Privacy Policy

1. Scope

This policy applies to information we process as a service provider for organisations that deploy ROAM (“Customers”) and, where applicable, to individuals who use the Service under a Customer account (“Users”). Customers are responsible for their own privacy notices to Users and for the lawfulness of processing Customer Content they place in the Service.

2. Information we collect

Depending on how you use the Service, we may collect:

• Account and identity data — name, email, username, role, organisation, authentication factors, session tokens, and audit identifiers tied to your account.
• Operational and security data — IP addresses, device identifiers, client versions, connection metadata, logs of API calls, workspace mounts, lease and lock events, and similar telemetry needed to operate and secure the Service.
• ROAM Guard and audit events — structured security findings when enabled, such as paths relative to a workspace, destination classifications, process signing metadata, hashes and sizes (not file contents), timestamps, and associated user or workspace identifiers. See our product documentation for the current scope of ROAM Guard.
• Support and communications — messages you send to us, ticket content, and call or email records where you contact us.
• Website usage — basic server logs for the marketing site and status pages (for example, requested URLs, timestamps, and referrer), unless you use additional analytics we describe at collection time.

We do not intentionally collect sensitive categories of personal information (such as health or biometric data) through the Service unless you choose to include them in Customer Content or communications.

3. How we use information

We use information to:

• provide, maintain, and improve the Service;
• authenticate users, enforce access controls, and investigate security incidents;
• generate audit trails and monitoring visible to authorised Customer administrators;
• communicate about the Service, incidents, and updates;
• comply with law and respond to lawful requests;
• protect our rights and the safety of users and systems.

We may use aggregated or de-identified data that cannot reasonably identify you for analytics, reliability, and product development.

4. Legal bases (where applicable)

Where privacy laws require a legal basis (for example, in the EEA, UK, or Australia), we rely on performance of a contract with the Customer or you, legitimate interests in operating and securing the Service (balanced against your rights), compliance with legal obligations, and consent where we ask for it explicitly.

5. How we share information

We may share information with:

• Service providers — hosting, email, monitoring, and infrastructure vendors bound by confidentiality and data-processing terms, only as needed to operate the Service.
• Customers and their administrators — Users’ activity and audit data visible within the Customer’s ROAM deployment.
• Professional advisers and authorities — lawyers, auditors, insurers, or regulators when required or reasonably necessary.
• Business transfers — a successor entity in a merger, acquisition, or asset sale, subject to this policy or a successor notice.

We do not sell personal information for money.

6. International transfers

We and our providers may process information in Australia and other countries. Where required, we use appropriate safeguards (such as contractual clauses) for cross-border transfers.

7. Retention

We retain information for as long as needed to provide the Service, meet legal and contractual obligations, resolve disputes, and enforce agreements. Retention periods vary by data type and Customer configuration. Customers may export or delete certain data through administrative tools; residual copies may persist in backups for a limited period.

We are not responsible for loss of data whether caused by user error, hardware failure, network issues, third parties, or discontinuation of the Service. You and your organisation should maintain independent backups of critical material.

8. Security

We implement technical and organisational measures designed to protect information, including encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing, and to lodge a complaint with a supervisory authority. Australian residents may have rights under the Privacy Act 1988 (Cth) and applicable Australian Privacy Principles. Many requests must be submitted by or through your Customer administrator because we act on their instructions. You may also contact us directly at privacy@roam.site.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect their personal information. Contact us if you believe we have done so and we will take appropriate steps to delete it.

11. Cookies and similar technologies

The Service and login surfaces may use cookies or local storage for session management and security. We do not use third-party advertising cookies on the core Service. The public marketing site minimises tracking; any change will be reflected here or in a just-in-time notice.

12. Changes

We may update this policy by posting a new version at roam.site/privacy and updating the effective date. Material changes may be communicated by email or in-product notice where appropriate. Continued use after the effective date constitutes acceptance where permitted by law.

13. Contact

Privacy enquiries: privacy@roam.site
General contact: hello@roam.site