roundely
← Back home

Privacy Policy

Effective: 15 May 2026

Overview

Roundely is a private, invite-only assistant that helps organisers coordinate social plans. We collect the minimum data needed to run the service, store it encrypted, and never sell it, share it for advertising, or use it to train AI models.

What we collect

  • Sign-in data: your email and (optionally) phone number, used to identify you and send the magic-link sign-in.
  • Your network of contacts: names, emails, phones, and the tier / group / avoid-pair labels you set. Stored encrypted, scoped to your organiser account.
  • Communications log: a record of invitations sent and responses received, retained 90 days for support and abuse investigation.
  • Google Contacts (only if you connect): when you opt in to the Google Contacts sync, we read names, emails, and phone numbers from the label you select. We do not read addresses, photos, biographies, organisations, or any other field, and we never write back to your Google account.

How we use data

  • To send invitations and reminders on your behalf.
  • To match candidates for plans using your tier and group settings.
  • To improve the service in aggregate (never tied to individuals).
  • We do not use your data for advertising, sell it to third parties, or use it to train AI models.

Third parties involved

  • Anthropic(Claude API) — handles the conversational agent. Anthropic's data policy applies to messages we send for processing; we send only what's needed for the immediate task.
  • Resend — delivers email on our behalf.
  • Supabase — hosts the database.
  • Vercel — hosts the application.
  • Cloudflare Turnstile— protects our sign-up form from bots. When you request access, Cloudflare receives technical signals (such as your IP address and browser characteristics) to verify you're human. This is governed by the Cloudflare Turnstile Privacy Policy.
  • Google — only when you opt into the Contacts sync. We use the People API with read-only scope and the Limited Use rules of the Google API Services User Data Policy.

How we protect data

Contacts, tier labels, soft groups, avoid-pairs, and OAuth refresh tokens are encrypted at rest using a per-organiser key derived via HKDF v2. Other data is protected by Supabase's row-level security policies, HTTPS in transit, and passwordless magic-link authentication.

Retention

We keep your account data until you close your account or request deletion. Communications log entries are retained for 90 days. Database backups follow Supabase's default retention policy.

Your rights

  • Access: request a copy of what we hold on you.
  • Deletion: request deletion of your account and data.
  • Export: download your contact list as CSV.
  • Withdraw OAuth consent: revoke our Google access at myaccount.google.com/permissions. Disconnecting from inside our app removes our stored credentials immediately.

Email hello@roundely.com to make any of these requests.

Google API Services User Data Policy compliance

Roundely's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scope requested

Roundely requests only the https://www.googleapis.com/auth/contacts.readonly scope (read-only access to your Google Contacts). We also use openid and userinfo.email to identify which Google account you connected. We do not request, and do not receive, any other Google data.

Limited Use commitments

  • User-facing features only: we use Google user data only to provide and improve user-facing features that are prominent in the Roundely user experience — specifically, importing contacts from a label you select in Google Contacts into your private organiser network.
  • No third-party transfer: we do not transfer Google user data to others except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (and only with continued protection of the data).
  • No advertising: we do not use Google user data for serving advertisements, including retargeted, personalised, or interest-based advertising.
  • No human access: we do not allow humans to read Google user data unless we have obtained your affirmative agreement to view specific data, as necessary for security purposes (such as investigating abuse or resolving a support request), or to comply with applicable law.
  • No AI/ML training: we do not use Google user data to develop, improve, or train generalised AI and/or ML models.

What we read from your Google Contacts

Only the contact's display name, email address, and phone number, and only for the label you select. We do not read addresses, photos, birthdays, biographies, organisations, relations, custom fields, or any other Google Contacts field. The full Google People API response includes around 30 fields per contact; everything except name, email, and phone is discarded at the API boundary in our application code, before any persistence to our database.

Where Google data goes inside Roundely

Imported contacts are stored encrypted (HKDF v2 per-organiser key) in our Supabase database, scoped to your organiser account, and visible only to you. They are used solely to enable you to invite those contacts to social plans you organise. Your Google OAuth refresh token is also stored encrypted under the same per-organiser key; the access token is never persisted and is refreshed per sync.

Disconnecting and revoking

You can disconnect at any time inside Roundely under Settings → Integrations or directly on the sync page — disconnecting removes our stored credentials immediately. To revoke our access at the Google end, visit myaccount.google.com/permissions. Already-imported contacts remain in your Roundely network after disconnection; delete them individually if you want them removed.

International users (GDPR / CCPA)

For users in the EU/UK, our lawful basis for processing is contract — you signed up for the service and we use your data to provide it. For California residents under CCPA: we do not sell personal information.

Children

Roundely is intended for adult organisers at private members' clubs. We do not knowingly collect data from anyone under 18.

Changes to this policy

Material changes will be communicated to active organisers by email at least 7 days before they take effect. The current version is always live at this URL.

Contact

Questions, requests, or concerns: hello@roundely.com.