Delete: request deletion of personal information we hold about you
- Right to Opt-Out: Roomzie does not sell personal information. No opt-out is required.
- Right to Non-Discrimination: exercising your CCPA rights will not result in reduced service
To submit a CCPA request, email hello@roomziee.com with the subject "CCPA Request". We will verify your identity and respond within 45 days.
4.3 DPDPA 2023 Compliance (Indian Users)
Roomzie acknowledges the requirements of India's Digital Personal Data Protection Act 2023 (DPDPA). For Indian users:
- We collect only the data necessary for the purpose declared at the time of collection
- We obtain consent before collecting personal data and maintain consent records
- You have the right to correct inaccurate data and to erase your data upon request
- You may nominate a person to exercise your rights in the event of your death or incapacity
- We do not transfer personal data of Indian users to jurisdictions not approved under DPDPA rules without appropriate safeguards
For DPDPA-related requests, contact hello@roomziee.com.
4.4 COPPA Compliance (Children Under 13)
Roomzie does not knowingly collect personal information from children under the age of 13. Our Platform requires users to be at least 16 years old. Age is verified through date of birth collection at registration.
If we discover a user is under 13, we will immediately delete their account and all associated data. If you believe a child has registered on our Platform, contact hello@roomziee.com immediately.
4.5 Email Marketing Compliance
Roomzie complies with CAN-SPAM (US), GDPR (EU), and CASL (Canada) for email communications:
- Marketing emails are only sent to users who explicitly opt in during registration
- Pre-checked marketing opt-in boxes are not used — all consent is active
- Every marketing email includes a working unsubscribe link
- We record opt-in date, source, and consent text for every subscribed user
- Transactional emails (verifications, password resets, match notifications) are sent without marketing opt-in as they are necessary for Platform operation
- Our sender identity includes our business name and contact email in every footer
4.6 App Store Data Declarations
Roomzie declares all collected data categories in both Apple App Store and Google Play Store privacy forms, including data collected by third-party SDKs. Our declarations are kept consistent with this Privacy Policy at all times.
4.7 Data Processing Agreement (DPA)
Property managers who use Roomzie process tenant personal data as part of their leasing operations. By using the Property Manager features of Roomzie, you agree that:
- You are the data controller for your tenants' personal information
- Roomzie acts as a data processor on your behalf for the purpose of tenant matching
- You are responsible for obtaining any necessary consents from tenants under applicable law in your jurisdiction
- You will not use tenant data obtained through Roomzie for any purpose other than facilitating roommate matching and leasing
Property managers in the EU may request a formal Data Processing Agreement (DPA) by contacting hello@roomziee.com.
4.8 Security Standards
Roomzie maintains the following technical and organisational security measures:
- Encryption at rest: AES-256 encryption on all database records
- Encryption in transit: TLS 1.2+ enforced on all connections
- Authentication: Supabase Auth with JWT tokens and session management
- Password security: bcrypt hashing, with a minimum password length of 8 characters
- Access control: Role-based permissions (student / property manager / admin)
- File security: File type validation and a 5 MB size limit on all uploads
- Rate limiting: Login and registration endpoints are rate-limited
- Audit access: Regular review of who has access to production data
4.9 Breach Notification
In the event of a data breach affecting personal data:
- We will notify affected users by email within 72 hours of discovering the breach
- We will notify the relevant supervisory authority as required by applicable law
- Our notification will include: nature of the breach, data affected, steps we are taking, and recommended actions for affected users
4.10 Contact and Complaints
Data Protection Contact
Email: hello@roomziee.com
Subject line: Data Protection Request
Website: roomziee.com
Response time: 30 days for standard requests. For urgent security issues, we aim to respond within 24 hours.
Questions about this policy?
Email us at hello@roomziee.com.