Privacy Policy

This page explains what data we collect, why, where it goes, how long we keep it, and what rights you have. It applies to roam-code.com and paid or early-access Roam services when enabled (PR Replay, planned Roam Review and Cloud, and private-deployment pilots). It does not apply to the open-source CLI when run locally — that runs entirely on your machine and sends nothing to us.

1. Who we are

The data controller is Cranot (Dimitris), a sole-trader operating from Athens, Greece.

Contact: hello@roam-code.com
Privacy + data-subject requests: hello@roam-code.com
Security disclosures: security@roam-code.com

2. What runs locally vs. what touches our servers

The open-source CLI (roam-code on PyPI) is 100% local, no API key, no vendor cloud endpoint. It writes a SQLite file inside your repo's .roam/ directory. It does not phone home, send telemetry, or transmit any source code. No data crosses the network. The same local-only stance is contractually committed in DPA §6.

The paid services collect different things, listed below.

3. What this website (roam-code.com) collects

• No analytics, no cookies, no tracking pixels. We don't run Google Analytics, Plausible, PostHog, or any equivalent. The page sets no first-party cookies.
• Standard server logs via Cloudflare (IP address, User-Agent, requested path, timestamp, response code). Retained for 30 days for security + abuse-prevention purposes. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — operating a website securely.
• Email contents you send us at hello@ or security@. We retain these as long as the conversation is operationally relevant, then delete. Legal basis: contract performance or legitimate interest, depending on the message.

4. What Roam Cloud collects (planned paid SaaS)

• Metrics only. Health scores, complexity numbers, dependency counts, language breakdown, file-role counts, repo size. Never the source code itself.
• Account data. Email, name, organisation name, subscription tier. Provided by you at signup.
• Billing data. Handled by Stripe under their privacy policy. We see card-brand, last 4 digits, billing country — not the full card number.

Legal basis: performance of the contract you signed by subscribing.

5. What Roam Review collects (planned paid GitHub App)

• Pull-request diffs are processed ephemerally in our cloud when the service is enabled. Private-deployment pilots are scoped separately when hosted processing is blocked by policy. Diffs are held in memory for the duration of the analysis, then discarded.
• Repository metadata required to post comments back (repo name, PR number, commit SHA, author).
• GitHub installation token stored encrypted at rest, revocable by uninstalling the App.

Legal basis: performance of the contract. Roam Review does not retain source code after analysis. The audit-trail JSONL Roam emits contains metadata (verdict, finding count, confidence) — never the diff text.

6. Sub-processors

The canonical sub-processor list with location, processing purpose, and transfer basis is in DPA §5. At the effective date above:

• Stripe, Inc. (USA) — payment processing, receipts, refunds, billing records. Billing-contact and transaction metadata only; no source code. Transfer basis: Stripe SCCs where applicable. privacy policy
• GitHub, Inc. (USA / global) — for PR Replay only when Controller chooses GitHub collaborator, deploy-key, GitHub App, or webhook access; for the planned Roam Review GitHub App, the auth + comment-posting layer. Transfer basis: GitHub SCCs where applicable. privacy policy
• Cloudflare (US/EU) — DNS, CDN, edge compute, and standard server logs for the public website at roam-code.com. No source code, no customer data. privacy policy
• Hosting provider for Roam Cloud + Roam Review backend — [TBD: HOSTING_PROVIDER] (EU-based; to be selected and disclosed before paid general availability; named in the DPA at GA). During early access there is no production backend processing customer data, and PR Replay v1 has no hosted sub-processor for analysis (the CLI is local-only).

New sub-processors are added with at least 14 calendar days' prior notice, unless emergency replacement is necessary to maintain security or service continuity, per DPA §5. Controllers may object on reasonable data-protection grounds; if the objection cannot be resolved, the affected service may be terminated with any refund required by the Agreement.

7. International transfers + edge caching

Some sub-processors are US-based (Cloudflare, Stripe, GitHub). The Processor's primary PR Replay processing location is Greece (EU) per DPA §11. Where personal data is transferred outside the EEA, transfers happen under an applicable GDPR Chapter V safeguard — typically the EU Standard Contractual Clauses (2021/914), an adequacy decision, or the EU-US Data Privacy Framework. We do not transfer source code outside the EEA from the CLI (it stays local) or from Roam Cloud (metrics only).

The static site at roam-code.com is served from Cloudflare's global edge network; cached copies of the public HTML may exist at any Cloudflare POP worldwide. No personal data is processed by the static site itself — only the standard server logs listed above.

8. Retention

Website + paid-service retention windows:

• Server logs: 30 days
• Email correspondence: as long as operationally relevant, then deleted on a 12-month rolling basis
• Account data: until account deletion + 30 days for backup expiry
• Billing records: 7 years (Greek tax law requirement)
• Audit-trail records (Roam Review, when enabled): 1 year by default; private-deployment pilot retention follows the order form

PR Replay-specific retention is set by DPA §7:

• Temporary repository clones, git bundles, indexes, and derivative working files: deleted within 7 calendar days after report delivery or service termination (deletion confirmation available on request).
• Final delivered report: retained up to 90 days for follow-up questions, unless earlier deletion is requested.
• Engagement ledger entries: retained up to 2 years for audit defence, reconciliation, and dispute handling.
• Anonymised aggregate product metrics: retained only where no client, repo, contributor, code, identifier, or quote can be reconstructed.

9. Your rights

Under the GDPR (Articles 15-22) you have the right to:

• Access the personal data we hold about you (Art. 15)
• Have inaccurate data rectified (Art. 16)
• Have data erased — "right to be forgotten" (Art. 17)
• Restrict processing (Art. 18)
• Receive your data in a portable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Not be subject to a decision based solely on automated processing (Art. 22)
• Withdraw consent (for any processing based on consent)
• Lodge a complaint with your local data protection authority. In Greece, that's the Hellenic Data Protection Authority (search the EDPB members directory for current contact details).

When Roam processes personal data on a customer's behalf under the paid services, we act as the GDPR Article 28 processor under the Data Processing Agreement; the customer is the controller and is the primary point of contact for data-subject requests in that flow. For requests about data we hold as a controller (website logs, paid-tier accounts, support correspondence), email hello@roam-code.com. We respond within 30 days.

10. Automated decision-making

Roam analyses code and emits findings. None of those findings result in a legal or similarly significant decision about you as an individual. We do not engage in profiling or automated decision-making within the meaning of GDPR Art. 22.

11. Children

Roam is a developer tool not directed at children under 16. We do not knowingly collect data from children.

12. Changes to this policy

Material changes will be announced at least 30 days in advance to active subscribers. The effective date at the top of this page tracks the latest version.

13. Related documents

• Trust & compliance posture — procurement-overview companion to this page (framework status, sub-processor list, security contact, vulnerability disclosure, data-flow diagram).
• Security policy — threat model, secure-coding posture, vulnerability disclosure terms, PGP key.
• Terms of Service — paid-service contract terms.
• Data Processing Agreement (DPA) — GDPR Article 28 processor agreement for paid engagements.
• PR Replay Statement of Work — incorporates the DPA by reference.
• GitHub source — the Apache 2.0 CLI that produces every evidence artifact.

Questions? hello@roam-code.com.