Privacy Policy

RollM8s ("we", "our", "us") is the UK Skate, Wheels & Boards community platform — built first for roller skaters and now serving inline skaters, skateboarders, longboarders, BMX riders, scooter riders, snow sports crews and related communities. We provide event ticketing, ride-sharing, peer-to-peer Community Listings, crisis resource mapping (Blackout Zone), offline navigation, a global events calendar (World Trips), community features (Safe Space, Corners, Unfiltered, Floor Tax), and related services. This policy explains how we collect, use, store, and protect your information, and is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data controller: RollM8s (sole trader, United Kingdom). Contact: connect@rollm8s.com. We are not required to appoint a statutory Data Protection Officer under UK GDPR Article 37; privacy queries should be directed to the contact email above.

Account Information: Name, email, phone number, skater/rider name or alias, profile photo, vehicle details (for drivers), selected community (roller skate, inline, skateboard, BMX, etc.), and social media links.

Location Data: GPS coordinates when using the Blackout Zone map, offline navigation, ride-share features, or "Resources Near Me". This data is processed locally on your device for offline routing and is only sent to our servers when you share a ride or search for online resources.

Usage Data: Pages visited, features used, event attendance, ride history, shop listings, community interactions, and theme preferences.

Payment Data: We use Stripe as our payment processor. We do not store your full card details. Stripe handles all payment data in accordance with PCI-DSS standards.

Content: Messages, posts (Unfiltered, Safe Space, Floor Tax), uploaded images (profile photos, shop listings, event images), incident reports, and community contributions.

Blackout Zone Data: Locally cached road networks, postcode lookups, resource bookmarks, and offline map data stored in your browser's IndexedDB. This data never leaves your device unless you explicitly share it.

Device Data: Browser type, operating system, device identifiers, and push notification tokens (if enabled).

We use your data for the purposes below. Each purpose is supported by one or more lawful bases under UK GDPR Article 6:

• Create and manage your account, profile, and corner — lawful basis: performance of a contract (Art. 6(1)(b)).
• Facilitate ride-sharing (matching drivers with passengers, calculating cost splits, providing real-time navigation) — lawful basis: performance of a contract (Art. 6(1)(b)).
• Process event ticket purchases and manage waitlists — lawful basis: performance of a contract (Art. 6(1)(b)).
• Power the Blackout Zone (displaying nearby resources, offline navigation, incident reports) — lawful basis: legitimate interests (Art. 6(1)(f)) — enabling community safety.
• Operate the Community Listings board — lawful basis: performance of a contract (Art. 6(1)(b)).
• Operate the Hire Hub (booking, payment, deposit, dispute resolution, evidence storage) — lawful basis: performance of a contract (Art. 6(1)(b)) and legitimate interests in providing a fair dispute mechanism (Art. 6(1)(f)).
• Show World Trips events and track attendance — lawful basis: performance of a contract (Art. 6(1)(b)).
• Deliver community features (Safe Space, Unfiltered, Floor Tax, Post-it Notes) — lawful basis: performance of a contract (Art. 6(1)(b)) and legitimate interests (community participation).
• Send transactional notifications (bookings, events, messages) — lawful basis: performance of a contract.
• Send marketing or feature-update notifications — lawful basis: consent (Art. 6(1)(a)), which you can withdraw at any time via in-app settings.
• Improve the platform through usage analytics and feedback — lawful basis: legitimate interests (Art. 6(1)(f)).
• Safety, fraud prevention, and abuse detection — lawful basis: legitimate interests and, where applicable, legal obligation (Art. 6(1)(c), e.g. Online Safety Act 2023).

The Blackout Zone and ride-share features use your device's GPS. You can control location access through your browser or device settings.

Offline Navigation: When you download the road network for offline use, the graph data is stored locally in your browser's IndexedDB. Route calculations happen entirely on your device — no server communication is required. We do not track your offline routes.

Offline Resources: Cached crisis resources (food banks, shelters, medical facilities, etc.) are stored locally for offline access. This data is sourced from public datasets and does not contain personal information.

We share your information only in these circumstances:

• Ride-shares: Your name, pickup preferences, and approximate location are visible to drivers/passengers on the same booking
• Community Listings: Your seller profile and listing details are visible to other users
• Hire Hub: When you book or list gear for hire, the counter-party sees your @username, the booking dates, and the pickup/return photos you upload. In a damage dispute, those photos and the in-app chat history are shared with RollM8s' moderation team for adjudication. We never share your real legal name or personal contact details with the counter-party unless a court order requires it.
• Community: Posts in public areas (Unfiltered, Floor Tax) are visible to all users. Safe Space posts are pseudonymous — see "Safe Space & safeguarding" below
• Event organisers: If you purchase a ticket or RSVP, the organiser may see your name and attendance status
• Payment processors: Stripe processes payments and handles related fraud-prevention on our behalf
• Legal requirements: We may disclose data if required by UK law or to protect safety

We never sell your personal data to third parties for advertising.

Safe Space & safeguarding: Safe Space posts are pseudonymous by default. However, in cases of serious risk to life or safeguarding concerns (including suspected self-harm, child safety or threats to others), we may break pseudonymity and share the minimum information necessary with emergency services, safeguarding authorities, or law enforcement, where required by law or to protect someone from serious harm.

Our key data processors: Stripe Inc. (payments, US), Google Cloud Storage / Google LLC (file and image storage, US), Firebase Cloud Messaging / Google LLC (push notifications, US), MongoDB Atlas (database hosting, region-configurable), and the hosting infrastructure that runs this platform.

Some of our processors (Stripe, Google Cloud, Firebase) are US-based and process data outside the United Kingdom. Where this happens, we rely on the safeguards approved by the UK Information Commissioner's Office (ICO), including:

• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as incorporated into our processors' data processing terms.
• The UK-US Data Bridge (Data Privacy Framework) where our processors are certified participants.

If you would like a copy of the specific safeguards applied to any transfer, please contact us at connect@rollm8s.com.

We keep your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. Our default retention periods are:

• Account data (name, email, profile): Retained for the life of your account. Deleted within 30 days of account deletion, except where we must retain it for legal or fraud-prevention reasons.
• Ride history & bookings: Retained for up to 24 months after the ride, to support dispute resolution and safety investigations.
• Hire Hub bookings, pickup/return photos & dispute evidence: Retained for 3 years from the booking end-date — this matches the UK Limitation Act 1980 standard period for contractual claims and protects both parties.
• Event tickets & payment records: Retained for 7 years to comply with HMRC record-keeping requirements.
• Community posts (Unfiltered, Floor Tax, Safe Space): Retained while your account is active; removed within 30 days of account deletion unless required for safety investigations.
• Push notification tokens: Retained while you have notifications enabled. Cleared when you disable notifications or delete the app. You can revoke tokens at any time via your device settings or in-app notifications settings.
• Server logs & analytics: Rolling 90 days.
• Locally cached data (IndexedDB, offline maps): Under your control — clear from the Blackout Zone settings or your browser at any time.

Your data is stored on secure cloud servers. We use encryption in transit (HTTPS/TLS) and implement access controls to protect your information. Passwords are hashed using bcrypt and never stored in plain text.

Offline data (road graphs, cached resources, postcodes) is stored in your browser's IndexedDB and is under your control. You can delete it at any time through the Blackout Zone settings.

Under UK data protection law, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate information via your profile settings
• Erasure: Request deletion of your account and associated data
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where we rely on consent (e.g., marketing notifications), you can withdraw at any time

To exercise any of these rights, contact us at connect@rollm8s.com.

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

We use only strictly necessary and functional browser storage:

• localStorage / sessionStorage: authentication tokens, theme preferences, saved filters, and cached user settings.
• IndexedDB: offline Blackout Zone maps, postcode lookups and resource caches.
• Service worker cache: app shell files for offline/PWA operation.

We do not use third-party advertising cookies or cross-site tracking. Because our cookie use falls within the "strictly necessary" and "functional" categories under the UK PECR, no explicit consent banner is required. If this ever changes (for example, if we add analytics), we will introduce a consent banner before such tracking begins.

RollM8s is intended for users aged 16 and above (17 and above for drivers). We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Significant changes will be communicated via in-app notification or email. Continued use of RollM8s after changes constitutes acceptance of the updated policy.

For privacy-related questions or data requests:

Email: connect@rollm8s.com

Platform: Use the in-app support feature

Supervisory authority: UK Information Commissioner's Office — ico.org.uk