Privacy Policy

🔒 TL;DR — Privacy at a Glance

This summary is for convenience only. The full policy below is legally binding.

We don't sell your data. Ever. Not to advertisers, not to data brokers, not to anyone.
Your donor data stays yours. We only use it to power the AI features you're paying for.
AI providers see your prompts. When you chat, your messages go to AI providers (xAI, OpenAI, etc.) to generate responses. They have their own privacy policies.
Google Workspace access is limited. We only read what you authorize. Gmail = read emails + create drafts (never send). Drive = only files you pick.
CRM data is encrypted. API keys use AES-256-GCM encryption. Synced data stays in your account only.
Analytics are privacy-focused. We use PostHog. No cross-site tracking. You can opt out.
You can delete everything. Instant deletion — your data is gone immediately when you delete your account. Export first if you want a copy.
We log consent. When you accept cookies or connect services, we record it with timestamps for compliance.
California/EU users: You have extra rights (access, delete, opt-out). See Sections 10-11.
Texas-based company. GetRomy LLC, Kerrville, TX. Questions? privacy@getromy.app

1. Introduction

Rōmy ("we," "us," "our," or "Company"), operated by GetRomy LLC, a Texas limited liability company, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered donor research platform (the "Service").

By using Rōmy, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Data We Collect

We believe in transparency. Here's exactly what we collect, why, and how long we keep it:

Data Category	What We Collect	Why (Lawful Basis)	Retention
Account Info	Name, email, profile picture (from Google OAuth or email signup)	Contract performance — to create and manage your account	Until account deletion + 30 days
Chat Content	Messages, prompts, AI responses, conversation history	Contract performance — core service functionality	Until you delete or account closure + 30 days
Uploaded Files	PDFs, spreadsheets, documents (donor lists, etc.)	Contract performance — document analysis feature	Until you delete or account closure + 30 days
AI Memory	Extracted facts and preferences from conversations	Consent — you enable this feature	Until you disable memory or delete account
Gmail Data	Email content, writing style profile, draft metadata	Consent — you connect Google account	Until you disconnect Google or delete account
Google Drive	Selected files, document text, embeddings	Consent — you select files via picker	Until you remove documents or disconnect
CRM Data	Constituents, donations, contacts (from Bloomerang, Virtuous, Neon)	Consent — you connect your CRM	Until you disconnect CRM or delete account
Usage Data	Features used, clicks, session duration, errors	Legitimate interest — product improvement	90 days (anonymized after)
Technical Data	IP address, browser, device, OS	Legitimate interest — security, debugging	30 days
Payment Info	Card details (via Stripe — we don't store full card numbers)	Contract performance — billing	Per Stripe's retention policy
Consent Records	Cookie consent, integration authorizations, timestamps	Legal obligation — GDPR/CCPA compliance	3 years after consent given

3. How We Use Your Data

We use your information to:

Provide the Service: Power AI conversations, store chats, enable integrations
Process AI requests: Send your prompts to AI providers (xAI, OpenAI, Anthropic, etc.) to generate responses
Personalize experience: Remember your preferences, enable AI Memory (if enabled)
Improve the product: Analyze usage patterns, fix bugs, develop features
Communicate: Send service updates, security notices, respond to support requests
Ensure security: Detect fraud, prevent abuse, enforce Terms of Service
Comply with law: Respond to legal requests, maintain required records

4. Google Workspace Integration

If you connect your Google account, here's exactly what we access:

4.1 Gmail Access

Scope: gmail.readonly (read emails) + gmail.compose (create drafts)
What we read: Inbox and sent emails to provide AI context
What we create: Draft emails matching your writing style
What we NEVER do: Send emails, delete emails, or access emails without your request
Writing style: We analyze your sent emails to learn your tone, greetings, and phrasing

4.2 Google Drive Access

Scope: drive.file (per-file access via picker only)
What we access: Only files you explicitly select using the file picker
What we do: Extract text, create embeddings for semantic search
What we NEVER do: Scan your entire Drive or access files you didn't select

4.3 Revocation

Disconnect anytime in Settings → Integrations → Google. This immediately revokes access and deletes:

Writing style profile
Draft metadata
Indexed Drive documents
OAuth tokens

5. CRM Integrations

When you connect a CRM (Bloomerang, Virtuous, or Neon CRM):

Credentials: Your API keys are encrypted with AES-256-GCM before storage
Data synced: Constituents/contacts, donations/gifts, basic metadata
Access: Only you can access your synced CRM data
Deletion: Disconnect in Settings to remove all synced data and credentials

6. AI Providers and Data Sharing

When you use Rōmy, your prompts are sent to AI providers to generate responses:

Provider	Data Shared	Their Privacy Policy
xAI (Grok)	Prompts, chat context	x.ai/privacy
OpenAI	Prompts, chat context (via OpenRouter)	openai.com/privacy
Anthropic	Prompts, chat context (via OpenRouter)	anthropic.com/privacy
Google	Prompts (Gemini), OAuth data, Gmail/Drive data	policies.google.com/privacy
LinkUp	Search queries for web research	linkup.so/privacy
Supabase	All cloud-stored data	supabase.com/privacy
PostHog	Usage analytics (anonymized)	posthog.com/privacy
Stripe (via Autumn)	Payment information	stripe.com/privacy

We do NOT:

Sell your data to third parties
Share data with advertisers
Use your data to train our own AI models
Share your donor lists or CRM data with anyone

6.1 Client Data Protection Assurance

✓ Contractual Data Protection Commitments

GetRomy LLC provides the following written assurances regarding your donor data:

a) Purpose Limitation: Your donor data will be used SOLELY for the purpose of helping your organization achieve its charitable mission through prospect research and donor intelligence.
b) No Sale of Data: We will NEVER sell, license, rent, or transfer your donor data to any third party for any purpose.
c) No Cross-Client Use: Your donor data will NEVER be used to benefit any other client of GetRomy LLC. Each client's data is completely isolated through Row-Level Security (RLS) policies.
d) No Marketing Use: Your donor data will NEVER be used for marketing, advertising, lead generation, or any purpose other than providing the contracted services.
e) Confidentiality: All personnel with access to your data are bound by confidentiality agreements. Access is limited to those who need it to provide the Service.

These assurances are contractually binding and survive termination of service.

6.2 Authorized Subprocessors

The following subprocessors are authorized to process your data as part of delivering the Service:

Subprocessor	Purpose	Location	Compliance
Supabase Inc.	Database, Authentication, File Storage	US (AWS)	SOC 2 Type II, HIPAA
OpenRouter Inc.	AI Model Routing	US	SOC 2 Type II
xAI Corp	Grok AI Model	US	Enterprise Terms
Stripe Inc.	Payment Processing	US	SOC 2 Type II, PCI DSS Level 1
PostHog Inc.	Product Analytics (anonymized)	US	GDPR Compliant, SOC 2 Type II
LinkUp Inc.	Web Research	US	Enterprise Terms

Notification of Changes: We will provide 30 days written notice before adding new subprocessors. You may object to new subprocessors within 14 days of notification by contacting privacy@getromy.app.

Subprocessor list last updated: January 2025

7. Cookies and Tracking

7.1 What We Use

Cookie Type	Purpose	Can You Opt Out?
Essential	Authentication, CSRF protection, session management	No (required for the app to work)
Preferences	Theme (dark/light), language, UI settings	Clearing these resets your preferences
Analytics (PostHog)	Feature usage, product improvement	Yes — see below

7.2 Consent Logging

When you accept cookies or consent to optional features, we log:

What you consented to
Timestamp of consent
Your user ID (if logged in)
IP address (hashed)

This log allows you to withdraw consent and proves compliance if regulators ask.

7.3 Opting Out of Analytics

You can opt out of PostHog analytics by:

Enabling "Do Not Track" in your browser
Using a privacy-focused browser (Brave, Firefox with tracking protection)
Emailing privacy@getromy.app with "Opt out of analytics"

8. Data Storage and Security

8.1 Where Data Lives

Cloud mode: Data stored in Supabase (AWS infrastructure, US regions)
Local mode: Data stays in your browser's IndexedDB — we never see it

8.2 Security Measures

Encryption in transit: TLS 1.3 for all connections
Encryption at rest: AES-256 for database, AES-256-GCM for API keys
Authentication: OAuth 2.0, secure session tokens
Access control: Row-level security (RLS) — users only see their own data
Audit logging: Security events logged for monitoring

8.3 Data Retention

Active accounts: Data kept while your account is active
Inactive accounts: Accounts inactive 24+ months may be deleted (with 30-day notice)
Deleted accounts: Data deleted within 30 days (except legal holds)
Backups: Retained up to 30 days, then purged

9. Your Rights — Everyone

Regardless of where you live, you can:

Access: Request a copy of your data
Delete: Request deletion of your account and data
Export: Download your data in standard formats (JSON, CSV)
Correct: Update inaccurate information
Disconnect: Revoke access to Google, CRMs, and third-party integrations

To exercise these rights: Email privacy@getromy.app with your request. We'll respond within 10 business days and complete requests within 30 days.

10. California Residents (CCPA/CPRA)

🇺🇸 California Privacy Rights

Your Rights:

Right to Know: What personal information we collect, use, and share
Right to Delete: Request deletion of your personal information
Right to Correct: Fix inaccurate personal information
Right to Opt-Out of Sale/Sharing: See below
Right to Limit Use: Restrict use of sensitive personal information
Right to Non-Discrimination: We won't penalize you for exercising your rights

Do We Sell or Share Your Data?

No. Rōmy does not sell personal information. We do not share personal information for cross-context behavioral advertising.

We share data only with service providers who help us operate the Service (AI providers, hosting, analytics). This is not a "sale" or "sharing" under CCPA because these providers are contractually prohibited from using your data for their own purposes.

If this ever changes, we will update this policy and add a "Do Not Sell or Share My Personal Information" link.

Categories of PI Collected:

Identifiers (name, email, IP address)
Commercial information (subscription, usage)
Internet activity (browsing, interactions)
Inferences (AI-generated insights)
Sensitive: None collected beyond what you voluntarily provide

11. European Users (GDPR)

🇪🇺 EU/EEA/UK Privacy Rights

Legal Bases for Processing:

Contract: Account creation, core service functionality
Consent: Optional features (AI Memory, Google integration, analytics)
Legitimate Interest: Security, fraud prevention, product improvement
Legal Obligation: Tax records, compliance requests

Your GDPR Rights:

Right of Access (Art. 15)
Right to Rectification (Art. 16)
Right to Erasure / Right to be Forgotten (Art. 17)
Right to Restrict Processing (Art. 18)
Right to Data Portability (Art. 20)
Right to Object (Art. 21)
Right to Withdraw Consent (Art. 7)

International Transfers:

Your data may be transferred to the United States. We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.

Complaints:

You may lodge a complaint with your local Data Protection Authority:

EU: Find your DPA
UK: ICO

12. Other Jurisdictions

12.1 Texas (TDPSA)

Texas residents have rights under the Texas Data Privacy and Security Act, including access, deletion, correction, and opt-out of targeted advertising. Contact us at privacy@getromy.app to exercise these rights.

12.2 Canada (PIPEDA)

Canadian users have rights under PIPEDA, including access to and correction of personal information. You may file complaints with the Office of the Privacy Commissioner of Canada.

12.3 Other US States

If you reside in Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Utah, Virginia, or other states with privacy laws, you likely have similar rights to California residents. Contact us to exercise them.

13. Children's Privacy

Rōmy is not for children under 18. We do not knowingly collect personal information from anyone under 18 (or 16 in the EEA). If you believe a child has provided us data, contact privacy@getromy.app immediately. We will delete it within 30 days.

14. Data Deletion and Export

You have full control over your data. You can export and/or delete your data at any time — completely or selectively.

14.1 Export Your Data

Complete Export:

Download everything: chats, files, AI memories, CRM data, settings
Formats: JSON (structured) or CSV (spreadsheet-compatible)
Go to Settings → Data → Export All, or email privacy@getromy.app

Partial Export:

Export specific chats or conversations
Export by date range (e.g., "last 30 days")
Export by data type (e.g., "only CRM data" or "only chat history")
Email privacy@getromy.app with your specific request

14.2 Delete Your Data

Complete Deletion (Delete Everything):

Go to Settings → Account → Delete Account
Confirm deletion
All your data is permanently and instantly deleted

Or email privacy@getromy.app with subject "Delete My Account".

⚠️ Warning: Deletion is immediate and irreversible. Export your data first if you want to keep a copy.

Selective Deletion (Keep Your Account):

Delete specific chats: Click the trash icon on any chat
Delete AI memories: Settings → Memory → Delete individual or all memories
Delete uploaded files: Remove files from chat attachments
Delete CRM data: Settings → Integrations → Disconnect CRM (removes all synced data)
Delete Google data: Settings → Integrations → Disconnect Google (removes writing style, drafts, indexed docs)

14.3 What Gets Deleted (Complete Deletion)

Account information (name, email, profile)
All chat history and conversations
All uploaded files and attachments
All AI memories
Google integration data (writing style profile, draft metadata, indexed Drive documents)
CRM data and encrypted API credentials
All preferences and settings

14.4 What We May Retain

Anonymized, aggregated analytics (cannot identify you)
Billing records (legal/tax requirement — typically 7 years)
Data subject to active legal holds or investigations

14.5 Deletion Timeline

Account deletion: Instant — data removed immediately upon confirmation
Backups: Purged within 24 hours
Third-party systems: We request deletion from providers immediately; most complete within 24-48 hours

15. Changes to This Policy

We may update this Privacy Policy. When we do:

We'll update the "Effective" date at the top
For material changes, we'll email you and/or show an in-app notification
Material changes take effect 30 days after notice
Continued use after the effective date = acceptance

16. Contact Us

Questions, concerns, or requests? Contact us:

Email: privacy@getromy.app
Security issues: security@getromy.app
Legal/Terms: legal@getromy.app

Mailing Address:
GetRomy LLC
Kerrville, TX 78028
United States

Response Time: We acknowledge requests within 10 business days and complete them within 30-45 days depending on complexity and jurisdiction.

17. Open Source Transparency

Rōmy is open-source. You can review our code, data handling, and security implementations on GitHub. This transparency allows independent verification of our privacy practices.

Last updated: December 27, 2024

Version: 3.0