Privacy Policy

Roam Caribbean Inc. ("Roam", "we", "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and related services (collectively, the "Service").

Account information: name, email address, phone number, profile photo, and password hash when you create an account.

Identity verification: government-issued ID images and selfie data processed by our third-party provider (Stripe Identity). Roam does not store raw ID images on its servers.

Insurance documents: proof of insurance files you upload are stored in encrypted private storage.

Payment information: payment card details are processed and stored by Stripe. Roam does not have access to full card numbers.

Host payout details: bank account information (account number, routing number, IBAN, SWIFT/BIC) provided by hosts is encrypted at rest using AES-256 symmetric encryption. Only our authorized payouts team can decrypt this data to execute transfers.

Booking and trip data: dates, locations, vehicle details, pricing, and communications between hosts and guests.

Device and usage data: IP address, browser type, device identifiers, pages visited, and actions taken on the platform. Collected via server logs and analytics tools.

We use the information we collect to:

• Create and manage your account
• Verify your identity and eligibility
• Process bookings and payments
• Execute host payouts via wire transfer or Wise
• Facilitate communication between hosts and guests
• Provide customer support
• Send transactional emails (booking confirmations, receipts, verification status)
• Send marketing communications (with your consent; you can opt out at any time)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Improve and develop the Service

We share information only in the following circumstances:

• With other users: hosts see guest name, profile photo, and verification status; guests see host name, photo, and vehicle details.
• Service providers: Stripe (payments, identity verification), Postmark (transactional email), Supabase (database hosting), Wise (payout processing).
• Insurance partners: trip and driver data necessary to administer coverage.
• Legal compliance: when required by law, subpoena, or government request, or to protect the rights, property, or safety of Roam, our users, or the public.
• Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity.

We do not sell your personal information to third parties.

We implement industry-standard security measures to protect your information, including:

• HTTPS/TLS encryption for all data in transit
• AES-256 symmetric encryption for sensitive financial data at rest (host payout details)
• Row-level security policies in our database
• Bcrypt password hashing with salt rounds
• JWT-based session management with refresh token rotation
• Restricted access controls for internal operations

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

We retain your account information for as long as your account is active. Booking and transaction records are retained for 7 years for financial and legal compliance. Identity verification results are retained by Stripe per their retention policy. You may request deletion of your account and personal data at any time (see Section 8).

We use a minimal presence cookie (roam_authed) to maintain your login state across page navigations. This is a first-party, session-management cookie and does not track you across other websites. We do not use third-party advertising cookies.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and associated personal data
• Export your data in a portable format
• Withdraw consent for marketing communications at any time
• Object to processing of your data for certain purposes

To exercise any of these rights, contact us at hello@roamislands.com. We will respond within 30 days.

Your information may be processed in jurisdictions outside St. Vincent and the Grenadines, including the United States (where our service providers operate). We ensure appropriate safeguards are in place for any cross-border transfers.

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Roam Caribbean Inc.
hello@roamislands.com