What personal information do we process?
We process information about how you interact with My RoomMate and the Services, including account details, questionnaire responses, and related usage information.
Legal
Privacy Policy
This Privacy Notice explains how Arbor S j.d.o.o. (doing business as My RoomMate) accesses, collects, stores, uses, and shares personal information when you use our website and services.
Last updated
April 17, 2026
Questions or concerns? Email
hello@my-roommate.app
This Privacy Notice applies when you visit my-roommate.app or use My RoomMate, a digital tool designed to streamline the roommate-selection process. The platform lets room providers share a customized questionnaire link or QR code, applicants submit responses, and those responses are scored against the room provider's criteria.
My RoomMate does not perform background checks, verify applicant information, or guarantee a successful match. It is a structured decision-support tool to help room providers review incoming applications more efficiently.
Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services.
Summary of key points
This summary highlights the main parts of the notice. The full policy appears below.
Do we process sensitive personal information?
Applicants may voluntarily disclose special category data through questionnaire responses. We process that information only where we have a valid legal basis, including explicit consent where required.
Do we collect information from third parties?
We do not buy personal information from data brokers. We may receive limited profile information from a social login provider if you choose to sign in that way.
How do we process your information?
We process information to provide and improve the Services, communicate with you, enable user-to-user interactions, prevent fraud, and comply with legal obligations.
When do we share personal information?
We share information with specific service providers needed to operate the platform, including Anthropic, Stripe, Google, Microsoft Azure, Resend, Supabase, and Better Stack. We do not sell personal data.
Is information transferred internationally?
Our primary servers are in the EU, but some providers may process data in the USA. Where that happens, we rely on recognized transfer mechanisms such as the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
How do we keep information safe?
We apply technical and organizational safeguards, including encryption, access controls, secure authentication, monitoring, and contractual protections with processors.
How do you exercise your rights?
You can visit https://my-roommate.app/user-profile or contact hello@my-roommate.app. We respond to privacy requests in line with applicable law.
1
What information do we collect?
In short: We collect information you provide to us directly, as well as technical and usage information collected automatically when you use our Services.
Personal information you disclose to us
We collect personal information that you voluntarily provide when you register for and use our Services, ask for information about us or our products, participate in activities on the Services, or otherwise contact us.
The personal information we collect may include:
- Email addresses
- Full name
- Date of birth
- City and country of residence
- Profile photo, if provided via social login
- Questionnaire responses submitted by applicants, which may include lifestyle preferences, living habits, employment status, and availability
- Custom questionnaire data created by room providers, including questions and preferred answer criteria
- Communications you send to other users or to us through the platform
Sensitive information
Our platform allows applicants to voluntarily disclose personal preferences through questionnaire responses. Depending on the questions selected by room providers and the answers submitted by applicants, this may include special category data under GDPR Art. 9, including:
- Information revealing racial or ethnic origin
- Information revealing religious or philosophical beliefs
- Information about sexual orientation or gender identity
- Information relating to employment status or financial situation
We do not require applicants to provide special category data unless it is voluntarily disclosed through questionnaire responses, and we process such data only with the applicant's explicit consent.
Payment data
We collect data necessary to process payment for paid services, such as the information required by our payment processor to complete a transaction. All payment data is handled and stored by Stripe. Review Stripe's privacy notice at stripe.com/en-ch/privacy.
Social media login data
We provide the option to register using an existing social media account, such as Google. If you choose this option, we will receive certain profile information from that provider, including your name, email address, and profile photo.
Information automatically collected
Some information, such as your IP address and browser or device characteristics, is collected automatically when you use our Services. This is personal data and is treated as such.
We automatically collect:
- Log and usage data, including IP address, browser type, operating system, pages viewed, timestamps, and actions taken within the Services
- Device data, including device type, application identifiers, hardware model, and operating system configuration
- Approximate location derived from IP address, not precise GPS location
- Referral data, including the URL from which you arrived at our Services
We collect this information to maintain the security and operation of the Services and for internal analytics. The legal basis is our legitimate interest under GDPR Art. 6(1)(f) and, where required, your consent for non-essential analytics technologies.
Google API
Where we use Google APIs for sign-in, authentication, or related platform functionality, our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2
How do we process your information?
In short: We process information to provide, improve, and administer the Services, communicate with you, enable user-to-user interactions, protect the platform, and comply with applicable laws.
We process personal information for the following purposes:
- To facilitate account creation, authentication, and account management using your email address, name, and authentication credentials
- To deliver the core platform functionality, including questionnaire data for applicants and questionnaire configuration data for room providers
- To send administrative communications about your account, billing, security, service changes, and policy updates
- To enable communications between room providers and selected applicants within the platform
- To request feedback about your experience using the Services
- To send marketing and promotional communications where you have given consent or where otherwise permitted by law
- To understand usage trends and improve performance, functionality, and user experience
- To detect, prevent, and respond to fraud, abuse, misuse, and security threats
- To comply with legal, tax, accounting, regulatory, and lawful public authority obligations
- To protect your vital interests or the vital interests of another person where necessary
3
What legal bases do we rely on to process your information?
In short: We only process personal information when we have a specific and valid legal basis. The basis depends on the type of data and the processing activity involved.
We are established in Croatia and rely on the following legal bases under the GDPR:
- Consent. For specific processing activities such as marketing communications, non-essential analytics, and the processing of special category data disclosed in questionnaire responses where applicable
- Performance of a contract. For processing needed to provide the Services under our Terms of Service, including account management, payments, questionnaire functionality, and user-to-user communications
- Legitimate interests. For maintaining platform security, preventing fraud, diagnosing technical issues, handling service administration, and improving performance and usability where those interests are not overridden by your rights and freedoms
- Legal obligations. For compliance with applicable law, cooperating with regulators or law enforcement, and exercising or defending legal rights
- Vital interests. For emergency situations involving risk to life or serious harm
6
Do we offer artificial intelligence-based products?
In short: We use AI technologies, currently Anthropic's Claude, to power questionnaire summarization. Data used for that feature is processed by Anthropic as a processor on our behalf.
As part of the Services, we use AI technologies to analyze and summarize questionnaire responses to help room providers evaluate applicants efficiently.
AI service providers
The summarization feature is powered by Anthropic's Claude API. If that feature is used, the questionnaire inputs necessary for the request and the resulting summary are processed by Anthropic on our behalf. Anthropic is not permitted to use the data for unrelated purposes.
How we process your data using AI
Personal data shared with Anthropic is limited to what is strictly necessary for the summarization function. Under Anthropic's commercial API terms, customer inputs and outputs are not used for model training by default unless the customer affirmatively opts into a separate arrangement.
We implement contractual, access-control, and security safeguards designed to protect information processed through this feature.
8
Is your information transferred internationally?
In short: Our servers are located in the EU, but some third-party service providers may process personal data in the USA. Where that happens, we use appropriate safeguards.
Arbor S j.d.o.o. is established in Croatia and our primary servers are located in the EU. Certain personal data may still be transferred to and processed by third- party service providers in the United States, including Anthropic, Stripe, and Google.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V. Depending on the provider and transfer context, these safeguards may include the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses.
If you are a resident of the EEA, UK, or Switzerland, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.
9
How long do we keep your information?
In short: We keep personal data only as long as necessary for the purposes described in this notice and in line with legal obligations.
We retain data for the following general periods:
- Account data for room providers and applicants: while your account remains active, plus any additional period needed for legal, security, dispute-resolution, or accounting purposes
- Applicant questionnaire responses: for the period necessary to provide the Service to the relevant room provider and applicant, for as long as the applicant has an account
- Payment records: as required by applicable tax and accounting law
- Log and analytics data: according to our internal retention settings and Cookie Notice, after which it is deleted or anonymized where appropriate
- Marketing consent records: for as long as needed to demonstrate compliance with applicable marketing and privacy laws
When personal data is no longer needed, we delete it, anonymize it, or, where immediate deletion is not technically possible, isolate it from further processing until deletion is possible.
10
How do we keep your information safe?
In short: We use appropriate technical and organizational security measures to protect personal data in accordance with GDPR Art. 32.
These measures include:
- Encryption of personal data in transit and, where applicable, at rest
- Access controls restricting access to authorized personnel
- Secure authentication measures for user accounts and internal systems
- Security monitoring for threats, misuse, and vulnerabilities
- Contractual security obligations for third-party processors
Despite these measures, no system is completely secure. If you believe your data has been compromised, contact us immediately at hello@my-roommate.app .
11
Do we collect information from minors?
In short: Our Services are not directed to anyone under the age of 18.
We do not knowingly collect personal data from individuals under 18 years of age. By using our Services, you confirm that you are at least 18 years old.
If we discover that we have inadvertently collected data from a minor, we will promptly delete it.
12
What are your privacy rights?
In short: If you are located in the EEA, UK, or Switzerland, you have extensive rights regarding your personal data under the GDPR.
Under the GDPR and related laws, you have the following rights:
- Right of access under Art. 15
- Right to rectification under Art. 16
- Right to erasure or the right to be forgotten under Art. 17
- Right to restriction of processing under Art. 18
- Right to data portability under Art. 20
- Right to object under Art. 21
- Rights relating to automated decision-making under Art. 22, including requesting human review where applicable
- Right to withdraw consent at any time under Art. 7(3)
You may review or update your account information, manage certain privacy settings, or request account deletion by logging in to your account settings or user profile at my-roommate.app/user-profile .
To exercise these rights, visit my-roommate.app/user-profile or contact hello@my-roommate.app . We will respond within the timeframe required by applicable law.
You also have the right to lodge a complaint with your national data protection authority. In Croatia, this is the Agencija za zastitu osobnih podataka (AZOP). If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner. In other EEA member states, please contact your local data protection authority.
13
Do we make updates to this notice?
In short: Yes. We may update this notice from time to time to stay compliant with applicable laws and reflect changes in our Services.
The updated version will be indicated by the "Last updated" date at the top of this page.
If we make material changes, we will notify you by email or by prominently posting a notice in the Services. We encourage you to review this notice periodically.
14
How can you contact us about this notice?
In short: Email us at hello@my-roommate.app or write to us using the postal address below.
Postal address
Arbor S j.d.o.o.Hosti 25/2
Rijeka 51 000
Croatia
7
How do we handle your social logins?
In short: If you register using a social media account, we receive certain profile information from that provider.
Our Services offer the ability to register and log in using social media accounts, such as Google, Facebook, or X logins. If you choose to do this, we will receive certain profile information about you from your provider, typically including your name, email address, friends list, and profile picture.
We use the information only for the purposes described in this Privacy Notice, including account registration, authentication, and profile set-up. We do not control, and are not responsible for, other uses of your personal information by the third-party social media provider.
You can usually manage what information a social login provider shares with us by reviewing the permissions requested at sign-in and adjusting your privacy and account settings directly with that provider.