Privacy Policy
Roma is a kids' AI companion with a parent intelligence layer. This policy explains what we collect about your family, why, who it goes to, and how to take it back. For the short COPPA-required notice see COPPA Direct Notice; for the consent you sign at sign-up see Parental Consent Agreement. We wrote it plainly. Where the law makes us use a term of art, we'll say what it means in a line.
The short version
If you only read one section, read this one.
What we collect. Your email (parent). Your child's first name and age (you give us these; we do not ask for more). Your child's typed messages to their Roma companion. Automatic metadata like device type and session times. Stripe holds your card details — we do not. We never record audio; kid voice input is transcribed on the device and only the text comes to us.
How we use it. To let your child chat with their companion, to keep that chat safe (every message is pre-checked by a safety model before the reply is generated), to remember your child between sessions, to write your morning brief, and to bill you. That's it. We do not sell data. We do not run behavioral advertising to children. Ever.
Who sees it. Inside Roma, only you see your family's data. Outside Roma, your child's messages pass through Anthropic (Claude, for the reply), a Google model (for memory embeddings), and Supabase (our database). Each is bound by a data processing agreement. No third party uses your child's data to train their models — we send the messages with training opted out where the provider supports it, and we record your family's region so we keep data in the right place.
Your rights. You can read, export, correct, or delete any of your family's data from the parent dashboard. Deletes complete within 30 days. Safety events are kept for 7 years because the law requires us to (explained below). Questions go to privacy@roma.obbz.io.
1. Who we are
Roma is operated by Obbz International FZ LLC, a free-zone company established in the United Arab Emirates (the "Company", "we", "us", "our"). When this policy says you, we mean the parent or legal guardian who signed up. When it says your child, we mean the child you added to the family account.
Contact for privacy questions: privacy@roma.obbz.io. Contact for a formal data-subject request: same address, subject line "DSAR". If you are in the EU or UK and prefer to write to a Data Protection Officer, use dpo@roma.obbz.io.
2. What we collect
We only collect what the product needs to work. Here's the full list, by category.
From you (the parent)
- Account: email address, hashed password (or OAuth identifier if you use Sign in with Apple/Google), role on the family account.
- Billing: Stripe customer ID, subscription tier, billing cycle, and invoice history. Card numbers are held by Stripe under PCI-DSS; we never see or store them. We store the last four digits for display only.
- Compass configuration: the three values you ranked at onboarding, your privacy mode, notification preferences, and screen-time caps.
From your child
- Profile you created: first name, age, up to three interests, companion name, companion color.
- Credentials: a 6-digit PIN (ages 6–9) or password (10+), hashed before storage. Optional biometric unlock lives on the device — we never see it.
- Messages: the text of every message typed or spoken (see the next bullet) to the companion, together with a timestamp, a session ID, and a safety classification score (0–3).
- Voice — text only. If your child uses voice input, transcription happens on the device using the browser's Web Speech API. We never receive or store audio. Only the final text arrives at our servers, same as if the child had typed.
- Memory chunks: after each exchange, short text summaries (~100 tokens) of memory-worthy points are embedded (converted into mathematical vectors using Google's Gemini embedding-001 model) and stored, so the companion can recall context next session.
- Safety classification: for every message, the score returned by our safety model (Claude Haiku 4.5), plus the category flagged if any.
Automatically
- Session metadata: start time, end time, device type (e.g. "iPad, iOS 17, Safari"), browser user-agent, whether the session was a guest session, and whether it was disputed by a parent afterwards.
- Parent device cookie: a server-set HMAC-signed cookie scoped to the parent's own browser, used to keep you signed in across visits to the parent dashboard. This cookie applies to the parent surface only. We do not track typing cadence, vocabulary style, or any passive identity signals on the kid surface — see our COPPA Notice for why this is a deliberate design choice.
3. How we use it
We process each piece of data for a specific purpose. Here is the one-to-one map.
| Data | Purpose | Legal basis (GDPR Art. 6 / 8) |
|---|---|---|
| Account + billing | Run your subscription, send receipts. | Art. 6(1)(b) — contract |
| Child profile (name, age, interests) | Personalize the companion and tune age-appropriate tone. | Art. 8 — parental authorization of child's consent |
| Child messages | Generate the companion's reply (Claude Sonnet 4.6). | Art. 8 — parental authorization of child's consent |
| Child messages (pre-check) | Safety classification on every message (Claude Haiku 4.5). Tier 3 suppresses the reply and triggers parent escalation. This check cannot be disabled. | Art. 6(1)(f) — legitimate interest (child safety), plus child-protection obligations |
| Memory chunk embeddings | Retrieve relevant past exchanges so the companion remembers your child. | Art. 8 — parental authorization of child's consent |
| Messages + compass config | Compose the morning brief and monthly compass drift report. | Art. 8 — parental authorization of child's consent |
| Parent email | Deliver briefs and safety alerts (email is the sole notification channel in V1). | Art. 6(1)(b) — contract, plus legitimate interest (child safety) |
| Session metadata | Shared-device safety (auto-logout, guest mode audit trail). | Art. 6(1)(f) — legitimate interest (child safety) |
What we never do with your child's data: sell it, rent it, share it with advertisers, use it for behavioral advertising to your child, use it to train third-party foundation models, or feed it into any research or marketing pipeline outside the ones listed above.
4. Third parties who process data for us
Roma is a small team standing on a stack of specialist providers. We hold a data processing agreement (DPA) with each. None are permitted to use your family's data for their own purposes.
| Processor | What flows there | Purpose | Region |
|---|---|---|---|
| Anthropic DPA | Child messages, compass, portrait summary | Generate reply (Sonnet 4.6) + safety pre-check (Haiku 4.5) | EU / US |
| Google (Gemini API) DPA | Memory chunk text (short, ~100 tokens) | Produce embedding vectors (embedding-001) | EU (Frankfurt) |
| Supabase DPA | All primary data (Postgres + pgvector) | Database, auth, storage | EU (Ireland, eu-west-1) · GCC-resident available on request for UAE/KSA |
| Netlify DPA | Request routing (request body in transit only) | App hosting + edge routing | Global edge; primary region EU |
| Stripe DPA | Parent name, email, card data | Payment processing; parental consent verification (V1/V2) | Stripe's regional processing |
| Resend DPA | Parent email, brief content, safety-escalation email | Transactional email (briefs, receipts, Tier 3 escalations — sole notification channel in V1) | EU |
| Trigger.dev DPA | Job metadata (not message bodies) | Schedule nightly dossier, morning brief, weekly scroll | EU |
Future processors we are evaluating. We are evaluating an SMS provider (Twilio) and a WhatsApp delivery path (Meta WhatsApp Cloud API) as additional safety-escalation channels for a future release, and a crash-monitoring provider (Sentry) for internal diagnostics. None of these are wired into the live product today; we will update this Policy and ask for fresh consent before any of them sees your family's data.
Where a provider stores data in the United States, that transfer is covered by the EU–US Data Privacy Framework and, where not applicable, Standard Contractual Clauses plus our own supplementary measures (encryption in transit, encryption at rest, service-role key isolation).
5. Children under 13 — COPPA
Roma is directed to children ages 6–13. We do not permit a child to create an account on their own — every child profile is created by a parent inside a paid family account. Before a child begins, we obtain verifiable parental consent using a credit card you control:
We use Stripe's $0 card authorization to verify you control a credit card in your name. No charge is made to your card — Stripe holds the card on file for approximately ten seconds, then releases it. We record only the Stripe customer ID, payment method ID, and SetupIntent ID as evidence of the verification; we never see or store the card number. This method is permitted by the FTC's Verifiable Parental Consent rule as a card-transaction method (16 CFR § 312.5(b)(2)(ii)), and the FTC's 2025 COPPA Rule amendment specifically acknowledged $0 card authorization as compliant when the operator records the transaction ID.
You can, at any time:
- review exactly what we've collected about your child (Parent dashboard → Kid dossier);
- delete any or all of it (Parent dashboard → Settings → Delete data — including an option to delete immediately without the 30-day restore window);
- refuse any further collection (disable the child profile or cancel the subscription);
- ask us to correct anything inaccurate (email privacy@roma.obbz.io).
We do not condition your child's use of Roma on collecting more data than the product needs. We do not show behavioral advertising to your child. We do not use your child's data to target them for marketing — ours or anyone else's.
6. Children in the EU / UK — GDPR-K
The consent mechanism for EU/UK families is the same Stripe $0 card authorization described in §5. We treat your child's data as a special category deserving extra protection.
Under the GDPR you additionally have the right to:
- access your and your child's personal data in a readable form;
- rectify inaccurate data;
- erase data ("right to be forgotten"), subject to legal retention;
- restrict or object to processing;
- receive your data in a portable format (we export as JSON + PDF);
- lodge a complaint with your national supervisory authority. A directory is maintained by the European Data Protection Board. In the UK, complaints go to the ICO.
7. AI labeling, break prompts, non-manipulation
Several proposed US laws — including the KIDS Act and the SAFEBOTs Act — would set higher standards for AI products directed at children. None of these are federal law yet, but Roma is designed to meet those proposed standards already:
- AI label disclosure: the companion introduces itself as an AI in onboarding, and at any point if your child asks "are you real?" it answers truthfully.
- Break prompts: after extended sessions the companion suggests a break. Session duration is bounded by parent-configurable screen-time caps.
- No manipulative engagement: we do not use streak-loss framing, artificial scarcity, social pressure ("others are playing now"), or loot-box style rewards. Gamification is "growth", not "grinding".
- No behavioral advertising to children. Ever.
8. Morning briefs and verbatim quotes
One of Roma's core features is a morning brief — a short, daily summary of your child's conversations, designed to help you parent better, not spy harder. There are four privacy modes for how much you see:
- Full transparency: your child sees a "what my parent sees" toggle in their app.
- Insight-only (default): you see summaries and one verbatim quote per brief. At companion onboarding, every child is told in age-appropriate language: "Your grown-up sees a short summary of how you're feeling each morning, so they can be there for you." Kids 10+ can ask for the longer explanation from inside their app.
- Flag-only: you see only safety escalations.
- Full access: you see all transcripts, and your child is told this at onboarding.
In all modes, Tier 3 safety events escalate to you regardless of setting: an immediate email is sent. This cannot be turned off — it is the line we will not cross. (Additional safety-escalation channels — SMS and WhatsApp — are scheduled for a future release and not active today.)
9. How long we keep data
| Data | Retention | Why |
|---|---|---|
| Child messages | 24 months default; you can delete earlier | Long-term memory and compass drift reports need historical context |
| Memory chunks / embeddings | Same TTL as the source message | Cannot outlive the message they summarize |
| Safety events | 7 years | Legal / auditable retention (US and EU norms) |
| Billing records | 7 years | Tax and accounting requirements |
| Session metadata | 13 months | Shared-device audit, dispute resolution |
| Account records after you cancel | 30 days, then purged (or immediately on request) | Lets you change your mind and reactivate within the restore window |
You can shorten any retention window, but never lengthen it, from Parent dashboard → Settings → Data. Deletes complete within 30 days across every system in the processor table, including backups, which are rotated on a 30-day cycle.
10. Where your data lives
By default, Roma stores data in the European Union (Ireland, AWS eu-west-1) on Supabase. For customers in the UAE, KSA, and other GCC countries who request it, Roma can provision a GCC-resident deployment — a separate Supabase instance hosted in-region. In both cases the rest of the processor list applies, with regional routing where the provider offers it.
International transfers, where unavoidable (for example a Claude call routed via a US Anthropic endpoint), are covered by Standard Contractual Clauses and the EU–US Data Privacy Framework.
11. How we protect the data
- Encryption at rest (AES-256) on Postgres and pgvector.
- Encryption in transit (TLS 1.2+) on every request.
- Row-level security on every database table — parents see their family only; children see only their own messages.
- Service-role isolation — the master key that can bypass row-level security never leaves our server environment and is never shipped in the client bundle.
- Passwords hashed with bcrypt (cost 12); PINs similarly.
- Third-party security audit (SOC 2 Type 1 readiness) scheduled before V2 open enrolment; periodic penetration testing thereafter.
- Incident response: if a breach affects your family we will notify you within 72 hours of confirmation, and notify the relevant supervisory authority as required.
11a. Automated decisions about your child
Every kid message is reviewed by a separate AI safety classifier (Anthropic Haiku 4.5) before the companion replies. The classifier assigns one of four tiers: Tier 0 (benign), Tier 1 (soft signal — surfaces in your morning brief), Tier 2 (flag — same-day email), Tier 3 (escalate — immediate email and the companion's reply is suppressed). This is the only automated decision in Roma.
You can review every classification on the parent dashboard at Safety → Recent events, and dispute one by emailing privacy@roma.obbz.io. We record disputes, use them to improve the classifier, and never penalise a child for a classification that was later disputed.
12. Your rights and how to use them
Regardless of where you live, every parent on Roma can:
- See — open the Parent dashboard → Kid dossier for everything collected about your child.
- Export — Account → Your data → Download JSON. You get the full per-kid dossier as a single file, immediately.
- Correct — edit the child profile or compass directly; for anything else email privacy@roma.obbz.io.
- Delete — Account → Your data → Delete. By default we keep your child's data for a 30-day restore window before permanent deletion so you can change your mind. If you want immediate, irrecoverable deletion with no grace period, email privacy@roma.obbz.io with subject line "Immediate deletion" and we will process within 24 hours.
- Object to any processing that relies on our legitimate interest rather than your consent.
13. Changes to this policy
Every version of this policy is numbered and dated. When we make a material change — a new category of data, a new processor, a change in retention — we email every active parent account at least 30 days before it takes effect, and we post the previous version for one year at /legal/privacy/archive. Non-material edits (typos, clarifying plain-English tweaks) bump the date only.
14. Contact us
General privacy: privacy@roma.obbz.io
Data Protection Officer (EU/UK): dpo@roma.obbz.io
Operating entity: Obbz International FZ LLC, a free-zone company established in the United Arab Emirates. Registered office: [free-zone registered address — to be inserted].
You also have the right to complain to a supervisory authority. In the EU, see the EDPB directory. In the UK, the ICO. In the UAE, the UAE Data Office. In Saudi Arabia, SDAIA.