This Privacy Policy describes how Roamify (Pvt) Limited ("Roamify", "we", "us", "our") collects, uses, shares, and protects information when you use the Roamify website at roamify.net, the Roamify Traveler iOS app, the Roamify Driver mobile app, and any other product or service that links to this policy (together, the "Services").
Roamify is incorporated in Sri Lanka. Our registered office is at 276, Remuna, Horana, 12400, Sri Lanka. For any privacy question, write to admin@roamify.net.
By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.
1. Who this policy applies to
We provide travel-planning, booking, and on-trip services to three groups of users, and our handling of your data depends on which one you are:
- Travelers — people who plan, book, or take trips through Roamify (website + iOS Traveler app).
- Drivers, Guides and/or Tour Operators, and Driver+Guides — workforce members who deliver services to Travelers (Driver mobile app).
- Visitors — anyone who browses our website without an account.
Where a section applies only to one group, we say so.
2. Information we collect
2.1 Information you provide directly
| Type | Examples | When we collect it |
|---|---|---|
| Account & identity | Name, email, phone number, password (hashed by our auth provider), profile photo | When you sign up, sign in, or update your profile |
| Traveler trip data | Destinations, travel dates, party size, dietary needs, accessibility needs, preferences, free-text prompts you send to the AI Planner | When you build or save a trip |
| Workforce data | Government-issued ID, driving licence, vehicle registration, insurance documents, tour-guide licence (where applicable), tour-operator licence or business registration (where applicable), bank or mobile-money account for payouts, emergency contact | When you onboard as a Driver, Guide and/or Tour Operator, or Driver+Guide |
| Payment information | Card details and billing address — processed by PayPal; we receive only a transaction reference and the last 4 digits/brand | At checkout |
| Communications | Messages you send via contact forms, support chat, or email | Whenever you contact us |
| Reviews & feedback | Star ratings, written reviews, photos you upload | When you review a trip, driver, or experience |
2.2 Information we collect automatically
- Location data:
  - Traveler app: precise location while the app is in use, only after you grant permission, to power maps, nearby suggestions, and "I'm here" check-ins.
  - Driver app: precise location while you are on duty (clocked in to an active assignment), so we can route Travelers to you, dispatch jobs, and provide live-tracking to the assigned Traveler. We do not collect location when you are off duty.
- Device & technical data: device model, OS version, app version, language, time zone, crash logs, IP address.
- Usage data: pages and screens viewed, features used, search queries, AI Planner prompts and outcomes, referrer URL.
- Cookies & similar technologies: see Section 9.
2.3 Information from third parties
- Identity verification providers (e.g., for workforce KYC) where required by law.
- PayPal sends us payment confirmations, refunds, and dispute notices.
- Sign-in providers (Apple, Google, Facebook) — if you choose social sign-in, we receive the basic profile fields you authorise (typically name, email, profile photo, and the provider's user ID).
- Public sources (government licence registries) — to verify driver, guide and/or tour operator credentials.
2.4 Sensitive information
We try to avoid sensitive personal data. However, if you voluntarily share dietary, medical, accessibility, or religious preferences to help us tailor your trip, we treat them with extra care and use them only for trip personalisation.
3. How we use your information
We use your information to:
- Run the Services — create your account, plan and book trips, dispatch drivers, guides and/or tour operators, process payments, generate AI itineraries, deliver in-app chat and notifications.
- Verify workforce — confirm that drivers, guides and/or tour operators meet legal and Roamify-standard requirements (licences, insurance, vehicle roadworthiness).
- Process payments and pay out workforce — through PayPal and our payout partners.
- Improve the Services — analyse usage, debug crashes, A/B test features, train internal heuristics. We do not train external third-party AI models on your personal data (see Section 5.4).
- Communicate with you — confirmations, trip updates, safety alerts, support replies. With your consent, we also send marketing emails — you can unsubscribe in one click.
- Keep the Services safe — detect fraud, abuse, harassment, and policy violations; protect drivers and travelers; investigate incidents.
- Comply with law — tax records, anti-money-laundering checks, lawful requests from authorities, and legal claims.
3.1 Legal bases (for EEA / UK users)
We rely on the following legal bases under GDPR:
- Contract — to deliver the Service you signed up for.
- Legitimate interests — to improve, secure, and personalise the Services, where this does not override your rights.
- Consent — for marketing emails, push notifications, optional location tracking outside on-duty hours, and non-essential cookies. You can withdraw consent at any time.
- Legal obligation — for tax, accounting, KYC, and similar requirements.
4. The Roamify AI Planner
The AI Planner uses OpenAI's API to generate trip suggestions from your prompt.
- The prompt and trip parameters you submit (destinations, dates, preferences) are sent to OpenAI to generate the response.
- OpenAI processes the request under its own terms; per OpenAI's API data-usage policy at the date of this document, data sent via the API is not used to train its public models.
- We do not send your name, email, payment information, or location to OpenAI — only the prompt text and structured trip parameters you provided.
- If you do not want to use the AI Planner, you can use the manual planning tools instead.
5. How we share your information
We share information only as described below. We do not sell your personal data.
5.1 Between users to deliver a trip
When you book a service, we share with the assigned driver, guide and/or tour operator your name, profile photo, pickup and drop-off points, party size, and any relevant preferences (e.g., wheelchair access). Drivers, guides and/or tour operators see your live location only during an active assignment.
When a driver, guide and/or tour operator accepts your booking, we share with you their name, photo, vehicle details (where applicable), licence reference, rating, and live location while en route.
5.2 Service providers ("processors")
We use vetted vendors who process data on our behalf, under contract, only for the purposes we specify:
| Vendor | Purpose | Data shared | Location |
|---|---|---|---|
| Google (Firebase Auth, Firestore, Cloud Storage, Cloud Functions) | Authentication, database, file storage, serverless compute | Account data, app data, file uploads | EU / US / Asia |
| Google Maps Platform | Maps, geocoding, routing | Coordinates, search terms | Global |
| PayPal | Card and wallet payments worldwide | Card details, billing info | Global |
| Facebook Login (Meta Platforms) | Optional social sign-in | OAuth profile fields you authorise | Global |
| Google Sign-In | Optional social sign-in | OAuth profile fields you authorise | Global |
| Apple Sign-In | Optional social sign-in (iOS) | Apple-relay email and name (if shared) | Global |
| Meilisearch Cloud | Search across destinations and experiences | Indexed catalog data, search queries | EU |
| OpenAI | AI itinerary generation | Prompt text + structured trip parameters only | US |
| Apple Push Notification Service, Firebase Cloud Messaging | Push notifications | Device token + notification payload | Global |
| Resend | Transactional and marketing email | Email address, name | EU / US |
| Firebase Crashlytics | Crash diagnostics | Device metadata, stack traces | US |
| Firebase Phone Auth (if enabled) | One-time passcodes for sign-in | Phone number, verification code | US |
A current, full list is available on request at admin@roamify.net.
5.3 Legal and safety
We may disclose information to courts, regulators, or law enforcement when we believe in good faith that the disclosure is required by law, necessary to comply with a lawful request, or necessary to protect the rights, property, or safety of Roamify, our users, or the public.
5.4 Business transfers
If Roamify is involved in a merger, acquisition, financing, reorganisation, or asset sale, your information may be transferred as part of that transaction. We will notify you and give you choices before your data becomes subject to a different privacy policy.
6. International data transfers
Roamify is based in Sri Lanka. Many of our service providers operate globally. Your data may be processed in countries other than where you live, including the United States, the European Union, and elsewhere in Asia.
Where we transfer personal data out of the EEA, UK, or Sri Lanka, we use safeguards such as Standard Contractual Clauses and vendor commitments equivalent to the Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA) and GDPR Article 46.
7. How long we keep your information
We keep personal data only as long as we need it:
- Account data — for as long as your account is active. After deletion, we keep a minimal record (account ID, deletion timestamp) for 12 months to prevent re-registration abuse.
- Trip and booking data — 7 years from the trip date for tax, accounting, and dispute purposes (Sri Lanka tax retention).
- Payment records — 7 years (statutory). This includes the per-item line-item ledger we keep on each trip and the account-wide credit balance we keep on your user profile, so that top-up payments and account-credit movements (see Section 3.5 of the Terms) can be calculated and audited.
- Workforce KYC data — for the duration of the working relationship plus 5 years.
- Marketing preferences — until you unsubscribe, plus a suppression record so we don't accidentally re-add you.
- Crash logs and analytics — up to 90 days in identifiable form, then aggregated.
- Support communications — 3 years.
- AI Planner prompts — 90 days in identifiable form, then deleted or aggregated.
When we no longer need data, we delete or anonymise it.
8. Your rights
Subject to your jurisdiction, you have the following rights:
- Access — get a copy of your personal data.
- Correction — fix data that is wrong or incomplete.
- Deletion — ask us to delete your data (subject to legal retention).
- Restriction / objection — limit or object to certain processing, including direct marketing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — at any time, where we rely on consent.
- Complain — to your local data-protection authority.
For Sri Lanka users, the supervisory authority is the Data Protection Authority of Sri Lanka established under the PDPA. EEA users may complain to their national authority; UK users to the ICO; California users may exercise CCPA/CPRA rights including the right to opt out of "sales" or "sharing" — though we do not sell data.
To exercise any right, email admin@roamify.net from the email on file, or use the in-app "Delete my account" option. We respond within 30 days.
9. Cookies and similar technologies
Our website uses:
- Strictly necessary cookies — sign-in, session, security, load balancing. Always on.
- Functional cookies — language, currency, last viewed destination. On by default; you can disable them in your browser.
- Analytics cookies — Roamify currently runs without third-party analytics on the marketing site. If we add analytics (e.g., Google Analytics 4 or Plausible), we will update this policy and surface a consent prompt before the analytics tag loads.
- Marketing cookies — Roamify does not currently set marketing or retargeting cookies. If this changes, the consent banner will let you opt in or out before any are placed.
When non-essential cookies are present, we show a consent banner on your first visit. You can change your choices anytime at the "Cookie preferences" link in the footer.
Our mobile apps use platform identifiers (IDFA on iOS, AAID on Android) only with your permission, in line with Apple's App Tracking Transparency and Google Play guidelines.
10. Children
The Services are not intended for anyone under 16 years old. We do not knowingly collect data from children under 16. Parents who book travel for minors are responsible for the data they provide on the minor's behalf. If you believe we hold data about a child, email admin@roamify.net and we will delete it.
11. Security
We use industry-standard safeguards: TLS in transit, encryption at rest on Firestore and Cloud Storage, password hashing by Firebase Auth, principle-of-least-privilege access for staff, audit logs on admin actions, rate limiting and bot protection, and incident-response procedures.
No system is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authority as required by law, normally within 72 hours.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the latest version. For material changes, we will give you reasonable advance notice by email or in-app banner. Continued use of the Services after the effective date means you accept the updated policy.
13. Contact us
Roamify (Pvt) Limited
276, Remuna, Horana, 12400, Sri Lanka
Email: admin@roamify.net
Data Protection Officer: Roamify has not formally appointed a Data Protection Officer. Privacy enquiries are handled by the Roamify privacy team at admin@roamify.net.
To request deletion of your account and personal data, see our Data Deletion page.
This policy is provided in English. If translated, the English version prevails in case of conflict.