← Back to Home

Archived version — April 21, 2026. This Privacy Policy has been superseded. Read the current Privacy Policy.

Roost — Privacy Policy (Archived)

Effective Date: April 21, 2026 | Last Updated: April 21, 2026

1. Introduction

Good Egg LLC, a Virginia limited liability company ("we," "us," "our," or "Company"), respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect your information when you use the Roost mobile application and related services (collectively, the "Service").

By using the Service, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree, do not use the Service.

1.1 Data Controller

The data controller for your personal information is:

Good Egg LLC
Virginia, United States
Email: contact@roostsocial.app

A postal address is available on request. For users in the European Economic Area (EEA) and the United Kingdom: we have not appointed a representative under GDPR Article 27 or the UK GDPR. You may exercise all rights described in this Policy by contacting us at the email above, and we will respond within 30 days.

2. Information We Collect

2.1 Account Information

When you create an Account, we collect:

Name: First and last name (from your authentication provider or as you enter it).
Email address: From your Google or Apple Sign-In account.
Username: Chosen by you during onboarding.
Profile photo/avatar: Your selected pigeon avatar.

2.2 Authentication Data

The Service supports two authentication methods: Sign in with Apple and Sign in with Google. Whichever you choose, we receive:

A stable account identifier from Apple or Google used to recognize you on return visits.
Basic profile information — typically your name and email address. If you use Sign in with Apple, you may choose Apple's "Hide My Email" option, in which case we receive a private relay address rather than your real email.
Authentication tokens for secure session management.

We do not receive your Apple or Google password, and we do not post to, read from, or otherwise act on your Apple or Google account outside of the sign-in exchange.

Note: We do not receive or store any biometric data (such as Face ID or fingerprint data). Biometric authentication, if used to unlock your device or confirm sign-in, is handled entirely by your device.

2.3 Consent and Compliance Data

Age verification confirmation (18+ attestation).
Terms of Use acceptance timestamp and version.
Privacy Policy acceptance timestamp and version.
Location data consent record.

2.4 Location Information

We collect precise GPS location data from your device. This is essential to the core functionality of the Service.

Specifically, we collect:

GPS coordinates: Real-time latitude and longitude for calculating pigeon flight paths and delivery times.
City information: Derived from GPS coordinates using geocoding services (Mapbox).
Location accuracy metadata: Precision and timing of location readings for quality assurance.

How location is shared with other users:

Your location is not continuously visible to friends. Friends only see location information through pigeon interactions — specifically, the endpoint of a flight on the map when you send or receive a pigeon.
The precision of that endpoint matches the setting you choose in Settings > Location Privacy: precise, city-level (approximate), or hidden.
Flight paths reveal general geographic direction between sender and recipient but otherwise use obfuscated intermediate points.

2.5 Messages and Communications

Messages are stored in plaintext. The Service does not currently offer end-to-end encryption. Data is encrypted at rest (via Firebase/Google Cloud encryption) and encrypted in transit (TLS), but message content is readable by authorized backend systems for the purpose of service delivery and legal compliance.

We store and process:

Message content: Text of messages sent through the Service.
Media files: Photos, videos, and other media shared in messages.
Message metadata: Timestamps, delivery status, read receipts.
Conversation data: Participant lists and conversation history.
Flight data: Real-time tracking data for message delivery via virtual pigeons.

2.6 Social and Interaction Data

Friend connections and friendship status (pending, accepted, blocked).
Blocked user lists.
User reports for content or conduct violations.

2.7 App Usage and Analytics

Device information: Device type, operating system version, app version.
Usage patterns: Features used, session frequency, time spent in app (collected in aggregate).
Performance data: Limited app exception and performance signals (via Firebase Analytics).
In-app purchase history: Transaction records and Virtual Items owned.
Pigeon data: Virtual pigeon collection, stats, and training activities.

2.8 Technical Data

Device identifiers: Unique device ID for push notification delivery.
Network information: IP address (for security monitoring and fraud prevention).
Push notification tokens: For delivering notifications to your device via Apple Push Notification service (APNs).

3. How We Use Your Information

3.1 Core Service Functionality

Location services: Calculate pigeon flight paths, delivery times, and map rendering.
Messaging: Deliver and store messages between users via virtual pigeons.
Social features: Connect users, manage friendships, enable communication.
Account management: Authenticate users, maintain profiles, process settings changes.

3.2 Safety and Security

Fraud prevention: Detect unauthorized access and suspicious activity.
Content moderation: Review reported content and enforce community guidelines.
Safety features: Enable blocking, reporting, and user protection.
Security monitoring: Protect against technical attacks and unauthorized data access.

3.3 Service Improvement

Analytics: Understand usage patterns to improve features (data is aggregated and anonymized where possible).
Performance optimization: Identify and fix bugs and performance issues.
Feature development: Inform design of new features based on aggregate usage data.

3.4 Legal Compliance

Enforce our Terms of Use.
Respond to valid legal process (subpoenas, court orders, law enforcement requests).
Maintain records as required by applicable law.

3.5 Automated Decision-Making

We do not engage in solely automated decision-making that produces legal effects concerning you or similarly significantly affects you. Automated systems we do use (such as spam detection, abuse signals, and rate limiting) are reviewed by humans where they result in account actions.

4. How We Share Your Information

4.1 With Other Users

The following information may be visible to other Service users:

Your username and profile information.
Your location as revealed through pigeon flight endpoints, at the precision level you choose.
Messages you send to them.
Your pigeon collection and stats (if not hidden in privacy settings).
Your online status (when enabled).

4.2 Sub-Processors

We share information with the following sub-processors who help us operate the Service. Each is bound by contractual obligations to protect your information and to use it only for the purposes we instruct.

Sub-Processor	Data Shared	Purpose
Google Firebase / Google Cloud	Authentication data, user profiles, text messages, analytics, exception/performance signals, push notification tokens	Database, authentication, analytics, exception/performance monitoring, serving Roost's static asset catalog (bird art, game assets), push notification routing (FCM → APNs), backend compute
Mapbox	GPS coordinates, device type	Map rendering, geocoding, location search
Apple	Authentication tokens, purchase transactions, push tokens	Sign-In with Apple, App Store, in-app purchases, push notification delivery to your device (APNs)
Google	Authentication tokens, basic profile (name, email)	Sign in with Google (OAuth) for Account creation and login

We will keep this list up to date and will notify users of material changes to our sub-processors through the Service or by email.

4.3 Analytics and Diagnostic SDKs

We use Firebase Analytics to understand product usage and to collect limited exception and performance signals. The SDK collects device identifiers and app events linked to a pseudonymous installation identifier rather than your real name. You can limit this collection through iOS App Tracking Transparency and your device's privacy settings.

4.4 Legal Requirements

We may disclose your information when required or permitted by law:

In response to valid legal process (subpoenas, court orders, search warrants).
To comply with regulatory requirements.
To protect the rights, property, or safety of Good Egg LLC, our users, or the public.
To prevent fraud, abuse, or illegal activity.
In connection with legal proceedings involving us.

4.5 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this Policy. We will notify you of any such transfer.

4.6 We Do Not Sell or Share Your Personal Information for Advertising

We do not sell, rent, or trade your personal information to third parties for their marketing purposes, and we do not "share" personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

5. Data Retention

5.1 Retention Periods

Data Type	Retention Period
Account profile data	Until Account deletion
Messages and media	Until deleted by sender or recipient, or Account deletion
Precise GPS coordinates	Until Account deletion (required for flight path calculation depending on your privacy level)
City-level location	Until Account deletion (required for flight path calculation depending on your privacy level)
Analytics data	Aggregated and anonymized; retained indefinitely for business analysis
Exception / performance signals (Firebase Analytics)	Retained per Firebase Analytics defaults (up to 14 months)
Purchase transaction records	7 years (legal/tax compliance)
Consent records	7 years after Account deletion (legal compliance)

5.2 Account Deletion

When you delete your Account:

Most personal data is deleted within 30 days.
Data may persist in encrypted backups for up to 90 days.
Certain records are retained as required by law (see table above).
Messages already delivered to other users remain in their conversations until they choose to delete them.

6. Data Security

6.1 Security Measures

We implement industry-standard security measures to protect your data:

Encryption at rest: All data stored in Firebase/Google Cloud is encrypted at rest using AES-256.
Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2+.
Access controls: Database access is restricted to authorized systems and personnel via Firebase Security Rules and IAM policies.
Authentication security: OAuth 2.0 via Apple and Google; no passwords stored.
Monitoring: Automated security monitoring for anomalous access patterns.

6.2 Security Limitations

No system is completely secure. Despite our efforts, we cannot guarantee absolute protection against all security threats, unauthorized access, or data breaches. You use the Service at your own risk regarding data security.

6.3 Data Breach Response

In the event of a data breach affecting your personal information:

We will investigate and contain the breach promptly.
We will notify affected users without unreasonable delay, including information about what data was involved and recommended protective steps.
We will notify relevant supervisory authorities within the timeframes required by applicable law, including (where applicable) within 72 hours under GDPR/UK GDPR, and within the notification windows required by US state attorneys general, the UK ICO, Brazil's ANPD, Australia's OAIC, Canada's OPC, and other competent authorities.
We will document the breach and our response for compliance purposes.

7. Your Privacy Rights and Choices

7.1 In-App Privacy Controls

Location sharing: Control who sees your location and at what precision (Settings > Location Privacy).
Profile visibility: Manage what information is visible to other users.
Blocking: Block other users from contacting or finding you.
Notifications: Control notification types and frequency via device settings and in-app preferences.

7.2 Location Data

You can control location access through your device's system settings. Note: Disabling location services will prevent core Service functionality (flight path calculation and message delivery simulation).

If you previously granted location consent, you may withdraw it at any time by disabling location permissions in your device settings. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

7.3 Account Deletion

You may delete your Account at any time through Settings > Delete Account. See Section 5.2 for details on what happens to your data.

7.4 Universal Data Subject Rights

Regardless of where you live, you may request to exercise the following rights regarding your personal data, and we will honor them to the extent required by applicable law:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information.
Portability: Request a copy of your data in a portable, machine-readable format.
Restriction: Request that we limit how we process your data.
Objection: Object to certain types of data processing (e.g., processing based on legitimate interests).
Withdraw consent: Where processing is based on consent, withdraw your consent at any time.
Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at contact@roostsocial.app. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before fulfilling certain requests.

8. International Data Transfers

The Service uses Google Firebase, which operates on Google Cloud infrastructure. Your data is stored and processed in the United States and may be processed in other countries where Google maintains data centers.

For users in the European Economic Area, United Kingdom, Brazil, or other jurisdictions with data transfer restrictions:

We rely on Standard Contractual Clauses (SCCs), the UK Addendum, and other approved transfer mechanisms to provide an adequate level of protection for international data transfers.
Google Cloud maintains compliance with applicable data protection frameworks.

By using the Service, you acknowledge and consent to the transfer of your data to the United States and other jurisdictions as described above.

9. Children's Privacy

The Service is not intended for anyone under 18 years of age (or the higher minimum age required by your local law). We do not knowingly collect personal information from anyone under this age.

We require age verification (18+ confirmation) during Account creation.
We comply with the Children's Online Privacy Protection Act (COPPA) in the United States, GDPR Article 8 in the European Union (which sets digital consent age at 16, or as low as 13 depending on the member state), the Age Appropriate Design Code in the United Kingdom, Brazil's LGPD child-protection provisions, and similar laws in other jurisdictions.
If we discover that a user under the applicable minimum age has created an Account, we will promptly terminate the Account and delete all associated data.
Parents or guardians who believe their child has provided information to us should contact us immediately at contact@roostsocial.app.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

10.1 Your California Rights

Right to Know: Request what personal information we collect, use, and disclose.
Right to Delete: Request deletion of your personal information.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
Right to Limit Use of Sensitive Personal Information: See Section 10.2.
Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.

We will respond to verifiable California requests within 30 days (the statute allows 45).

10.2 Sensitive Personal Information

Under the CPRA, precise geolocation data is classified as "sensitive personal information." We collect precise geolocation solely to provide core Service functionality (pigeon flight path calculation and message delivery). We do not use precise geolocation for profiling, advertising, or any purpose unrelated to Service operation. You may limit the use of your precise geolocation by adjusting your device's location settings or your in-app privacy controls.

10.3 Categories of Personal Information Collected

Category (CCPA)	Examples	Collected?
Identifiers	Name, email, username	Yes
Commercial information	Purchase history, Virtual Items	Yes
Internet/network activity	App usage, session data	Yes
Geolocation data	GPS coordinates, city	Yes
Sensory data	Photos, media in messages	Yes
Inferences	Usage preferences	Yes (limited)
Biometric data	Fingerprints, face data	No
Financial information	Payment card numbers	No (handled by Apple)

11. Other U.S. State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, or another U.S. state with a comprehensive consumer privacy law, you may have rights similar to those described in Section 7.4, including rights to access, correct, delete, and obtain a portable copy of your personal data, and (where applicable) to opt out of targeted advertising, sale of personal data, and certain profiling. We do not engage in sale of personal data, targeted advertising based on personal data, or profiling with legal or similarly significant effects. To exercise your rights, email contact@roostsocial.app.

12. European Data Protection (EU/EEA GDPR)

If you are located in the European Economic Area (EEA), the following provisions apply.

12.1 Legal Basis for Processing

Processing Activity	Legal Basis
Account creation, messaging, core features	Contract performance (Art. 6(1)(b))
Precise GPS location collection	Consent (Art. 6(1)(a)), explicit and withdrawable
Push notifications (service-related)	Contract performance / consent
Analytics and performance monitoring	Legitimate interest (Art. 6(1)(f))
Security monitoring and fraud prevention	Legitimate interest (Art. 6(1)(f))
Legal compliance and record-keeping	Legal obligation (Art. 6(1)(c))

12.2 Your GDPR Rights

You have the rights listed in Section 7.4, plus the right to lodge a complaint with your national supervisory authority. A directory of EU supervisory authorities is available from the European Data Protection Board.

12.3 EU Representative

We have not appointed an EU Representative under Article 27 of the GDPR. Please direct all requests, inquiries, and complaints to contact@roostsocial.app. We will respond within 30 days.

13. United Kingdom Data Protection (UK GDPR)

If you are located in the United Kingdom, your rights under the UK GDPR and the Data Protection Act 2018 substantially mirror those described in Section 12, including rights of access, rectification, erasure, restriction, portability, and objection. The supervisory authority is the Information Commissioner's Office (ICO), to whom you have the right to lodge a complaint. We have not appointed a UK Representative; please contact contact@roostsocial.app to exercise any UK GDPR right.

14. Canada (PIPEDA and Quebec Law 25)

If you are located in Canada, you have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and, if you are a Quebec resident, under Quebec's Law 25 (Act respecting the protection of personal information in the private sector). These include rights of access, correction, deletion, and withdrawal of consent. Complaints can be directed to the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec.

15. Australia (Privacy Act and APPs)

If you are located in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles (APPs), including rights of access and correction. Complaints can be directed to the Office of the Australian Information Commissioner (OAIC).

16. Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, and withdrawal of consent. Complaints can be directed to the Autoridade Nacional de Proteção de Dados (ANPD). To exercise your rights, contact contact@roostsocial.app.

17. Other Jurisdictions

If you are located in a jurisdiction with its own comprehensive data protection law — including Japan (APPI), South Korea (PIPA), India (DPDPA), South Africa (POPIA), Switzerland (FADP), Singapore (PDPA), or elsewhere — you may have rights substantially similar to those described above. You may exercise any such rights by contacting us at contact@roostsocial.app, and we will respond within the timeframe required by applicable law (and in any event within 30 days).

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through:

In-app notifications.
Email to the address associated with your Account.

Continued use of the Service after notification constitutes acceptance of the updated Privacy Policy. If you do not agree, you must stop using the Service and delete your Account. Previous versions of this Policy are available upon request.

19. Contact Information

For privacy-related questions, data access requests, or to exercise your privacy rights, contact us at:

Email: contact@roostsocial.app

Response time: We respond to privacy requests within 30 days (or sooner if required by applicable law).

BY USING THE ROOST SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION AND USE OF YOUR INFORMATION AS DESCRIBED HEREIN.