Privacy Policy
This privacy policy explains how the Roost MX mobile application ("Roost MX", "we", "us", "the app") collects, uses, stores, and shares information when you use the app on Android, iOS, or the web.
Roost MX is a personal motorcycle service log: you record your bikes, service history, jetting setups, and suspension setups, optionally attaching photos and PDFs. The app uses your location only to fetch local weather conditions to help calculate jetting recommendations.
1. Who we are (Data Controller)
The data controller responsible for your personal data is the developer of Roost MX. You can contact us at:
- Email: tristinwhiteqtec@gmail.com
- App: Roost MX (com.roostmx.app)
2. What data we collect
2.1 Account information (you give us)
- Email address (used as your sign-in identifier)
- Password (hashed by Firebase Authentication; we never see it)
- First name, last name, optional profile photo
2.2 App content (you create)
- Bike details: make, model, year, name, modifications, VIN, hours
- Service records: dates, notes, mileage, attached photos (taken with your device's camera or selected from your photo library), attached PDFs
- Jetting and suspension configurations: track, date, conditions, jet sizes, clip positions, suspension clicks, ratings, remarks
Camera and photo library access is only used when you choose to attach an image to a service record. The app does not record video, take photos in the background, or access photos unrelated to attachments you explicitly add. You can revoke camera and photo library permissions at any time in your device settings.
2.3 Device + usage data (collected automatically)
- Approximate or precise location, only when you tap "Use my location" or recalculate jetting — used once to look up temperature, humidity, and elevation. The coordinates themselves are not stored or transmitted to our servers.
- App version, device model, operating system, language preference
- App-activity events such as which screens you open, taps on key features, and crashes (via Firebase Analytics + Crashlytics)
- Authentication tokens stored locally on your device for keeping you signed in
2.4 What we do not collect
- Contacts, SMS, call logs, calendar, or browsing data outside the app
- Background location
- Audio recordings
- Health, fitness, financial, or biometric data
3. Why we use your data (purposes & lawful basis)
| Purpose | Data used | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Create and maintain your account | Email, password, name | Performance of contract |
| Save and sync your bikes, services, configurations | Profile + content | Performance of contract |
| Authenticate API requests | Auth tokens | Legitimate interest (security) |
| Calculate jetting recommendations | One-time location lookup → weather + elevation | Legitimate interest (you initiated the action) |
| Improve the app and diagnose crashes | Anonymous usage events, crash reports | Legitimate interest |
| Provide customer support | Email + relevant account context | Legitimate interest |
4. Where your data is stored
We use Google Firebase (operated by Google LLC and Google Cloud EMEA Limited) as our backend platform. Firebase data is stored in Google's data centres. The Firebase services we use are:
- Firebase Authentication — stores your email + a hashed password
- Cloud Firestore — stores your profile, bikes, configurations, transfer requests
- Cloud Storage for Firebase — stores image and PDF attachments you add to service records
- Cloud Functions for Firebase — runs the API your app talks to
- Firebase Analytics — anonymous usage statistics
- Firebase Crashlytics (if enabled) — anonymous crash reports
Google's privacy and security practices are described at firebase.google.com/support/privacy.
5. Third-party services
5.1 Open-Meteo (weather + elevation)
When you tap "Use my location" or "Recalculate with current weather", the app sends your latitude and longitude to open-meteo.com to fetch temperature, humidity, and elevation. Open-Meteo's privacy policy is at open-meteo.com/en/terms. We do not receive or store your coordinates ourselves.
5.2 Google Play Services / Apple App Store
Google or Apple may collect basic device and account information when you install or update the app. That collection is governed by their privacy policies, not ours.
6. International transfers
Firebase data may be processed in regions outside the UK or EEA, including the United States. Google relies on the EU-US Data Privacy Framework and Standard Contractual Clauses to safeguard such transfers. See cloud.google.com/terms/data-processing-addendum.
7. Data retention
- Active accounts: we keep your data for as long as your account is active.
- Account deletion: when you delete your account (in-app or by email request), we permanently delete your profile, bikes, services, configurations, and uploaded files within 30 days. Backups are purged on a 90-day rolling cycle.
- Anonymous analytics: aggregated, non-identifying analytics may be retained for up to 14 months.
8. Your rights (UK GDPR / EU GDPR)
You have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased ("right to be forgotten")
- Restrict or object to certain processing
- Receive a copy of your data in a portable format
- Withdraw consent where processing relies on consent
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your national supervisory authority
To exercise any of these rights, email tristinwhiteqtec@gmail.com. We will respond within 30 days.
9. Account deletion
You can delete your account at any time:
- In the app: Profile → Delete my account (or your equivalent path)
- Web: roost-mx.co.uk/delete-account — fill in your account email and we will erase all associated data within 30 days
- Email: send a deletion request to tristinwhiteqtec@gmail.com
10. Security
Data in transit is encrypted via HTTPS / TLS 1.2+. Data at rest in Firebase is encrypted using Google-managed keys. Authentication uses industry-standard token-based mechanisms. Locally cached data on your device is stored in the operating system's app sandbox; we recommend using a device passcode or biometrics. No system is perfectly secure, but we apply reasonable technical and organisational measures appropriate to the risk.
11. Children
Roost MX is not directed at children under 13 (or under 16 in the UK and EEA). We do not knowingly collect personal data from children under those ages. If you believe a child has provided personal data, contact us and we will delete it promptly.
12. Cookies and local storage
The app uses local storage on your device (IndexedDB, Capacitor Preferences, browser localStorage) for essential functions: keeping you signed in, caching your profile and configurations for offline use, and remembering your language and display preferences. We do not use cookies for advertising or cross-site tracking.
13. Changes to this policy
We may update this policy to reflect changes in the app or in the law. The "Last updated" date at the top of this page will be revised accordingly. Material changes will be notified in-app or by email.
14. Contact
Questions or concerns about your privacy? Email tristinwhiteqtec@gmail.com.