Roomie العربية Get the app
← Back to Roomie

Privacy Policy

Last updated June 18, 2026

Roomie (“Roomie”, “we”, “us”) is operated by Company ERM AL-HADITH For Information Technology (One Partner), based in Riyadh, Saudi Arabia. This policy explains what information we collect when you use the Roomie app, how we use it, the legal bases we rely on, and the choices you have.

By using Roomie, you agree to this policy as part of our Terms of Service. Where we rely on your consent — for example, for your location, which you can turn off at any time — we ask for it separately, as explained in Our legal bases below.

Roomie is intended only for people aged 18 and over.

Information we collect

Account information. When you create an account, we collect your name and email address, and we assign you a user ID.

Date of birth. We collect and retain your full date of birth (and a derived age) when you register, to confirm that you meet our minimum age requirement of 18. Roomie is for adults only; under-18 registration is denied, and your date of birth is locked after you sign up.

Profile information. To match you with compatible roommates, we collect the details you add to your profile — your photo, your gender and the gender preference you set for roommates, the lifestyle preferences you choose to share (for example sleep schedule and tidiness), and any free-text bio you write. Roomie does not ask for sensitive details such as religion, health, ethnicity, or marital status. Please don’t include sensitive personal information in free-text fields like your bio; the profile details you choose to share are visible to other members.

Identity verification. Identity verification through our partner Didit is optional and offered after signup, in your settings, so you can earn a verified badge. It is not required to use Roomie, and it is not an age check (we confirm your age at signup from your date of birth). Verification uses Didit’s SDK to check an identity document, confirm liveness, and match your face to the document. Didit acts as our processor and carries out the biometric and liveness checks; Roomie does not store that biometric data — we keep only the verification result and status (the decision and a session reference), and Didit does not use this data to train its models on our users’ data (we have opted out). Before any data is sent to Didit, we ask for your explicit consent through a dedicated step; if you do not consent, verification does not proceed, and declining does not affect your use of Roomie. We keep a record of your consent, including when you gave it and the version of this Privacy Policy in force at the time. A verified badge confirms a member completed this process — it is not a guarantee of any member’s identity, character, intentions, or conduct. This processing may involve transfer outside the Kingdom (Didit’s Middle East contracting entity is based in the United States; see the International data transfers section). Location. With your permission, we collect your approximate (coarse) location only — never your precise location, and never in the background — to show you relevant matches and listings near you. Roomie stays fully usable if you choose not to share location. You can change this in your device settings at any time. During onboarding, your approximate coordinates may be sent to Google’s geocoding service (a third-party processor) to turn them into a city name.

Communications. We process the messages you send through the app, including any photos or files you share in a chat, so that the service works and to support safety and moderation.

Technical information. We collect device identifiers, app-interaction data, and crash logs to keep the app running, diagnose problems, and improve it.

Contact form. When you submit our contact form, we collect the name, email address, and message you provide, solely to respond to your enquiry. Your message is delivered by email to our support inbox and is processed by our hosting provider on our behalf; it is retained only as long as needed to handle your request, in line with our retention practices, and is never used for marketing. Like the rest of our service, this may involve processing outside the Kingdom (see the International data transfers section). We do not collect payment information. Roomie is currently free to join and use.

We only use your personal information when we have a lawful basis to do so. Under Saudi Arabia’s Personal Data Protection Law (PDPL) and, for users in the European Union, the GDPR, we rely on the following bases:

  • To provide the service — creating and managing your account, matching you with compatible roommates, and enabling in-app messaging. This is necessary to perform our agreement with you (our Terms of Service).
  • Our legitimate interests — keeping Roomie safe and trustworthy, reviewing reports, preventing fraud and abuse, and operating, maintaining, and improving the app. We rely on these interests in a way that respects your rights.
  • Your consent — for collecting your location and for optional identity verification. You can turn location off at any time in your device settings. Identity verification only takes place if you opt in through a dedicated consent step beforehand; if you do not consent, it does not proceed.
  • Legal obligation — where we must process information to comply with laws that apply to us.

How we use your information

We use your information to:

  • create and manage your account;
  • match you with compatible roommates and show relevant listings;
  • verify identities and support trust and safety, including reviewing reports and preventing abuse;
  • enable in-app messaging;
  • operate, maintain, and improve the app; and
  • comply with legal obligations.

How matching works

Roomie suggests potential roommates using automated processing of the lifestyle preferences and profile details you provide (for example sleep schedule and tidiness). You control these inputs and can change or remove them at any time in your profile. Matching produces suggestions to help you decide — it does not make binding decisions about you, and you always choose who to view, contact, or connect with.

Reviews and reputation

When you connect with another member, you can leave and receive reviews. A review includes category ratings, a “would live again” indicator, and a short comment, and is attributed to you — it shows your name. Reviews build members’ reputation on Roomie and appear on profiles once they are revealed (we hold reviews under a double-blind process and show them only when both have been submitted or a set time has passed). Reviews are visible to other members — they are information you choose to share publicly within Roomie. Reviews can be reported, and we remove those that break our rules.

How we share your information

We do not sell your personal information. We share it only in these situations:

With other users. The profile information you choose to display is visible to other members so they can decide whether you might be a good match.

With service providers. We use trusted providers to run Roomie — including Google Firebase for hosting and backend infrastructure, and Didit for identity verification. They process data on our behalf, under our instructions, and under agreements that require them to protect it.

For legal and safety reasons. We may disclose information where required by law, to enforce our Terms, or to protect the rights, safety, and security of our users, the public, or Roomie.

Sharing contact details

Roomie lets two members exchange contact details — phone number and email — when they both agree: one member requests the exchange, and when the other accepts, both sets of details are revealed at the same time. We share your contact details with another member only on your instruction, through this mutual exchange.

Before both members agree, messages that contain contact details — such as phone numbers or email addresses — may be blocked. When that happens, we log a sanitized record of the event (the type of contact detail detected, never the message content) to support safety and prevent abuse.

International data transfers

Your personal data is processed and stored in the United States, where our infrastructure providers (Google Cloud/Firebase) and our identity-verification processor (Didit) operate. For users in the European Economic Area, transfers are covered by Google’s Cloud Data Processing Addendum and the EU Standard Contractual Clauses applied under it. We are a controller registered with the Saudi Data & AI Authority and apply appropriate safeguards to international transfers, including the data-protection commitments of our processors. We are finalizing additional transfer safeguards in accordance with the Personal Data Protection Law; this policy will be updated as those are completed.

Data retention and deletion

We keep your information only for as long as we need it, based on the type of data:

  • Account and profile data (name, email, user ID, photo, lifestyle preferences) — kept while your account is active. You can delete your account at any time from within the app. When you do, your account enters a 30-day recovery period and is then permanently deleted. Full details are on our Account Deletion page.
  • Messages and shared files — kept so the service works. After you delete your account, your past messages are anonymized — your identity is removed and you appear as “Deleted User” — so other members’ chat history stays intact without exposing your data.
  • Technical data and logs (device identifiers, app-interaction data, crash logs) — kept for limited periods, as described below.

When you delete your data or your account, it is removed from our active systems promptly. Short, standard recovery windows apply at the infrastructure level before permanent deletion: deleted media (such as photos) may be recoverable for up to 7 days, and database records carry only brief internal version history. Operational logs are retained for up to 30 days, and certain security/audit logs for up to 400 days. Identity-verification data held by our processor, Didit, is retained for up to 1 month and then deleted.

After deletion, we may retain limited information where necessary to comply with legal obligations, for security purposes, or to prevent fraud and abuse, in anonymized or aggregated form.

Your rights

Depending on where you live and subject to applicable law — including Saudi Arabia’s PDPL and, for EU users, the GDPR — you may have the right to:

  • access a copy of the personal information we hold about you;
  • correct information that is inaccurate or incomplete;
  • delete your personal information;
  • object to or restrict certain processing;
  • data portability — receive your information in a structured, commonly used format, or ask us to transfer it;
  • withdraw consent where we rely on it — for example, by turning location off in your settings; and
  • complain to the supervisory authority — in Saudi Arabia, the Saudi Data & AI Authority (SDAIA); in the EU, your local Data Protection Authority.

To exercise any of these rights, or to ask any privacy question, contact us at support@roomie.cc. We aim to respond within 30 days. We may need to verify your identity before acting on a request.

If there is a data breach

If a personal-data breach occurs that affects your information, we will notify the competent supervisory authority — and affected users where the breach is likely to create a high risk to them — as required by applicable law (including the PDPL and, for EU users, the GDPR).

Security

We take reasonable technical and organizational measures to protect your information, and we restrict access to personal data. Messages can be read only by the participants in a conversation; your profile information and photos are owner-scoped, accessible only to you and to the members you choose to share them with on Roomie; and administrative access is limited to authorized personnel. No method of transmission or storage is completely secure, but we work to safeguard your data and limit access to it.

Children

Roomie is not directed to anyone under 18, and we do not knowingly collect personal information from minors. See our Child Safety page for our standards against child sexual abuse and exploitation. If you believe a minor is using Roomie, please contact us immediately.

Changes to this policy

This policy is versioned, and you accept it together with our Terms of Service and Community Guidelines as a single agreement. We may update it from time to time; for material changes we will ask you to accept the updated version again in the app, while minor changes take effect when posted. We also update the date above whenever we make changes.

Contact us

This Service is operated by Company ERM AL-HADITH For Information Technology (One Partner), Commercial Registration No. 1009154490, Riyadh, Kingdom of Saudi Arabia.

For privacy questions or to exercise your rights, contact our Data Protection Officer, Abdulaziz Alessa, at a.alessa@roomie.cc. We are registered with the Saudi Data & AI Authority (SDAIA) National Personal Data Protection Register, Registration No. 3260006969.