Privacy Policy

TL;DR — what this means in plain English

Roster scanning (the original feature) sends the single image you pick to Claude (Anthropic) for schedule extraction. The image is deleted from our server within 24 hours. We never browse or back up your photo library.
Your direct messages and group chats are end-to-end encrypted. We can’t read them. The encryption keys live on your phone, not on our servers.
Posts on the Community Wall are NOT encrypted. They’re visible to every member of the group. We scan them automatically for abuse before they go live.
You control your data. Delete a message, block a user, leave a group, or fully delete your account from inside the app at any time.
We collect the minimum we need to make Rostr work — your sign-in info, your roster, the friends you choose to share with. Nothing more. We never sell your data.

Who runs Rostr

Rostr is operated by ARAMI TECH LLC, a US limited liability company.

When this policy says “we”, “us”, or “our”, that’s ARAMI TECH LLC.

What we collect — and why

Data	Why we have it	Where it lives
Email + Apple ID / Google ID	Sign-in only	Supabase Auth (TLS + AES-256 at rest)
Display name, avatar, username	Shown to your friends and group members	Supabase DB (TLS + AES-256 at rest)
Roster entries (shifts, dates, types)	The core feature	Supabase DB
Roster scan images (camera capture / photo pick)	OCR via Claude (Anthropic) — image deleted within 24h	Supabase Storage (transient) → Anthropic
Roster Group + Community Group memberships	Who you share with	Supabase DB
Push notification token (APNs / FCM)	Deliver alerts	Supabase DB; never shared with advertisers
Community Wall posts (text + images)	Visible to group members	Supabase DB + Storage; scanned for abuse
DM messages	End-to-end encrypted (E2EE) — we cannot read	Supabase DB (ciphertext only)
Group chat messages	End-to-end encrypted (E2EE)	Supabase DB (ciphertext only)
Reports of abusive content	Act on platform abuse policy within 24h	Supabase DB
Crash + performance data (anonymous)	Find bugs	Firebase Crashlytics
Ad identifier (IDFA on iOS / AAID on Android, only if you opt in)	Ad targeting via Google AdMob	Google
Approximate location (country code only — optional)	Suggest nearby communities in Discover. We derive only a country code on your device; exact coordinates are never stored or sent. Decline and Discover still works (falls back to your device region setting).	Supabase DB (country code only)

We do NOT collect: your contacts, your wider photo library (only the single image you pick to scan a roster or attach to a chat / post), your precise location or movements (Discover uses only an optional, coarse country code — see the table above), your call history, your browsing on other sites, or your real-world identity.

End-to-end encryption (E2EE) — what it actually means

Direct messages and group chats use the Signal protocol family, implemented with platform-native cryptography (Apple CryptoKit on iOS, Google Tink + AndroidX Security on Android). The wire format is byte-compatible across both platforms.

Each device generates a Curve25519 identity key pair on first launch. The private key never leaves the device — it lives in iOS Keychain (AfterFirstUnlockThisDeviceOnly) or Android Keystore (StrongBox where available).
DM messages are encrypted with ChaCha20-Poly1305 using a per-conversation key derived from a Diffie-Hellman exchange.
Group chats use Sender Keys: each member’s outgoing messages are encrypted with their own sender key, distributed once over the pairwise DM channel. When someone leaves the group, the sender key is rotated.
Images, voice messages, and files in DM/group chats are also encrypted before they leave your phone. We store ciphertext blobs in Supabase Storage; the per-file key is encrypted inside the message body and only the recipient can decrypt it.
Push notifications carry no message preview for E2EE chats — just “New message”.

We can never produce the plaintext of an E2EE message in response to any request — government, civil, or our own — because we don’t have the key. Only your phone has it.

Roster scanning (OCR) — the original feature

Rostr’s core feature is automatic schedule extraction from a roster image. Here is exactly how the pipeline works:

You initiate it. Tap Add Roster → Scan Screenshot. The first time you use it, iOS or Android shows the system permission prompt for Camera or Photo Library.
One image at a time. You either capture a fresh photo or pick a single existing screenshot. The app does NOT browse your photo library — the iOS Photos Picker / Android Photo Picker hands us only the file you actually select.
Compressed and uploaded. The image is downscaled (max 1024 px wide) and sent to our Supabase Edge Function over HTTPS.
Read by Claude (Anthropic). The Edge Function forwards the image to Anthropic’s Claude Vision-capable model for OCR. This runs under Anthropic’s commercial API terms: no model training on API inputs, max 30-day input retention for trust & safety, then deleted.
Schedule extracted, image deleted. The structured schedule (dates, shift times, types) is saved to your account. The original image is deleted from our Supabase Storage within 24 hours.

The OCR pipeline only sees the single image you pick. We never index, browse, or back up your photo library. The extracted schedule belongs to you and is shared only with the friends and family you add to your Roster Group.

What we DO scan (and why)

App Store and Play Store policies require us to filter user-generated content on broadcast surfaces. We do this in three places:

Surface	What we scan	How
Community Wall posts (text)	Text body	OpenAI Moderation
Community Wall posts (images)	Image content	OpenAI gpt-4o-mini Vision
Roster Group chat (legacy plaintext)	Text + images	Same as above
DM messages	Nothing — E2EE	We can’t read
Group chat messages	Nothing — E2EE	We can’t read

If a post or image is flagged by automated review, it is hidden from other users immediately. The author keeps their copy and sees a takedown reason.

We also rely on you. If you encounter abusive content in a DM or group chat, tap Report. Reporting unlocks a one-time decryption of THAT message and uploads the plaintext to our admin queue for human review (24-hour SLA). Reporting is the ONLY way the content of an E2EE message ever leaves your device readable.

AI sub-processors (Anthropic + OpenAI)

We use two separate AI providers, each scoped to a different feature. Neither has overlapping access.

Anthropic — Roster OCR only

The image you pick to scan is sent to Anthropic, PBC under their commercial API terms:

They do not train Claude on our API requests
They retain inputs for max 30 days for trust & safety, then delete
We do not use Claude.ai (consumer product, different policy)

What we send to Anthropic:

Roster scan images for OCR (Claude Vision-capable model) — image deleted from our server within 24h

OpenAI — Community Wall moderation only

For Community Wall content moderation we send certain content to OpenAI, Inc. under their Enterprise / API data policy:

They do not train models on our API requests
They retain inputs for max 30 days for abuse monitoring, then delete
We do not use ChatGPT (which has a different policy)

What we send to OpenAI:

Community Wall post text (Moderation API) — hate speech and abuse detection
Community Wall image URLs (Vision, gpt-4o-mini) — abusive image detection

What we never send to either Anthropic or OpenAI:

DM message contents
DM image / voice / file contents
Group chat message contents
Your account credentials, payment information, or device identifiers

Other sub-processors

Vendor	Purpose	Region
Supabase (Postgres + Storage + Auth + Realtime)	Hosting, database, file storage, auth, websocket	EU (eu-central)
Firebase Cloud Messaging (Google)	Push notifications (Android + iOS)	US
Anthropic, PBC	Roster OCR (Claude Vision)	US
OpenAI	Community Wall text + image moderation	US
Apple Push Notification Service	iOS push delivery	US
Google AdMob	Ad serving (only if you allow tracking)	US

We have signed Data Processing Agreements (or have equivalent commercial terms in place) with Supabase, Google, OpenAI, Anthropic, and Apple. None of these vendors sells your data.

Data retention

Data	Retained for
Account, roster, group memberships	While your account exists
Roster scan images (after OCR upload)	24 hours, then deleted from our Supabase Storage
Voice messages (audio bytes, ciphertext for E2EE chats)	180 days, then nulled
Community Wall posts	While the group exists; you can delete anytime
DM / group chat (ciphertext)	While both parties keep the conversation
Reports + admin notes	1 year (regulatory)
Crash logs	90 days
Push tokens	Until you sign out / disable notifications
Soft-deleted accounts	30-day grace period for restore, then hard-deleted

You can delete your account from Profile → Delete Account. Your row is soft-deleted (recoverable for 30 days), then hard-deleted along with all messages you authored. Other people’s chats with you are preserved (their content, their copy).

Your rights

You have the right to:

Access what we have on you (email info@arami.tech)
Correct anything we have wrong
Export your data (we’ll send a JSON dump within 30 days)
Delete your account (in-app, instant)
Object to ad personalization (iOS Settings → Privacy → Tracking, or Android Settings → Google → Ads)
Lodge a complaint with your data-protection authority

EU / UK residents (GDPR)

Your legal basis under GDPR is:

Contract for the core service (sign-in, roster, chat)
Legitimate interest for moderation, anti-abuse, and crash logs
Consent for ad personalization (you can withdraw anytime)

California residents (CCPA / CPRA)

We do not sell or share your personal information for cross-context behavioral advertising as defined by California law. You can request to know, delete, or correct your data via info@arami.tech.

Children

Rostr is rated 17+. We do not knowingly collect data from anyone under 13 (US: COPPA) or 16 (EU: GDPR). If you believe a child has created an account, email info@arami.tech and we’ll delete it.

Changes to this policy

We’ll update the “Last updated” date at the top whenever we change something. Material changes (new vendors, new categories of data) get an in-app banner the next time you open the app.

For App Store / Play Store reviewers

If you’re an Apple App Reviewer or Google Play reviewer reading this, here’s the relevant compliance summary:

OCR pipeline: Camera capture / Photo Library pick → image downscaled to 1024 px → HTTPS to Supabase Edge Function (ocr-roster-claude) → Anthropic Claude Vision-capable model → structured schedule returned → original image deleted from Supabase Storage within 24h. iOS uses Photos Picker; Android uses ActivityResultContracts.PickVisualMedia. Neither requires READ_MEDIA_IMAGES; the picker is out-of-process.
UGC moderation: text + image on Community Wall are scanned via OpenAI Moderation + gpt-4o-mini Vision before publish. DM and Group chat (including voice) are E2EE; user-report is the safety net (24h SLA).
Reporting flow: long-press any message → Report → adds row to reports table; admin reviews via dashboard within 24h.
Block / Kick: live in-app, all surfaces.
Encryption export compliance (iOS): Apple CryptoKit (X25519 + ChaCha20-Poly1305 + HKDF) used for end-to-end encryption of DM and group chat. Declared as ITSAppUsesNonExemptEncryption = YES; classified under ECCN 5D992.c with License Exception ENC §740.17(b)(1) (mass market, standard algorithms only). App Store Connect’s App Encryption questionnaire completed for this submission — no documentation upload required.
Encryption export compliance (Android): Google Tink + AndroidX Security (X25519 + ChaCha20-Poly1305 + HKDF). Standard mass-market crypto only; same ECCN 5D992.c classification.
Account deletion: Profile → Delete Account, soft delete with 30-day grace, then hard delete + cascade.