Privacy Policy

Effective 2026-05-23 · Version 1.0

1. At a Glance: What We Collect and What We Don't

Before the details, here is a plain summary of our data practices:

• We collect (stored on our servers): SHA-256 hash of your Firebase UID, your chosen display name, your Roach Code (random, system-generated), your X25519 public key, your persona ID (one value from a fixed list), your account creation timestamp, and a deletion timestamp if you delete your account.
• We collect (on your device only, never sent to us): your X25519 private key (in Android Keystore), your daily streak counter, your language preference, and cached profile data.
• We do NOT store in our database: the plaintext of any message you send or receive, your location, your contacts, your phone number, your real name (unless you voluntarily type it as your display name), your email address, device advertising IDs, browsing history, or any biometric data. (Your email address is stored by Firebase Authentication, our third-party sign-in provider, as described in Section 7. We do not read or retain it ourselves.)
• We do NOT serve advertising and do not share your data with advertisers or data brokers.
• Crash diagnostics (via Firebase Crashlytics) include your device model, Android OS version, and stack traces. They do not include message contents or your display name.

2. Who We Are and Legal Bases for Processing

Roachy is operated by Sandeep Dhami, an independent developer based in India. We are not a registered company. Contact: sandeep84397@gmail.com.

We process your personal data on the following legal bases:

• India (Digital Personal Data Protection Act 2023 — DPDP Act): We rely primarily on your consent under Section 6 of the DPDP Act, given when you create an account and accept this Privacy Policy, as our lawful basis for processing your personal data. For operating your account — specifically publishing your public key so that other users can encrypt messages addressed to you — we also rely on Section 7(a) (legitimate uses necessary for the performance of any function under law or for the provision of any service or benefit you have requested). You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• European Union (GDPR): For EU residents, we process your data under Article 6(1)(b) (performance of a contract — the service cannot function without your Roach Code, public key, and display name), Article 6(1)(a) (consent — for optional features such as the persona quiz), and Article 6(1)(f) (legitimate interests — crash diagnostics necessary to maintain service stability, which does not outweigh your interests given the minimal data involved).
• Other jurisdictions: We rely on the equivalent consent or contractual necessity basis under your local law.

3. Data We Collect in Detail

Server-side data (stored in Cloudflare D1 database, operated by Cloudflare, Inc.):

• Hashed Firebase UID: We take the SHA-256 hash of your Firebase UID before storing it, so that our database does not contain the raw identifier. This is used to link your account across sessions without storing a direct identifier. We are working towards adding a server-side secret salt to this hash to further increase its resistance to reversal in the unlikely event of a database breach.
• Display name: A user-chosen string between 3 and 30 characters. You may use any name, including a pseudonym. If you include your real name, that is your choice — we do not require it.
• Roach Code: A random 6-character alphanumeric code assigned by the server at registration, using a Crockford-safe alphabet to avoid ambiguous characters. This is your public handle, visible to anyone who visits your public profile URL.
• X25519 public key (base64): The public half of your device-generated encryption keypair. Published to our servers so other users can encrypt messages addressed to you. Your private key never leaves your device.
• Persona ID: A single value from a fixed enumeration of persona archetypes, assigned after you complete the optional persona quiz. Raw quiz answers are never stored — only the resulting persona ID.
• Created-at timestamp: The date and time your account was created, stored in UTC.
• Soft-delete timestamp: If you request account deletion, a timestamp is recorded. Your data is then scheduled for permanent deletion in accordance with Section 8 of this policy.

On-device data (stored locally on your Android device, never transmitted to us):

• Private key: Your X25519 private key, stored exclusively in the Android Keystore. This key is hardware-backed on supported devices. It is never transmitted to our servers under any circumstances.
• Key backup (optional): If you opt in, your private key material may be backed up via Google Block Store to facilitate recovery on a new device. This backup is managed by Google and subject to Google's privacy policy. We do not receive a copy.
• Daily streak counter: A count of consecutive days you have opened the App, stored only on-device.
• Language preference: Your selected in-app language, stored only on-device.
• Cached profile data: Locally cached versions of your profile and persona data to allow offline display. This is derived from server data you have already provided.

Crash and diagnostic data (collected by Firebase Crashlytics on behalf of Google LLC, subject to Section 7):

• Device model and manufacturer
• Android OS version
• App version at time of crash
• Stack trace at time of crash
• Firebase installation ID (a pseudonymous identifier generated by the Firebase SDK, not your Firebase UID)

Crashlytics data contains no message contents, no display name, and no Roach Code.

Anti-abuse signal (via Google Play Integrity, one time at signup): At account creation, we request a Play Integrity attestation to verify that the App is running on a genuine Android device and has not been tampered with. The result is a pass/fail signal. We store an integrity_ok flag (1 or 0) in your account record. We do not store the raw attestation token.

4. Data We Do Not Collect

For the avoidance of doubt, we explicitly do not collect or have access to:

• The plaintext content of any 1:1 message. These are encrypted on your device with the recipient's public key before leaving the App. Our servers never see the plaintext and we cannot decrypt it.
• Your email address. Firebase Authentication stores your email as part of the authentication process; we never read it back from Firebase or store it in our own database.
• Your phone number.
• Your location (GPS, network-based, or inferred).
• Your contacts or address book. The App does not request the READ_CONTACTS permission.
• Your real name or photo, unless you voluntarily type your real name as your display name or include it in a broadcast message.
• Advertising IDs (Google Advertising ID or any equivalent). We do not use advertising SDKs.
• Browsing history or cross-app tracking data.
• Biometric data.
• Your private key. Ever.

5. How We Use Your Data

We use the data we collect for the following purposes and no others:

• Providing the service: Your hashed UID, display name, Roach Code, and public key are necessary to operate your account, allow others to find your public profile, and enable other users to encrypt messages to you.
• Displaying your persona: Your persona ID is displayed on your public profile card.
• Showing the cockroach count banner: The App displays the total number of registered users, refreshed from a cached aggregate count endpoint. This involves no individual user data.
• Crash diagnostics: Crashlytics data is used to identify, diagnose, and fix software bugs. It is not used for marketing or profiling.
• Anti-abuse at signup: The Play Integrity attestation is used once to reduce fake account creation. It is not used for ongoing monitoring.
• Account deletion: The soft-delete timestamp allows us to process deletion requests and verify completion.

We do not use your data for advertising, profiling, selling to third parties, or training machine learning models.

6. End-to-End Encryption: How It Works

Roachy implements end-to-end encryption (E2E) for 1:1 messages. Here is what that means in plain English:

• When you register, your device generates a pair of cryptographic keys: a public key and a private key. This uses the X25519 elliptic-curve algorithm.
• Your public key is uploaded to our server and is visible to anyone who knows your Roach Code. Think of it as a padlock that anyone can lock — only you can open it.
• Your private key never leaves your device. It is stored in the Android Keystore, which uses hardware-backed security on supported devices to prevent extraction even if the device is rooted.
• When someone sends you a 1:1 message, their App fetches your public key, performs an X25519 Diffie-Hellman key exchange to derive a shared secret, and encrypts the message content with AES-GCM (authenticated encryption). The resulting encrypted blob — packaged as an audio file (MP3 polyglot) or text string — is sent to you through your shared external channel (WhatsApp, Telegram, SMS, etc.). Our servers never see this message.
• When you receive a message, your device uses your private key to derive the same shared secret and decrypt the content locally.

Important limitation — Broadcast Mode: When you use the "Send to everyone" toggle (Broadcast Mode), the message is encrypted with a keypair whose private key is embedded in the App itself. This means anyone with the App can decrypt broadcast messages. Broadcast messages are effectively public. Do not send anything confidential in Broadcast Mode. See Section 6 of the Terms of Service for a full explanation.

7. Third-Party Processors

We rely on the following third-party service providers to operate Roachy. Each processes data under a data processing agreement or equivalent commitment. We have selected providers whose services are necessary to operate the App and have not integrated any advertising, analytics, or social media SDKs beyond those listed below.

• Firebase Authentication — Google LLC. Role: User sign-in via Google OAuth or email/password. Stores your email address and issues Firebase UIDs on Google's infrastructure. Privacy policy: https://policies.google.com/privacy
• Firebase Crashlytics — Google LLC. Role: Collects crash reports (device model, OS version, stack trace, Firebase installation ID). Does not receive message contents or your display name. Privacy policy: https://policies.google.com/privacy
• Google Play Integrity API — Google LLC. Role: One-time attestation at account signup to verify the App is running on a genuine, unmodified Android device. Result stored as a binary flag only. Privacy policy: https://policies.google.com/privacy
• Google Block Store — Google LLC. Role: Optional encrypted backup of your private key material to facilitate recovery on a new device. Only activated if you choose to enable it. We do not receive a copy of the backed-up key. Privacy policy: https://policies.google.com/privacy
• Cloudflare Workers + D1 + Cache — Cloudflare, Inc. Role: Hosts the Roachy API, stores the server-side data described in Section 3, and delivers public profile pages. Cloudflare may log request metadata (IP address, timestamp, HTTP method) for infrastructure security purposes in accordance with its own policies. Privacy policy: https://www.cloudflare.com/privacypolicy/

We do not use any other SDKs, analytics platforms, or advertising networks.

8. Data Retention and Deletion

How to delete your account

You can delete your Roachy account and all associated server-side data in two ways:

1. From the App (recommended): Open Roachy → tap Settings (gear icon, top-right of Home) → scroll to Delete account → confirm. The deletion is initiated immediately on confirmation; no further action is required from you. The App also wipes the on-device data described below.
2. If you cannot access the App (lost device, uninstalled, locked out of your Google account, etc.): Send an email to sandeep84397@gmail.com with the subject line "Delete Roachy account". Include, if you still have access to it, your Roach Code (six characters, shown on Your Card screen) and the email address used for sign-in. We will verify ownership and process the deletion within 7 business days of receiving a verifiable request.

What happens when you delete your account

Immediate (soft-delete): A deletion timestamp is recorded on your account row. Your public profile at roachcard.in/u/<your-code> becomes unreachable. Your Roach Code is no longer resolvable by other users. Cipher messages already sent to or from your code remain encrypted on recipients' devices; we cannot recall them because we never saw the plaintext.

Within 30 days (hard-delete): A daily background job permanently erases the row from our production D1 database. After this point we have no record of your account ever having existed, except for incidental references in Cloudflare's standard infrastructure logs (which Cloudflare retains for up to 30 days under its own policy).

On-device data: If you delete via the App, the private key, streak counter, contacts list, language preference, and all cached data are wiped from the device immediately as part of the deletion flow. If you delete via email (because you cannot access the App), on-device data persists on the device until you uninstall the App.

Detailed retention windows

Active accounts: Server-side data (hashed UID, display name, Roach Code, public key, persona ID, creation timestamp) is retained for as long as your account is active.

Soft-deleted accounts: Retained for up to 30 days from the deletion request, then permanently erased as described above.

Crash reports: Crashlytics retains crash report data in accordance with Google's data retention policies, which are typically 90 days. We do not have independent control over Crashlytics retention periods.

API cache: Aggregate count and public profile endpoints are cached at the Cloudflare edge. Cache TTL for count data is 1 hour. Profile cache TTL is set by our Cache-Control headers and evicts naturally; deleted account profiles are evicted within the cache TTL after deletion is processed.

9. Your Rights

Depending on where you are located, you have the following rights regarding your personal data. To exercise any of these rights, contact us at sandeep84397@gmail.com.

Under the Digital Personal Data Protection Act 2023 (India — applies to all users):

• Right to access: You may request a summary of the personal data we hold about you.
• Right to correction: You may correct inaccurate data directly within the App (by updating your display name) or by contacting us.
• Right to erasure (Right to be Forgotten): You may request deletion of your account and all associated personal data via the in-app deletion flow. We will process it within 30 days.
• Right to grievance redressal: You may raise a grievance with our Grievance Officer (see Section 14). We will acknowledge your grievance within 48 hours and respond substantively within 30 days.
• Right to nominate: Under the DPDP Act, you have the right to nominate another individual to exercise your rights on your behalf in the event of your death or incapacity. To register a nomination, contact us at the address below.
• Right to withdraw consent: You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.

Under the General Data Protection Regulation (EU/EEA residents):

• Right of access (Article 15): Obtain a copy of the personal data we process about you.
• Right to rectification (Article 16): Correct inaccurate or incomplete data.
• Right to erasure (Article 17): Request deletion subject to applicable grounds.
• Right to restriction (Article 18): Request that we limit processing in certain circumstances.
• Right to data portability (Article 20): Receive your data in a structured, machine-readable format. We will provide a JSON export of the server-side data listed in Section 3 upon request.
• Right to object (Article 21): Object to processing based on legitimate interests.
• Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (the data protection authority in your EU member state).

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

10. Children's Privacy

Roachy is not directed at children under the age of 13, or under 16 for residents of the European Union. We do not knowingly collect personal data from children below these ages.

We do not employ age verification technology beyond the self-declaration made at account creation. If you believe a child below the applicable age has created an account, please contact us at sandeep84397@gmail.com and we will promptly delete the account and associated data.

We do not engage in targeted advertising or profiling of any users, including minors.

11. International Data Transfers

Roachy is operated by a developer based in India. Our infrastructure involves processors in multiple jurisdictions:

• Cloudflare operates a globally distributed network. Your data may be processed at Cloudflare edge locations worldwide, including in the United States and the European Union, depending on your geographic location and network routing. Cloudflare maintains the transfer mechanisms required under Chapter V of the GDPR (including Standard Contractual Clauses) and any applicable adequacy or certification frameworks then in force.
• Google LLC (Firebase Authentication, Crashlytics, Play Integrity, Block Store) operates globally. Google maintains the transfer mechanisms required under Chapter V of the GDPR (including Standard Contractual Clauses) and any applicable adequacy or certification frameworks then in force.

By creating an account and using the App, you acknowledge and consent to your data being processed in jurisdictions outside your country of residence, including India, the United States, and other countries where Cloudflare and Google operate infrastructure.

Restrictions under Indian law: Section 16 of the Digital Personal Data Protection Act, 2023 permits the Central Government to restrict transfers of personal data to specified jurisdictions by notification. We will comply with any such restriction once notified, and will update this Policy and the App accordingly.

12. Security Measures

We implement the following technical measures to protect your data:

• End-to-end encryption for 1:1 messages: X25519 ECDH key agreement + AES-GCM authenticated encryption. We cannot read your messages.
• Android Keystore: Your private key is stored in hardware-backed secure storage where available, protecting it from extraction even if the device OS is compromised.
• Hashed identifiers: We store only the SHA-256 hash of your Firebase UID, not the UID itself, reducing the value of our database to any attacker.
• HTTPS / TLS everywhere: All communication between the App and our API uses TLS. Cloudflare enforces HTTPS at its edge.
• No message content storage: Messages are never transmitted to or stored on our servers. The attack surface for message content is limited to the two endpoint devices.
• Rate limiting: Our API applies rate limiting to registration and authentication endpoints to limit brute-force and enumeration attacks.
• Play Integrity check: Account creation is gated by a Play Integrity attestation to reduce automated fake-account creation.

No security measure is perfect. We cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and applicable regulators in accordance with legal requirements.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes — changes that affect how we collect, use, or share your personal data — we will notify you via an in-app notification before the changes take effect. The updated policy will include a revised effective date and version number at the top of the document.

Your continued use of Roachy after the effective date of an updated Privacy Policy constitutes your acknowledgment of and, where consent is the legal basis, your consent to the updated terms. If you do not accept the changes, you must stop using the App and delete your account.

Minor changes (such as corrections to grammar or updated links to third-party privacy policies) may be made without notice.

Language availability: This Policy is currently available in English. We are working to publish official translations in Hindi and Hinglish to match the in-app language options. Where a translation is provided, the English version remains authoritative in case of conflict, except where the law of your jurisdiction requires otherwise.

14. Contact and Grievance Officer

For any privacy-related queries, rights requests, or complaints — including grievances under the Digital Personal Data Protection Act 2023 — please contact:

Grievance Officer / Data Controller
Sandeep Dhami
Email: sandeep84397@gmail.com
App: Roachy (Android)

We will acknowledge grievances within 48 hours of receipt and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate to the applicable data protection authority in your jurisdiction.

For EU residents: if you believe we have not adequately addressed your concern, you may contact the supervisory authority in your EU member state of residence.