OverTrail RO — Privacy Policy
Effective date: 2026-05-19.
Public version hosted at: https://overtrail.ro/privacy
This privacy policy explains what data the OverTrail RO Android app collects, how that data is used, who else processes it, and how long it is kept. It exists to comply with Romanian and EU data-protection law (Regulation (EU) 2016/679 — "GDPR") and Google Play's app-publishing requirements.
If you have a question about your data or want to exercise any of the rights listed at the bottom of this document, email contact@overtrail.ro.
1. Who is the data controller?
OverTrail RO is operated by Constantin, an individual developer based in Bucharest, Romania. This is a hobby / non-commercial project — there is no registered company behind it at the time of writing. Contact: contact@overtrail.ro.
A Romanian version of this policy is available at https://overtrail.ro/privacy-ro.
2. The short version
- No name, email, or phone is required to use the app.
- You sign in anonymously on first launch — the app generates a random user ID that lives on your device until you delete the app or ask us to wipe it.
- Location data is collected only when you use a location-aware feature (recording a GPS track, sharing your position with convoy members, posting a hazard or SOS). Background location is requested only if you choose to broadcast to a convoy.
- No analytics, no advertising, no third-party SDKs beyond Firebase Cloud Messaging (for SOS notifications). The app has no Crashlytics, no Facebook SDK, no AppsFlyer, no anything-like-that.
- Map tiles, routing requests, and address searches are sent to third-party services (OpenStreetMap, OpenTopoMap, OSRM, Photon, Esri/ArcGIS, OpenFreeMap) — those providers can see the coordinates you query. See § 5 for the full list.
- You can request deletion of your data at any time by emailing contact@overtrail.ro with your anonymous user ID.
3. What data the app collects
3.1 Account
- A randomly-generated anonymous user ID (UUID), created by Supabase Auth on first launch. No email, password, phone, or name is required or collected.
- A Firebase Cloud Messaging (FCM) registration token — a long device-specific string Google issues to allow us to push you SOS notifications. Linked to your anonymous user ID in our database.
3.2 Location
The app collects precise location (GPS coordinates + altitude when available) only when:
- You record a GPS track — stored on your device only. Never uploaded.
- You post a POI (camping spot, water spring, etc.), hazard report, or SOS alert — the location of that single post is uploaded to Supabase so other users in the area can see it on the map.
- You join or create a convoy and enable position sharing — your live position is broadcast to the other convoy members (max 12 people who all share a 6-character convoy code). See § 6 for the convoy detail.
The app never collects location passively in the background unless you have explicitly joined a convoy and granted background-location permission. Even then, broadcasting auto-stops after 2 hours of foreground-screen-off use to limit battery and data drain.
3.3 User-generated content
- POI names + descriptions (≤ 800 chars)
- Hazard descriptions (≤ 280 chars, optional)
- SOS descriptions (≤ 280 chars, optional) and contact_hint (≤ 80 chars, optional — typically your own phone number if you choose to share it)
- Convoy nicknames (≤ 8 chars, visible only to other members of your convoy)
- Moderation reports you file against other users' content
3.4 Map / routing / search queries
When you pan the map, search for a place by name, or ask for turn-by-turn navigation, the device sends the relevant coordinates or search text to third-party map providers (§ 5). These queries do not include your anonymous user ID. The providers can, however, see the IP address your device connects from.
3.5 What the app does NOT collect
- Your real name, email, or phone number (unless you voluntarily put contact info in an SOS contact_hint).
- Photos, microphone audio, contacts, calendar, or any other Android user data.
- Analytics events, ad identifiers, or behavioural telemetry.
- Web-browsing history. Crash logs are NOT collected by us (Google Play's pre-launch report runs its own diagnostics outside this scope).
4. Why each piece of data is collected (lawful basis)
Under GDPR Art. 6:
| Data | Purpose | Lawful basis |
|---|---|---|
| Anonymous user ID | Authenticate API calls; prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| FCM token | Deliver SOS push notifications | Consent (Art. 6(1)(a)) — implicit in installing an off-road app + granting POST_NOTIFICATIONS |
| Location of a POI / hazard / SOS post | Show the post on a shared map | Consent — you explicitly chose to post |
| Live convoy position | Show your position to convoy members | Consent — you explicitly joined a convoy and granted background-location permission |
| Free-text content in posts | Display to other users | Consent |
| IP address (transient, in HTTP headers) | Connect to our backend | Legitimate interest (Art. 6(1)(f)) — network protocol requires it |
| Map / routing / search queries to third-party providers | Show maps; calculate routes; find addresses | Legitimate interest (Art. 6(1)(f)) — these are the requested user actions |
No data collection is based on a contract (Art. 6(1)(b)) — there is no paid subscription — and none of it falls under the "vital interest" or "public task" bases.
5. Third parties that receive your data
OverTrail RO does not sell your data and does not share it for advertising. Data passes to the following service providers strictly to make the app work:
5.1 Supabase (primary backend)
- What: Anonymous-auth records, POIs, hazards, SOS alerts, convoy memberships, FCM tokens, moderation reports.
- Where: EU region (Frankfurt, Germany). Operated by Supabase Inc.
- Why: Our database, authentication server, and Realtime push channel.
- Privacy policy: https://supabase.com/privacy.
5.2 Firebase Cloud Messaging (push notifications)
- What: Your FCM registration token + the contents of any SOS notification we send your way.
- Where: Google global infrastructure. Operated by Google LLC.
- Why: Deliver heads-up notifications when another user posts an SOS in your geohash cell.
- Privacy policy: https://policies.google.com/privacy.
5.3 OSRM routing
- What: Latitude/longitude of your current position and your chosen destination, sent over HTTPS for route calculation.
- Where: router.project-osrm.org (community-operated demo server).
- Why: Calculate turn-by-turn driving routes.
- Privacy policy: https://routing.openstreetmap.de/about.html.
5.4 Photon (Komoot) — geocoding
- What: The text you type into the search bar, plus your current position as a bias (to rank nearby results higher).
- Where: photon.komoot.io — operated by Komoot GmbH.
- Why: Convert "Cabana Padina" into a map coordinate.
- Privacy policy: https://www.komoot.com/privacy.
5.5 OpenStreetMap tile servers
- What: Map-tile requests ({z}/{x}/{y} URL segments) — these effectively reveal which map regions you are looking at.
- Where: a/b/c.tile.openstreetmap.org (OpenStreetMap Foundation, UK).
- Why: Render the standard online map style.
- Privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy.
5.6 OpenTopoMap, CyclOSM, Esri/ArcGIS World Imagery, OpenFreeMap
- What: Same shape as § 5.5 (tile requests revealing the regions you view) for the alternative map styles.
- Where: Various community-operated servers + Esri (ArcGIS).
- Privacy policies:
5.7 What no third party receives
- None of the third-party services above receives your anonymous user ID.
- None of them receives the contents of POIs / hazards / SOS posts (those stay between your device and Supabase).
- None of them receives any contact information you may have entered in an SOS contact_hint.
6. The convoy feature in detail
This deserves its own section because it is the only feature that uses background location, and it is the only feature where your real-time position becomes visible to other people.
6.1 How it works
- You explicitly create or join a convoy by entering a 6-character code shared by the convoy owner (think "AirDrop for off-road groups"). Convoys are capped at 12 members.
- Before background broadcasting starts, the app shows an in-app disclosure dialog explaining what's about to happen, and then asks Android for the ACCESS_BACKGROUND_LOCATION permission.
- While broadcasting, a persistent notification appears showing "Convoy active — your position is being shared" with a one-tap "STOP SHARING" button.
- Broadcasting automatically stops after 2 hours of cumulative foreground-screen-off use, even if you forget you joined.
6.2 What flows where during a convoy
- Your live position (lat/lon/heading) is sent every ~5 seconds to Supabase Realtime Broadcast and immediately relayed to the other convoy members. It is not stored — there is no database row written for any single position ping.
- Your convoy membership (anonymous user ID + nickname + color) is stored in a database row for the lifetime of the convoy. Convoys auto-expire 12 hours after the last activity (last position broadcast or heartbeat) and are then deleted server-side.
6.3 Who can see your position
- Only other members of the same convoy. Membership is gated by the 6-character code and enforced by Supabase Row-Level Security.
- The convoy owner can kick any member, immediately revoking their ability to see other members' positions.
- Any member can leave the convoy at any time, immediately stopping their broadcasting and removing them from the others' maps.
6.4 How to stop
- Tap the persistent notification's "STOP SHARING" button — instant.
- Open the app → MENIU → Convoi → LEAVE CONVOY — instant + removes your membership row.
- Disable the app's background-location permission in Android Settings → Apps → OverTrail → Permissions — at the OS level, instant.
- Force-quit the app — the foreground service stops, broadcasting stops. The system will not relaunch it.
7. How long data is kept
| Data | Retention |
|---|---|
| Anonymous user ID | Until you delete the app or email us to wipe it |
| FCM token | Until your device deregisters (uninstall / clear data) or you wipe the account |
| GPS tracks | On-device only — never uploaded; you control them in the "Trasee Salvate" screen |
| POIs | Permanent until you delete them, or auto-hidden if ≥ 3 distinct users report them (see Moderation Policy) |
| Hazard reports | 4 hours after creation (auto-deleted by a 15-minute cron job) |
| SOS alerts | 24 hours after creation (auto-resolved + deleted after the resolved-state retention) |
| Convoy membership rows | 12 hours after the last activity from any member |
| Live convoy positions | Not stored — relayed via Realtime Broadcast and discarded |
| Moderation reports you file | Indefinite (immutable audit log) — visible only to you and the operator |
8. International transfers
- Supabase data is hosted in Frankfurt, Germany (EU). No transfer outside the EU/EEA happens for the primary backend.
- Firebase Cloud Messaging operates on Google's global infrastructure. Google relies on Standard Contractual Clauses (Art. 46 GDPR) for transfers outside the EEA — details in their privacy policy.
- The third-party tile / routing / geocoding services listed in § 5 are operated by entities in the EU (Komoot — Germany; OpenStreetMap Foundation — UK + community mirrors) and the US (Esri). Each request is a transient HTTP call; nothing about you persists with those providers beyond their own server logs.
9. Your rights under GDPR
You have the right to:
- Access the data we hold about you. Email contact@overtrail.ro with the anonymous user ID visible in the app's Settings → About screen. We'll send a JSON export within 30 days.
- Rectification — correct anything that's wrong. POIs and SOS alerts you created are editable / deletable directly in the app. For other corrections, email us.
- Erasure / "Right to be forgotten" — email contact@overtrail.ro with your anonymous user ID. We'll purge your auth.users row and cascade-delete every row referencing it within 30 days. An in-app self-service delete-account flow is planned for a future release.
- Restriction of processing — same email; tell us which processing you want paused.
- Object to processing based on legitimate interest — same email.
- Data portability — request your data export under "Access" above; the format will be machine-readable JSON.
- Withdraw consent at any time, where consent was the basis (e.g. revoke POST_NOTIFICATIONS or ACCESS_BACKGROUND_LOCATION in Android Settings).
- Lodge a complaint with the Romanian data-protection authority (ANSPDCP — dataprotection.ro) if you believe we've mishandled your data.
10. Children's privacy
OverTrail RO is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has used the app and you'd like their data removed, email contact@overtrail.ro.
11. Security
- All network traffic is over TLS 1.2+ (HTTPS). Plain HTTP is disabled at the OkHttp + manifest level.
- Database access is gated by Row-Level Security policies on every table, so a compromised anon-auth token cannot read other users' data beyond what the in-app UX exposes.
- Anonymous user IDs are random UUIDs — they cannot be reversed into PII because no PII was collected to begin with.
- The Supabase publishable API key shipped in the APK is intentionally public; it grants no privileges beyond what RLS allows.
This said, no system is perfectly secure. If you discover a vulnerability, please email contact@overtrail.ro rather than posting it publicly so we can fix it before bad actors notice.
12. Changes to this policy
Material changes (new third parties, new data categories, changed retention) will be announced in the app's release notes and reflected in the "Effective date" at the top of this document. Continued use of the app after a change implies acceptance of the new policy. If a change is significant enough that it requires fresh consent (e.g. adding analytics — which we won't), the app will prompt you in-app.
The current version always lives at https://overtrail.ro/privacy.