Privacy Policy

1. Data Controller

Open Road is the data controller for personal data processed through the App.

Contact: openroad2026@gmail.com

2. Data We Collect

2.1 Local Drive Data

The following data is stored locally on your device and optionally synced to your private iCloud account via CloudKit:

• Location data: GPS coordinates recorded during drive sessions to display routes, calculate distance, speed, and render maps/heatmaps.
• Motion data (if enabled): Accelerometer and gyroscope data used to estimate acceleration and driving dynamics.
• Drive metadata: Start/end times, duration, and user-assigned labels or notes.

This data remains on your device and iCloud. Drive route data is not transmitted to Open Road servers; however, if you use social features, related data (such as presence or shared speed objects) may be sent to our servers as described below.

2.2 Social Features Data (Server-Stored)

If you use social features, the following data is processed on our Firebase backend:

• Account identifier: A stable identifier from Sign in with Apple (we do not receive your email unless you choose to share it).
• Friends list: User identifiers of people you connect with.
• Convoy membership: Data about convoy groups you join or create.
• Live presence (optional): Your real-time location shared with friends during active sessions.
• Speed traps/zones: Location data for speed traps or zones you report, shared with friends.
• Push notification tokens: Device tokens stored in Firebase Cloud Messaging (FCM) to deliver notifications.

2.3 Voice Chat

Voice chat is facilitated via LiveKit. We issue authentication tokens to connect calls. Audio streams are transmitted peer-to-peer or via LiveKit servers in real-time. Voice calls are not recorded or stored.

3. Purposes and Legal Bases

4. Recipients and Processors

We use the following third-party service providers (processors) to operate Open Road:

• Google / Firebase: Firestore (database), Cloud Functions (server logic), Cloud Storage (file storage), and Firebase Cloud Messaging (push notifications). Data is processed on Google Cloud infrastructure.
• Apple: Sign in with Apple (authentication), App Store (subscription and purchase processing), and iCloud/CloudKit (optional drive data sync). We do not receive your payment card details from Apple.
• LiveKit: Real-time voice transport for voice chat. LiveKit receives authentication tokens and routes audio streams; voice calls are not recorded.

We do not sell personal data to third parties. We do not use third-party advertising or ad tracking services.

5. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers (Google/Firebase, LiveKit, Apple) operate data centers.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: we rely on recognized transfer mechanisms used by our service providers (such as Standard Contractual Clauses) to facilitate lawful data transfers to countries without an adequacy decision.

You can request more information about international transfer safeguards by contacting us.

6. Data Retention

• Local drive data: Retained on your device and iCloud until you delete it or delete your account.
• Live presence data: Short time-to-live (TTL); automatically expires shortly after you stop sharing or go offline.
• Push notification tokens: Retained until you revoke notification permissions, disable notifications in-app, or delete your account.
• Speed trap/zone objects: Retained until you hide or remove them in-app or delete your account. Note: items you have shared may persist for other users who already received them.
• Friends list and convoy data: Retained until you remove the relationship or delete your account.
• User reports and blocks: Retained for the minimum period necessary to maintain platform safety and investigate potential violations.
• Account deletion receipts: A limited audit record may be retained for a short period to confirm deletion was processed and prevent abuse (e.g., repeated account creation to circumvent blocks).
• Voice chat: No retention; audio is transmitted in real-time and not recorded or stored.

7. Your Rights

Under GDPR and applicable US privacy laws, you may have the following rights regarding your personal data:

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data ("right to be forgotten").
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Request your data in a portable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Withdraw consent at any time where processing is based on consent (e.g., live presence, push notifications, microphone access).

How to Exercise Your Rights

• Email: Contact us at openroad2026@gmail.com with your request. We may ask you to verify your identity before processing.
• In-app deletion: You can delete your account directly in the App via Settings → Delete Account. This removes your server data, local data, and iCloud data (if enabled).

We aim to respond to data subject requests within 30 days, or as required by applicable law.

8. Account Deletion

You can delete your account at any time from within the App:

Settings → Delete Account

Account deletion triggers removal of: (1) your server-side data (Firestore, Cloud Storage, FCM tokens), (2) local data on your device, and (3) an attempt to delete iCloud/CloudKit data associated with the app if iCloud sync is enabled. iCloud deletion may take time to propagate and may not complete if iCloud services are unavailable at the time of deletion.

9. Supervisory Authority (EU Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority (data protection authority).

A list of EU/EEA data protection authorities is available at edpb.europa.eu. We encourage you to contact us first so we can try to resolve any concerns directly.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS).
• Encryption at rest is applied by our service providers (Firebase, iCloud) as part of their standard infrastructure.
• Authentication via Sign in with Apple with secure token handling.
• Firebase Security Rules to restrict data access.
• Regular review of access controls and security practices.

11. Reporting and Safety

How to Report

You can report users or speed trap/zone content directly within the App. Reports can typically be submitted from user profiles or from the content itself via the report option in the interface.

How Reports Are Reviewed

When a report is submitted, we review the reported content or account to determine whether it violates our terms of service or community guidelines. Depending on the outcome of the review, we may take one or more of the following actions:

• Hide or remove the reported content from social surfaces (e.g., speed traps, shared locations).
• Restrict the reported account's access to social features.
• Suspend or terminate the reported account in cases of serious or repeated violations.
• Take no action if the report does not indicate a violation.

We do not guarantee any specific outcome from a report. Decisions are made based on the information available at the time of review.

Law Enforcement and Legal Requests

For law enforcement requests, legal notices, or other official inquiries, please contact us at openroad2026@gmail.com. We may require verification of authority and proper legal process before responding to such requests.

12. Children and Minors

Open Road is not intended for use by children under the age of 13 (or the applicable minimum age in your jurisdiction, such as 16 in parts of the EU). We do not knowingly collect personal data from children below these ages.

If you believe a child under the applicable age has created an account or provided us with personal data, please contact us at openroad2026@gmail.com. We will take steps to delete the data as soon as reasonably practicable.

13. California Notice

We do not sell or share personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

14. Automated Decision-Making

We do not use automated decision-making processes that produce legal effects or similarly significant effects concerning you.

15. EU Representative

If required under Article 27 of the GDPR, we will designate a representative in the European Union and update this policy accordingly.

16. Purchases

Subscriptions and in-app purchases are processed by Apple via the App Store. We do not receive or store your payment card details. Purchase history is managed by Apple and subject to Apple's privacy policy.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the App after changes constitutes acceptance of the revised policy.