Legal

Privacy Policy

Last updated May 28, 2026

Roost is built to need as little of your data as possible. Your PIN never leaves your device, and we don't track which apps you block or how you use your phone. This policy explains the little we do collect and why.

Who we are

Roost is operated by Merit Apps LLC, a Texas limited liability company ("Roost," "we," "us"). Roost is an iOS app that helps families lock distracting apps on a schedule using Apple Screen Time. This policy covers the Roost app and this website. You can reach us at support@useroost.app.

Information we collect

Email address

We collect an email address in two situations: when you contact us for support, and when you set up PIN recovery in the app. For PIN recovery, your email is stored so we can send a reset code if you forget your PIN. We store it lowercased alongside an anonymous install identifier and the date it was registered.

Install identifier

Each app installation generates a random identifier (a UUID). We use it only as an opaque key to look up the email tied to your install when you request a PIN reset. It is not linked to your name, device, or Apple ID, and it is not used for advertising or analytics.

Reset codes

When you request a PIN reset, we generate a six-digit code, store only a hashed (SHA-256) copy of it for up to 10 minutes, and email you the code. We never store the code in plain text.

What stays on your device

• Your PIN. It is hashed and stored only in your device's secure Keychain. It is never sent to us, and a full breach of our servers could not reveal it.
• The apps and schedules you choose. Roost uses Apple's Family Controls and Screen Time frameworks. Your app selections are represented by opaque tokens that stay on your device — we never see which apps you block or when.
• Your usage. We do not collect browsing history, app usage, location, or device analytics.

How we use your information

• To send you a PIN reset code when you request one.
• To respond if you contact us for support.
• To protect the service — for example, rate-limiting reset requests to prevent abuse.

We do not sell your information or use it for advertising.

Service providers

We rely on a small number of providers to run Roost:

• Vercel — hosts the PIN recovery service.
• Upstash Redis — stores the email-to-install mapping, short-lived reset records, and rate-limit counters used by PIN recovery.
• Resend — delivers PIN reset emails to your address.
• Apple — provides the Screen Time and Family Controls frameworks that power app blocking. Apple's handling of that data is governed by Apple's own privacy policy.

Data retention

• Your email and install record are kept until you ask us to delete them or you remove the app.
• Reset codes expire after 10 minutes.
• Rate-limit counters expire after one hour.

Children's privacy

Roost is a tool set up and managed by a parent or guardian. The only personal information we collect — an email address — belongs to the adult who installs and configures the app. Roost is not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

Your choices

• Deletion. Email support@useroost.app to have your stored email and install record deleted.
• Recovery email. You can update your PIN recovery email in the app settings or ask us to delete the stored record.
• Depending on where you live, you may have additional rights to access, correct, or delete your data. Contact us to exercise them.

Security

All communication with our servers uses HTTPS. PINs are hashed on-device, reset codes are stored only as hashes with a short lifetime and an attempt limit, and reset codes are only ever sent to the email already registered for that install.

Changes to this policy

We may update this policy as Roost evolves. When we make material changes, we will update the "Last updated" date above.

Contact

Questions about privacy? Email support@useroost.app.