This page explains what data we collect, why, where it goes, how long we keep it, and what rights you have. It applies to roam-code.com and all paid Roam services (Roam Review, Roam Cloud, Roam Self-Hosted). It does not apply to the open-source CLI when run locally — that runs entirely on your machine and sends nothing to us.
1. Who we are
The data controller is Cranot (Dimitris), a sole trader operating from Athens, Greece.
Contact: [email protected]
Privacy + data-subject requests: [email protected]
Security disclosures: [email protected]
2. What runs locally vs. what touches our servers
The open-source CLI (roam-code on PyPI) runs entirely on your machine. It writes a SQLite file inside your repo's .roam/ directory. It does not phone home, send telemetry, or transmit any source code. No data crosses the network.
The paid services collect different things, listed below.
3. What this website (roam-code.com) collects
- No analytics, no cookies, no tracking pixels. We don't run Google Analytics, Plausible, PostHog, or any equivalent. The page sets no first-party cookies.
- Standard server logs via Cloudflare (IP address, User-Agent, requested path, timestamp, response code). Retained for 30 days for security + abuse-prevention purposes. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — operating a website securely.
- Email contents you send us at hello@ or security@. We retain these as long as the conversation is operationally relevant, then delete. Legal basis: contract performance or legitimate interest, depending on the message.
4. What Roam Cloud collects (paid SaaS)
- Metrics only. Health scores, complexity numbers, dependency counts, language breakdown, file-role counts, repo size. Never the source code itself.
- Account data. Email, name, organisation name, subscription tier. Provided by you at signup.
- Billing data. Handled by Stripe under their privacy policy. We see card-brand, last 4 digits, billing country — not the full card number.
Legal basis: performance of the contract you signed by subscribing.
5. What Roam Review collects (paid GitHub App)
- Pull-request diffs are processed in our cloud (or in your own infrastructure if you self-host). Diffs are held in memory for the duration of the analysis, then discarded.
- Repository metadata required to post comments back (repo name, PR number, commit SHA, author).
- GitHub installation token stored encrypted at rest, revocable by uninstalling the App.
Legal basis: performance of the contract. Roam Review does not retain source code after analysis. The audit-trail JSONL Roam emits contains metadata (verdict, finding count, confidence) — never the diff text.
6. Sub-processors
- Cloudflare (US/EU) — DNS, CDN, edge compute, server logs (see their privacy policy)
- Stripe (US/EU) — payment processing for paid tiers (see their privacy policy)
- GitHub (US) — for Roam Review only, the App auth + comment-posting layer (see their privacy policy)
- Hosting provider for Roam Cloud + Roam Review backend (Hetzner / DigitalOcean / similar EU-based provider; specifics in the DPA).
We will keep this list current. Material changes will be announced 30 days in advance to subscribers, allowing you to object.
7. International transfers
Some sub-processors are US-based (Cloudflare, Stripe, GitHub). Transfers happen under the EU Standard Contractual Clauses (2021/914) and/or the EU-US Data Privacy Framework. We do not transfer source code outside the EEA from the CLI (it stays local) or from Roam Cloud (metrics only).
8. Retention
- Server logs: 30 days
- Email correspondence: as long as operationally relevant, then deleted on a 12-month rolling basis
- Account data: until account deletion + 30 days for backup expiry
- Billing records: 7 years (Greek tax law requirement)
- Audit-trail records (Roam Review): 1 year by default; longer on Self-Hosted per your retention policy
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have data erased ("right to be forgotten")
- Restrict processing
- Receive your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent (for any processing based on consent)
- Lodge a complaint with your local data protection authority. In Greece, that's the Hellenic Data Protection Authority (www.dpa.gr).
To exercise any of these rights, email [email protected]. We respond within 30 days.
10. Automated decision-making
Roam analyses code and emits findings. None of those findings result in a legal or similarly significant decision about you as an individual. We do not engage in profiling or automated decision-making within the meaning of GDPR Art. 22.
11. Children
Roam is a developer tool not directed at children under 16. We do not knowingly collect data from children.
12. Changes to this policy
Material changes will be announced at least 30 days in advance to active subscribers. The effective date at the top of this page tracks the latest version.
Questions? [email protected].