Before you say yes
Roma is built for kids ages 6 to 13. Before we collect anything from your kid, US federal law (COPPA) and our own ethics require us to tell you exactly what’s about to happen, and ask you to sign off on it. Here it is, in one page.
1. How we got your email
You gave us your email so we could send you this notice and capture your consent. We use that email only to (a) ask for and record your consent here, (b) deliver the morning brief about your kid, and (c) send safety escalations if Roma detects something serious. We do not sell, rent, or share your email. You can unsubscribe from non-safety email at any time on the parent dashboard.
2. What Roma will collect from your kid
From the kid directly:
- First name and age (you provide these; the kid can edit their own name later).
- Companion choice (a shape, color, and name the kid picks for the AI character).
- PIN (a 6-digit code for kids under 10, or a short password for older kids — bcrypt-hashed at rest).
- Chat messages (everything the kid types or says to the companion, plus the companion’s replies).
- Memory chunks (short summaries Roma generates from chat — “asked about volcanoes Tuesday” — used so the companion can remember across sessions).
- Safety classifications (one of nine red-flag categories, or null, scored 0-1 by a separate AI model on every message).
- Streak count and last-chat date (continuity signals; not behavioural-ad data).
We do not collect: photos, voice recordings, location data, contacts, health/medical data, or any data of any kind from outside the Roma app.
3. How we use it
- Run the companion — the chat messages and memory go to Anthropic’s Claude API to generate the next reply.
- Make the morning brief — your kid’s recent chats are summarized into a short paragraph delivered to your email each morning.
- Detect safety concerns — every kid message is screened by a separate AI model before the companion sees it. If the model flags it, you get notified.
- Improve Roma — we look at aggregate, de-identified metrics (e.g. cache hit rate, latency, error rate). We do not train any model on your kid’s messages.
We do not use your kid’s data for ads, marketing, or behavioural profiling. Ever.
3a. Why your kid’s messages go to Anthropic
COPPA gives you the right to consent to Roma’s collection of your kid’s data without consenting to its disclosure to third parties. We have to be honest with you about one limit: Roma’s companion is powered by Anthropic’s Claude. Sending your kid’s message to Claude is what produces the reply — it is the core function of the service, not an optional feature.
Anthropic acts as our service provider (a "support for internal operations" role under COPPA), not as an independent recipient of your kid’s data. Anthropic is contractually prohibited from using your kid’s messages to train its models and from retaining them beyond the inference call’s processing window. We never authorise Anthropic to use the data for any other purpose.
If you do not want your kid’s messages processed by Anthropic, Roma cannot function for your family. Please do not complete the consent step. Every other vendor in §4 below has a narrower role and is more clearly “support for internal operations” in the COPPA sense.
4. Who else sees the data
Roma is built on a small set of vendors, each one a written sub-processor under our data agreement:
- Anthropic (US) — runs the chat companion AI and the safety classifier. Messages flow through their API to generate replies. TODO(lawyer): confirm Anthropic’s data agreement satisfies 312.8 sub-processor requirements; attach DPA reference.
- Google (Gemini API) (US) — turns memory chunks into vectors so the companion can recall what was said weeks ago.
- Supabase (EU, our region) — stores all data (messages, memory, accounts, billing pointers) at rest.
- Netlify (US) — hosts the Roma application.
- Resend (US) — delivers email (briefs, safety escalations, transactional).
- Stripe (US) — processes payments. Stripe stores payment-method data (card number, etc.) on its own systems; Roma stores only Stripe customer/subscription IDs.
We do not sell your kid’s data. We do not share it with advertisers. We do not share it with anyone other than the vendors above, except where required by law (e.g. valid subpoena).
5. Your rights as the parent
At any time, from Parent dashboard → Account → Your data, you can:
- Review — download a JSON export of every piece of data Roma holds about your kid.
- Refuse further collection — keep your account active but pause Roma collecting any new data. The companion stays available to your kid based on what’s already there; new messages aren’t stored.
- Delete (default: 30-day restore window) — archive your kid’s account, then permanent delete after 30 days. You can restore during the grace window.
- Delete immediately (no grace period) — email privacy@roma.obbz.io with the subject line “Immediate deletion” and we will process within 24 hours, skipping the 30-day grace window. After permanent delete, the data is gone from production; backups age out within 30 days; vendors are sent deletion requests in parallel where the vendor supports it.
6. How to give (or refuse) consent
On the consent step you’ll be asked to: (a) review the Privacy Policy and Terms, (b) sign the Parental Consent Agreement, and (c) verify you’re an adult by holding a $0 charge on a credit card you control. The card is not charged. The hold is released within seconds. This method is recognised by the FTC as Verifiable Parental Consent.
If you don’t want to give consent, close the tab. We won’t collect anything from your kid, and we’ll delete your email from our records within 14 days unless you’ve asked us to keep you posted on Roma’s availability.
7. Who to contact
Privacy questions, deletion requests, or anything that feels off: privacy@roma.obbz.io. Roma is operated by Obbz International FZ LLC, a free-zone company established in the United Arab Emirates.
This document is version 2026-05-25.1. We will tell you when it changes and ask for fresh consent if the changes are material.