Washington residents: in addition to this Privacy Policy, please read our Consumer Health Data Privacy Policy, which governs "consumer health data" under RCW 19.373.
Quick Summary
- What Open Road does: Drive logging app with optional social features (friends, convoys, live presence, marker sharing, voice chat).
- Local data: Drive logs stored on-device (Core Data + CloudKit on iOS; Room database on Android) and optionally synced to private iCloud (iOS) or Firebase (Android).
- Server data: Social features use Firebase (Firestore, Realtime Database, Cloud Functions, Storage, FCM, App Check). Voice chat uses LiveKit for real-time audio (not recorded).
- Account: Sign in with Apple (iOS), Sign in with Google (iOS and Android), or email/password (Android); we receive only a stable identifier unless you choose to share your email or display name.
- Public Presence & Waves (see §2.2): Feature (active on iOS and Android) that surfaces nearby drivers within ~10 km and lets you send ephemeral "waves." On Android, onboarding currently defaults to Anonymous — visible without identity; you can switch to Hidden or Open at any time.
- No selling: Personal data is never sold to advertisers, data brokers, insurance companies, or government agencies. No ad tracking or tracking pixels.
- Analytics: Firebase Analytics and PostHog collect anonymous usage data only (app launches, screen views, feature usage) — never location, routes, or driving data. Firebase Crashlytics collects crash reports in release builds only.
- Privacy trimming: Shared drive routes are automatically privacy-trimmed (start/end removed on iOS, privacy zones stripped on all platforms).
- Deletion: Delete account in-app to remove all server data from Firestore collections, Cloud Storage, and local data. Permanent and irreversible.
- Contact: openroad2026@gmail.com
1. Who We Are
Controller: OpenRoad LLC, 5941 39th Ave SW, Seattle, WA 98136, USA. Contact: openroad2026@gmail.com.
No EU/UK representative: OpenRoad LLC is a U.S.-based small business and does not currently maintain a designated representative in the EU/EEA or UK under Article 27 of the GDPR or UK GDPR. EU/EEA, UK, and Swiss users may contact us directly at openroad2026@gmail.com for any data-protection request, and may also lodge a complaint with their local supervisory authority (see Section 13). If our active user base in those regions grows materially, we will appoint a representative and update this policy.
2. Data We Collect
2.1 Local Drive Data
Data stored locally on device (Core Data on iOS; Room database on Android) and optionally synced to private iCloud (iOS) via CloudKit or Firebase (Android) via Firestore. This includes, but is not limited to:
- Location data: GPS coordinates recorded during drive sessions for routes, distance, speed, and map/heatmap rendering.
- Motion data (if enabled): Accelerometer and gyroscope data for acceleration and driving dynamics estimation.
- Drive metadata: Start/end times, duration, and user-assigned labels or notes.
Drive route data is not transmitted to Open Road servers; however, social feature usage may send related data (presence, shared speed objects) to servers.
2.2 Social Features Data (Server-Stored)
If you use social features, data processed on our Firebase backend includes, but is not limited to, the categories below. Open Road is an evolving product: we may add, remove, or change social features (and the data they involve) over time, and will update this Policy for material changes.
- Account identifier: Stable identifier from Sign in with Apple / Google (email not received unless user shares).
- Friends list: User identifiers of connected people.
- Convoy membership: Data about convoy groups joined or created.
- Live presence with friends (optional): Real-time location shared with friends during active sessions. 90-second TTL, auto-deleted; location is quantized to a 100m grid for non-convoy members.
- Public Presence — nearby drivers: Open Road includes a feature that surfaces nearby drivers within approximately 10 km (a radius we may adjust), transported over Firebase Realtime Database. It is active on iOS and Android. It currently offers three tiers, which we may change:
  - Hidden: you are not visible to other drivers and you do not see them.
  - Anonymous: you appear on other drivers' maps without your identity (no name, no profile photo); you can also see other drivers in the same tier.
  - Open: you appear with your username and profile photo to other drivers nearby.
  On Android, onboarding currently defaults new users to Anonymous. You can change your tier at any time, including switching to Hidden, in the Public Presence settings inside the app. We may change the default tier, the available tiers, or how this feature works, and will update this Policy for material changes.
- Waves: Where Public Presence is enabled, you can send a lightweight "wave" to a nearby driver. A wave is a brief, ephemeral record (stored in Firebase Realtime Database with an approximately 5-minute time-to-live, then auto-deleted) containing the sender and recipient identifiers and a timestamp — no message content.
- Markers and zones: Location data for markers and zones you create (such as community speed traps and zones). Depending on the type, these may be shared with your friends and/or contributed to the broader Open Road community as public community objects visible to other users.
- Push notification tokens: Device tokens stored in Firebase Cloud Messaging (FCM).
- Shared drive routes: When a user shares a drive to their feed, routes are automatically privacy-trimmed. Approximately the first and last half-mile of each drive are removed from the contribution. On all platforms, any segments within user-defined privacy zones (e.g., near home or work) are fully removed before sharing.
2.3 Photos and Camera
The App may request access to your device camera (for taking a vehicle photo for your garage) and your photo library (for choosing a profile photo). These images are stored locally and, if you use social features, uploaded to Firebase Storage. Photos are deleted when the associated profile or vehicle is deleted, or when the account is deleted.
2.4 Voice Chat
Voice chat is facilitated via LiveKit with authentication tokens issued for calls. Audio streams are transmitted peer-to-peer or via LiveKit servers in real-time. Voice calls are not recorded or stored.
2.5 Markers and Zones
Markers and zones are in-app driving challenges (similar to Forza speed traps) — they are not related to law enforcement detection.
- Stored with creator ID for ownership and editing purposes.
- Depending on the type and your choices, markers and zones may be shared privately with your friends and/or published as community objects visible to the broader Open Road community. Community-contributed markers and zones may remain visible to others, in a form that does not identify you by name, after you create them.
- Your own markers and zones are removed from your account when your account is deleted; community objects you contributed may be retained in aggregate or de-identified form to keep the community map functional.
2.6 Now-Playing Music (iOS)
On iOS, the App requests Apple Music access so it can show what you are currently playing and let you skip or pause tracks without leaving the app while driving. Track title and artist are read locally for on-screen display only and are not transmitted to our servers.
2.7 Notification Listener (Android)
On Android, the App offers a now-playing display equivalent to iOS. Android exposes this only through the Notification Listener system permission, which technically grants access to all notifications. Our notification-listener service is bound exclusively to surface currently-playing music; non-music notifications are ignored and never read, stored, or transmitted off-device. You can revoke this access at any time in Android Settings.
2.8 Activity Recognition and Auto-Drive Detection (Android)
On Android, the App uses Activity Recognition to detect when a drive has started and offers to begin logging automatically. The App also requests permission to start in the background after device boot (for resumption of in-progress drives across reboots) and to be exempted from battery optimization (so the foreground location service is not killed mid-drive). Activity-recognition signals are processed on-device and are not transmitted to our servers.
3. Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide core drive logging functionality | Contract necessity (Art. 6(1)(b)) |
| Sync drive data to iCloud / Firebase | Contract necessity (Art. 6(1)(b)) |
| Enable social features (friends, convoys, markers) | Contract necessity (Art. 6(1)(b)) |
| Share live presence with friends | Consent (Art. 6(1)(a)) |
| Access microphone for voice chat | Consent (Art. 6(1)(a)) |
| Send push notifications | Consent (Art. 6(1)(a)) |
| Facilitate voice chat connections | Contract necessity (Art. 6(1)(b)) |
| Process in-app purchases | Contract necessity (Art. 6(1)(b)) |
| Anonymous usage analytics (Firebase Analytics, PostHog) | Legitimate interests (Art. 6(1)(f)) |
| Crash reporting (Firebase Crashlytics) | Legitimate interests (Art. 6(1)(f)) |
| Access camera and photo library for profile/vehicle photos | Consent (Art. 6(1)(a)) |
| Detect drive start via Activity Recognition (Android) | Consent (Art. 6(1)(a)) |
| Public Presence — nearby drivers transport (iOS and Android) | Consent (Art. 6(1)(a)) |
| Send and receive Waves with nearby drivers | Consent (Art. 6(1)(a)) |
| Read currently-playing music for in-app display | Consent (Art. 6(1)(a)) |
| Paid-install attribution via SKAdNetwork (iOS) | Legitimate interests (Art. 6(1)(f)) |
| Security monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Develop, test, and improve features, and create new products and services | Legitimate interests (Art. 6(1)(f)) |
| Any additional purpose disclosed to you at the time of collection or to which you consent | As stated or consent (Art. 6(1)(a)) |
The processing activities and categories described in this Policy reflect how the Service works today and the range of uses we may make of your data. Open Road continues to develop new features; where a new feature involves a materially different use of your personal data, we will update this Policy and, where required, obtain your consent.
4. Recipients and Processors
We rely on third-party service providers (processors) to operate the Service. These currently include, but are not limited to, the following. We may add, remove, or replace service providers as the Service evolves; each acts on our instructions and is bound by contractual confidentiality and data-protection obligations.
- Google / Firebase: Firestore (database), Realtime Database (nearby-driver Public Presence and Waves transport, iOS and Android), Cloud Functions (server logic), Cloud Storage (file storage), Firebase Cloud Messaging (push notifications), Firebase Analytics (anonymous usage data), Firebase App Check (abuse prevention). Data processed on Google Cloud infrastructure.
- Mapbox: Turn-by-turn routing via the Mapbox Directions API on both iOS and Android. Origin, destination, and intermediate waypoints are sent to Mapbox to compute the route. Mapbox does not receive your full drive history or live driving data.
- Google Maps SDK (Android): Map tile rendering on Android. Tile requests include the visible map area only.
- Apple: Sign in with Apple (authentication, iOS), App Store (subscription/purchase processing), iCloud/CloudKit (optional drive data sync, iOS), SKAdNetwork (privacy-preserving install attribution for paid ad campaigns, iOS — see §4.1). Payment card details not received from Apple.
- Google: Sign in with Google (authentication, iOS and Android), Google Play Billing (subscription/purchase processing on Android), Google Play In-App Review (optional rating prompt on Android). Payment card details not received from Google.
- LiveKit: Real-time voice transport for voice chat. Receives authentication tokens and routes audio streams; calls not recorded.
- PostHog: Product analytics service. Receives anonymous usage events (screen views, feature usage, onboarding steps). Session replay is enabled on Android with all text inputs masked. No location, route, or driving data is sent to PostHog. PostHog is disabled in debug builds.
4.1 SKAdNetwork (iOS install attribution)
On iOS, Open Road participates in Apple's SKAdNetwork framework so that when you install the App from a paid advertising campaign, Apple can send us a privacy-preserving install-attribution signal — telling us which campaign drove the install in aggregate. SKAdNetwork postbacks do not include your Apple ID, IDFA, email, location, or any other personally identifying signal: only the campaign and conversion identifiers Apple defines.
The list of advertising networks that may receive an SKAdNetwork postback for an Open Road install is declared in the App's Info.plist and visible in our App Store listing under "App Privacy." We do not control which specific ad networks Apple may send postbacks to during any particular campaign.
We do not embed third-party advertising SDKs inside the App. We do not collect IDFA. We do not run cross-app behavioral tracking. Apple's App Tracking Transparency (ATT) prompt is not used because we do not perform tracking that requires it.
Personal data is not sold, rented, licensed, or provided to third parties for commercial purposes, including advertisers, data brokers, insurance companies, or government agencies. No third-party advertising or ad tracking services are used.
5. Who Can See Your Data Inside OpenRoad
We want to be straightforward about what the company can technically see and what we promise not to do with it.
5.1 What we can technically access
Because we operate the server side of Open Road on Google Firebase, authorized OpenRoad LLC personnel can, in principle, view individual user account data through the Firebase console. That includes:
- Your Firestore documents (profile, drives you have synced or shared, feed entries, friends, convoy membership, marker/zone ownership, push notification tokens).
- Cloud Storage files you uploaded (profile photo, vehicle photos).
- Live presence entries while they exist (90-second TTL).
- Cloud Functions execution logs that contain your account identifier.
- Firebase Authentication metadata (sign-in provider, account creation date, last sign-in).
We cannot see drive routes that stay on your device — those are not transmitted to our servers unless you choose to share a drive. We cannot see voice chat audio — it is not recorded.
5.2 What we use this access for
- Debugging crashes and reported issues.
- Investigating reports under our Community Guidelines (e.g., harassment, fake drives, abuse).
- Operating and improving the Service.
5.3 What we will not do with this access
- We will not browse user accounts out of curiosity.
- We will not share, sell, license, or otherwise transfer your data to advertisers, data brokers, insurance companies, employers, family members, or any other third party.
- We will not provide your data to law enforcement except as set out in Section 7 (Law Enforcement and Government Requests).
- We will not use your shared drive data for any purpose other than the social features you opted into and the aggregate Global Heat Map described in Section 6, to which contributions are automatically trimmed.
If we change these self-imposed rules, we will update this Policy and notify users in-app at least 15 days before the change takes effect.
6. Global Heat Map
Open Road displays a community-wide heat map showing where people drive. To build it, we aggregate contributions from every active user. We disclose this directly so you understand what is being contributed and what is not.
6.1 What is contributed
- The middle portion of drives you have synced or shared. The start and end of every drive — approximately the first and last half-mile — are removed before contribution, so the heat map cannot reveal where any one user begins or ends a trip.
- Contributions are aggregated into a coarse grid; individual drives are not retrievable from the heat map.
6.2 What is not contributed
- Any segment that falls inside a user-defined privacy zone (e.g., near home or work).
- The trimmed start and end portions of every drive.
- Drives that were never synced or shared.
6.3 Opt-out
Today, every user contributes to the heat map by default; the trimming and privacy-zone exclusion described above apply universally. A per-user opt-out toggle is on the roadmap. The heat map is a feature of the Service. It is not sold or licensed to third parties.
7. Law Enforcement and Government Requests
- We will not voluntarily provide user data to law enforcement, government agencies, or any other authority.
- We do not cooperate with informal requests, voluntary disclosure programs, or non-binding inquiries.
- We will only provide user data if compelled by a legally binding court order — not a subpoena, not an informal ask.
- Even when legally compelled, we provide the minimum data required and notify the affected user where legally permitted.
- Drive data stays on-device unless the user explicitly shares it via social features — we cannot provide data we do not have.
8. Analytics and Crash Reporting
We use Firebase Analytics and PostHog for anonymous usage data (app launches, screen views, feature usage). Analytics never includes location, routes, addresses, or driving data.
- We do not send location, route, or address data to any analytics service. Analytics events are limited to non-location usage signals (screen views, feature usage, app/build version, subscription status, permission states).
- Firebase Remote Config is used for feature flags only.
- Firebase Crashlytics is used for crash reporting in release builds only. Crash reports include stack traces, app version, device model, and a truncated (non-identifying) user ID. No location or driving data is included in crash reports.
- PostHog collects anonymous usage events. On Android, session replay is enabled with all text inputs masked. PostHog is disabled in debug builds.
- We do not embed Sentry, Mixpanel, Amplitude, Segment, Facebook SDK, or any third-party behavioral-ad SDK inside the App. We do not collect IDFA. We do not use tracking pixels. Apple's SKAdNetwork is used for paid-campaign install attribution only (see §4.1) and is privacy-preserving by design.
- Analytics properties collected: app version, build number, subscription status, and permission states. No usernames, emails, or device IDs are collected.
9. International Data Transfers
OpenRoad is based in the United States. If you use the Service from outside the U.S., your data is transferred to and processed in the U.S. For EU/EEA, UK, and Swiss data subjects, we rely on:
- The EU-US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795);
- The UK Extension and Swiss-US Data Privacy Framework;
- The EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) and UK International Data Transfer Addendum as fallback where DPF does not apply.
For Brazil, we rely on ANPD-approved Standard Contractual Clauses. Service providers including Google/Firebase, PostHog, and LiveKit maintain transfer compliance documentation.
10. Data Retention
- Local drive data: Retained on device and cloud until user deletion or account deletion.
- Live presence data: Expires after 90 seconds; server cleanup runs every 2 minutes to remove stale entries.
- Waves: Ephemeral; expire approximately 5 minutes after being sent, then auto-deleted.
- Push notification tokens: Retained until notification permissions revoked, notifications disabled in-app, or account deleted.
- Marker/zone objects: Retained until hidden/removed in-app or account deleted. Note: shared items may persist for other users.
- Friends list and convoy data: Retained until relationship removed or account deleted.
- After account deletion: When you delete your account, active server data is removed and your authentication record is revoked. Residual data may persist in encrypted backups, log archives, and provider-side replicas for up to 180 days before being permanently expunged. Moderation reports are redacted (personally identifiable information removed) but not deleted, to maintain platform safety records.
- Drive feed entries: Retained until the user deletes them, changes visibility, or deletes their account.
- Voice chat: No retention; audio transmitted in real-time only.
11. Your Rights
Under GDPR and applicable US privacy laws, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of data ("right to be forgotten").
- Restriction: Request processing restriction in certain circumstances.
- Portability: Request data in a portable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent where processing is based on consent (live presence, push notifications, microphone access).
How to Exercise Your Rights
- Email: Contact openroad2026@gmail.com with your request. Identity verification may be required.
- In-app deletion: Delete your account directly in the app via Profile → Settings → Delete Account. Removes server data and local data.
Response aim: 30 days or as required by applicable law.
12. Account Deletion
Delete your account anytime from the app:
Profile → Settings → Delete Account
Account deletion removes data from all Firestore collections including:
- Profile, drives, feed entries, friends (both directions), markers/zones, convoys, presence, push tokens, notification settings, and all subcollections.
- Cloud Storage files (avatars, vehicle photos, user uploads) are deleted.
- Apple Sign-In tokens are revoked (iOS). Google authentication credentials are removed (Android).
- Local device data is removed. On iOS, iCloud/CloudKit data (if sync was enabled) is also deleted.
- On iOS, deletion is processed server-side via Firebase Cloud Functions. On Android, deletion is performed client-side with cascading Firestore and Storage cleanup followed by Firebase Auth account removal.
Moderation reports are redacted (personally identifiable information removed) but not deleted, to maintain platform safety records.
Deletion is permanent and irreversible.
13. Supervisory Authority (EU/EEA/UK Users)
You have the right to lodge a complaint with your supervisory authority if you believe your data protection rights have been violated:
- EU/EEA: Your local data protection authority
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
We encourage contacting us first at openroad2026@gmail.com to resolve concerns.
14. California Notice (CCPA/CPRA)
Although OpenRoad is below CCPA/CPRA applicability thresholds, we voluntarily extend these rights to California residents:
- Right to Know: Request a copy of the personal information we collect about you.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt Out of Sale/Sharing: We do not sell or share PI for cross-context behavioral advertising. We honor Global Privacy Control signals.
- Right to Limit Sensitive Personal Information: You can limit use of precise geolocation and other sensitive data.
- Right to Non-Discrimination: No discrimination for exercising CCPA/CPRA rights.
- Automatic Renewal Law: Subscription disclosures provided prior to purchase and in renewal reminders.
To exercise rights: Settings → Privacy & Data, or email openroad2026@gmail.com. We respond within 45 days.
15. Other U.S. State Rights
Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, New Jersey, New Hampshire, Minnesota, Maryland, Nebraska, and Nevada have similar rights to access, delete, correct, port, and opt out of profiling. We provide these rights on the same basis as California. Nevada and Connecticut residents: our Consumer Health Data Privacy Policy applies to drive data.
16. EU/EEA, UK, and Swiss Rights (GDPR / UK GDPR)
You have the following rights under GDPR / UK GDPR:
- Access (Art. 15): Obtain a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Request deletion ("right to be forgotten").
- Restriction (Art. 18): Restrict processing in certain circumstances.
- Portability (Art. 20): Receive data in a portable format.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Not to be subject to automated decision-making (Art. 22): Receive human review for decisions with legal or similarly significant effects.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior lawfulness.
Exercise rights in-app (Settings → Privacy & Data) or email openroad2026@gmail.com. Response time: 30 days.
17. Other Jurisdictions
Canada (PIPEDA / Quebec Law 25): Right to access, correct, withdraw consent, and complain to the Office of the Privacy Commissioner (priv.gc.ca) or your provincial authority.
Brazil (LGPD): Rights include confirmation, access, correction, deletion, portability, and withdrawal of consent. Contact us at openroad2026@gmail.com with subject "LGPD". Complaints: ANPD at gov.br/anpd. We are below the LGPD threshold that requires appointing a Data Protection Officer; if that changes we will update this policy.
Japan (APPI): Request disclosure, correction, suspension of use, and suspension of third-party provision. Contact openroad2026@gmail.com (subject: "APPI").
18. Security Measures
Technical and organizational measures implemented to protect personal data:
- Encryption of data in transit (TLS/HTTPS).
- Encryption at rest applied by service providers (Firebase, iCloud) as part of standard infrastructure.
- Authentication via Sign in with Apple / Google with secure token handling.
- Firebase Security Rules restricting data access.
- Regular access control and security practice review.
- Location, route, and address data are not included in analytics events sent to any analytics service.
- Live presence uses 100m grid quantization to reduce location precision for non-convoy members.
- Privacy zone offsets are randomized (200–800m) to prevent triangulation of home/work locations.
- Before a drive is contributed to the social feed, the global heat map, or the drive-share card image, the start and end of the route are removed. On iOS, the trim distance is between 1.0 and 1.7 miles, jittered per-drive by hashing a device-local Keychain salt with the drive's ID via SHA-256 — the same drive always trims to the same polyline (so it doesn't move between renders), but the trim distance is unpredictable across drives and across devices. On all platforms, any segments inside user-defined privacy zones are also fully removed before sharing.
- Exception — live convoy navigation: While you are actively in a convoy with friends, the real-time location broadcast to convoy members applies user-defined privacy-zone exclusion but does not apply the start/end distance trim, because the trim is designed for historic sharing and would defeat the purpose of live navigation. Live convoy presence still has a 90-second TTL and is auto-deleted.
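The per-drive start/end trim described in the list above, sketched in Python as an added example (not Open Road's code). The way the salt and drive ID are combined, the mapping of the digest onto 1.0 to 1.7 miles, and the names `trim_distance_miles` and `trim_route` are assumptions; the policy states only the inputs, SHA-256 and the range.

```python
import hashlib
import math

METERS_PER_MILE = 1609.344
TRIM_MIN_MI, TRIM_MAX_MI = 1.0, 1.7  # range stated in the policy

# Constructed sample data: a fixed 32-byte stand-in for the device-local salt
# and a straight ~6 km route heading north in ~200 m steps.
SAMPLE_SALT = b"\x01" * 32
SAMPLE_ROUTE = [(47.0 + i * 0.0018, -122.0) for i in range(31)]


def trim_distance_miles(device_salt: bytes, drive_id: str) -> float:
    """Deterministic per-drive trim distance in [1.0, 1.7] miles.

    Assumption: digest = SHA-256(salt || drive_id), first 8 bytes scaled
    linearly into the range. The same (salt, drive) pair always yields the
    same distance; without the salt the distance cannot be recomputed.
    """
    digest = hashlib.sha256(device_salt + drive_id.encode("utf-8")).digest()
    fraction = int.from_bytes(digest[:8], "big") / 2**64
    return TRIM_MIN_MI + fraction * (TRIM_MAX_MI - TRIM_MIN_MI)


def haversine_m(a, b) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def trim_route(points, device_salt: bytes, drive_id: str):
    """Drop every vertex within the trim distance of either end of the route.

    Returns [] when the drive is too short to leave anything, so a short
    trip is withheld entirely instead of being shared untrimmed.
    """
    if len(points) < 2:
        return []
    trim_m = trim_distance_miles(device_salt, drive_id) * METERS_PER_MILE
    cumulative = [0.0]  # distance travelled along the route at each vertex
    for prev, cur in zip(points, points[1:]):
        cumulative.append(cumulative[-1] + haversine_m(prev, cur))
    total = cumulative[-1]
    return [p for p, d in zip(points, cumulative)
            if d >= trim_m and (total - d) >= trim_m]


if __name__ == "__main__":
    for drive_id in ("drive-001", "drive-002"):
        miles = trim_distance_miles(SAMPLE_SALT, drive_id)
        kept = trim_route(SAMPLE_ROUTE, SAMPLE_SALT, drive_id)
        print(f"{drive_id}: trim {miles:.3f} mi, "
              f"{len(kept)} of {len(SAMPLE_ROUTE)} vertices shared")
    short = trim_route(SAMPLE_ROUTE[:10], SAMPLE_SALT, "drive-003")
    print(f"short drive: {len(short)} vertices shared")
```

Distance here is measured along the route, so a drive that doubles back toward its start relies on the privacy-zone exclusion, not on this trim, to keep the endpoints out of the shared polyline.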
19. Children and Minors
Open Road is not intended for users under 16. Our iOS and Android onboarding both require new users to confirm they are 16 or older before account creation; under-16 selections are blocked from continuing. We do not knowingly collect personal data from anyone under 16. If a child under 16 has created an account, contact openroad2026@gmail.com and the account and associated data will be deleted as soon as reasonably practicable. Because Open Road blocks under-16 use globally, COPPA (which applies to under-13 in the United States) does not apply to our processing.
20. Purchases
Subscriptions and in-app purchases are processed by Apple via the App Store (iOS) or Google via Google Play (Android). Payment card details are not received or stored by Open Road. Purchase history is managed by Apple / Google under their respective privacy policies.
21. Changes to This Policy
We will notify you of material changes via in-app notice and email at least 15 days before they take effect. Continued use after the effective date constitutes acceptance of the revised policy.
22. Contact
For questions, requests, or concerns about this Privacy Policy or your personal data:
openroad2026@gmail.com
See also our Community Guidelines.