Drove Privacy Policy

Last updated: 29 April 2026

This is the privacy policy for Drove, a live bike-ride tracking application. It describes what personal data we collect about you, why we collect it, how long we keep it, and what rights you have. It is written to be readable. If anything is unclear, email petrepopescu21@gmail.com.

1. Who we are

Drove is operated by:

  • Petre Popescu, sole operator.
  • Address: to be added before public launch. [LEGAL REVIEW]
  • Email: petrepopescu21@gmail.com

For the purposes of EU data protection law, Petre Popescu is the data controller of the personal data described in this policy.

We are based in Romania. The Romanian data protection authority is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), https://www.dataprotection.ro. You can complain to them about our handling of your data at any time.

2. The very short version

  • We collect your live location while you are participating in a ride. This is the entire point of the service.
  • We collect a display name that you choose, and optionally an avatar.
  • If you sign in, we collect your email address and an account identifier from the provider you used: Google or Apple for registered riders in the mobile app, Google or Microsoft for event organisers on the web dashboard.
  • We do not track you across other websites. We do not show advertising. We do not sell or share your data with anyone except the third parties listed in section 8 (cloud hosting, error monitoring, the maps provider).
  • You can download all your data or delete your account at any time, immediately, from inside the app.
  • We keep raw GPS tracks for 90 days after a ride ends, then they are automatically deleted.

3. What we collect, why, and on what legal basis

We process all personal data on the basis of Article 6(1)(b) GDPR — performance of a contract, except for the two activities flagged with (LI) below, which are based on Article 6(1)(f) GDPR — legitimate interests.

3.1 Account data — anonymous, signed-in, and registered

Drove uses three identity tiers. Riders start at tier 1 and may move to tier 2 by linking an account; tier 3 is the separate organiser path on the web. The data we hold differs at each tier.

Tier 1 — anonymous app user (the default on mobile)

When you first install the Drove mobile app, the app creates an anonymous Supabase Auth session for you in the background. This is a tamper-resistant identifier that lets us tie your settings, ride history on this device, and any rides you join to "you" without ever asking for an email address. The anonymous identity is created on the device the moment you launch the app, before any sign-in screen.

What we hold for an anonymous user:

  What | Why
  A random, opaque user identifier (a UUID) issued by Supabase Auth | To let you join rides, read your own ride history, and persist your settings across app launches without an email
  The role(s) you hold (always the default rider role for anonymous users) | Internal access control
  The version of this Privacy Policy and our Terms of Service that you have accepted, with a timestamp | Evidence that you agreed to those documents
  Anything in section 3.2 below, if you go on to join a ride | That data is created by joining a ride, not by being anonymous

We do not collect an email address, a name, an SSO identifier, or any contact information at the anonymous tier. The session that proves you are that identifier exists only on your device, so uninstalling the app orphans the account from your end; we keep the row server-side until our retention rules delete it (see Section 4).

Tier 2 — signed-in user (you have linked a Google or Apple account)

If you choose to link a Google or Apple identity to your anonymous account from inside the app (Profile → Sign in), your anonymous account is upgraded in place. You keep the same internal user identifier and any data you have accumulated.

What we additionally hold:

  What | Why
  Email address as returned by your identity provider | To recognise you on a new device, and to email you about your account if needed
  Display name as returned by your identity provider | To show you who is signed in
  A unique account identifier from Google or Apple | To recognise you when you sign in again

Does linking require a new "consent"? No. The legal basis for processing your data under Drove (performance of the contract you accepted at first launch) does not change when you link, and the privacy policy you accepted already discloses the data categories we collect at each tier. We do not need to ask you again to agree to the same documents.

What we do before completing a link:

  • Show you on screen, before you tap the provider button, that linking will add your email and name to your Drove account.
  • Let Google or Apple show you their own consent screen — they tell you which scopes Drove is asking for. We only request the minimum (openid, email, profile) needed to identify you.
  • Record the link in our internal audit log (the fact that the link happened, when, with which provider). This is part of the audit trail required under Art. 30 GDPR for accountability.

You can unlink at any time from the same screen, which moves you back to tier 1 without losing your data. Unlinking removes the email, name, and provider identifier from our records.

Tier 3 — admin sign-in (web)

Event organisers sign in to the admin web dashboard via Google or Microsoft single sign-on. This is a separate path from the mobile flow. Admins always have an email and an SSO identifier; there is no anonymous tier on the web admin.

3.2 Ride participation data (everyone who joins a ride)

  What | Why
  The display name you choose for the ride | So the organiser and other riders can recognise you on the map
  Optional avatar (an image or initial) | Same as above
  Your live GPS position while the ride is active | So the organiser and other riders can see you on the map. This is the service.
  Speed and accuracy reported by your device | To make the live map useful and to flag riders who appear to have stopped
  The time you joined and the time you left the ride | To bound how long we collect your location
  The version of the Privacy Policy and Terms of Service you accepted | Evidence of acceptance

We do not record audio, video, your contacts, your photos, or any other content from your device. We do not collect health, biometric, or any other special-category data under GDPR Article 9.

3.3 Device data (everyone using the app)

  What | Why
  Push notification token (if you grant notification permission) | So we can send ride-related notifications (broadcasts from the organiser, ride-end notices)

3.4 Rate-limit and abuse-prevention data (LI)

  What | Why
  Your IP address, only when you attempt to join a ride using an invite code | To detect and slow down brute-force attempts on invite codes

This data is kept for 30 days and then deleted automatically. We do not link it to your account. We process it under Article 6(1)(f) GDPR — legitimate interests — specifically, our interest in keeping the service usable and free of abuse. Our balancing of those interests against your privacy is documented in legitimate-interests-assessment.md in this repository; you can ask us for it.

3.5 Error monitoring data (LI)

  What | Why
  Diagnostic information sent automatically by the app when something crashes: file paths, stack traces, the action you were taking when the error happened | To find and fix bugs

We configure our error-monitoring tool (Sentry) to strip personal data before it reaches Sentry's servers — your email, display name, IP address, and any authentication tokens are removed at source. Errors are kept for 30 days and then deleted automatically. This is also processed under Article 6(1)(f) GDPR — legitimate interests.
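The stripping described above is done in the Sentry SDK's beforeSend hook, which runs on the device before an event is sent. The block below is an added example of such a hook, written for this page; it is not Drove's actual configuration. It assumes the usual Sentry event shape (message, user, request, breadcrumbs, tags, extra) and a hypothetical list of field names to redact; the sample event is constructed here for illustration. beforeSend and sendDefaultPii are real Sentry SDK options.

```javascript
// Added example, not Drove's own code: a Sentry beforeSend hook that removes
// email addresses, display names, IP addresses and auth tokens from an error
// event before it leaves the device.
//
// Assumed usage (Sentry.init is the real SDK entry point):
//   Sentry.init({ dsn, sendDefaultPii: false, beforeSend: scrubEvent });
// sendDefaultPii: false stops the SDK attaching the connecting IP by itself.

// Keys that are redacted wherever they appear (assumed list; extend as needed).
const SENSITIVE_KEYS = new Set([
  "email", "display_name", "displayname", "ip_address",
  "token", "access_token", "refresh_token", "authorization", "cookie",
]);

// Patterns scrubbed inside free-text values: JWTs, bearer tokens, emails.
const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;
const BEARER_RE = /Bearer\s+[A-Za-z0-9._-]+/gi;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function scrubString(s) {
  return s
    .replace(JWT_RE, "[token]")
    .replace(BEARER_RE, "Bearer [token]")
    .replace(EMAIL_RE, "[email]");
}

// Walk the event recursively, returning a scrubbed copy (the input is not mutated).
function scrubValue(value, depth = 0) {
  if (depth > 20) return "[depth]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? "[redacted]" : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;
}

// The beforeSend hook itself. Keeps only the opaque user id (assumption: the
// UUID is not personal data the policy promises to strip), and drops request
// headers and cookies wholesale rather than trying to filter them.
function scrubEvent(event) {
  const scrubbed = scrubValue(event);
  if (scrubbed.user) scrubbed.user = scrubbed.user.id ? { id: scrubbed.user.id } : {};
  if (scrubbed.request) {
    delete scrubbed.request.headers;
    delete scrubbed.request.cookies;
  }
  return scrubbed;
}

// Constructed sample event for illustration; none of these values are real.
function sampleEvent() {
  return {
    message: "Join failed for rider alice@example.com",
    user: {
      id: "3f1c2b8a-0000-4000-8000-000000000001",
      email: "alice@example.com",
      ip_address: "203.0.113.7",
      username: "Alice",
    },
    request: {
      url: "https://example.invalid/rides/join",
      headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" },
      cookies: "sb-access-token=secret",
    },
    breadcrumbs: [
      { category: "http", message: "POST /rides/join", data: { display_name: "Alice", token: "abc123" } },
    ],
    tags: { ride_id: "r_42", ip_address: "203.0.113.7" },
    extra: {
      invite_code: "ZX9Q2",
      auth: "Bearer abc123",
      note: "session eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c expired",
    },
  };
}

console.log(JSON.stringify(scrubEvent(sampleEvent()), null, 2));
```

The two-layer approach matters: redacting by key catches structured fields, and the regex pass catches the same data when it has been interpolated into a message or breadcrumb string, which is where it usually leaks. Anything the hook cannot classify is left as-is, so the redaction list needs reviewing whenever a new field is added to events.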

4. How long we keep your data

  Category | Retention
  Account data | While your account is open. We delete inactive rider accounts after 3 years of no use.
  Raw GPS tracks (location_points, ride_location_points) | 90 days after the ride ends, then deleted automatically.
  Aggregate ride summaries (distance, duration, route taken) | While your account is open. Linked to your account, deletable on request.
  Push tokens | While the app is installed. Removed if the device has been silent for more than 1 year.
  IP addresses in the rate-limit log | 30 days, then deleted automatically.
  Error monitoring records | 30 days, then deleted automatically.
  Acceptance of this policy and the Terms of Service | While your account is open.
  Audit log (administrative actions only; does not contain ride data) | 1 year.
  Erasure log (the fact that you deleted your account, with a hashed identifier) | 1 year.

The full retention schedule is published at retention-schedule.md. It is enforced by an automated job that runs every night.

5. Your rights

Under the GDPR you have all of the following rights. Email petrepopescu21@gmail.com to exercise any of them; for most, you can do it yourself from inside the app under Settings → Privacy.

  • Right of access (Art. 15) — get a copy of your data. Self-service: "Export my data" button.
  • Right to rectification (Art. 16) — fix anything wrong. Self-service: edit your profile.
  • Right to erasure / "right to be forgotten" (Art. 17) — delete your account and all associated personal data. Self-service: "Delete my account" button. Hard delete, immediate, no recovery. The only trace that remains is the entry in the erasure log described in Section 4 (a hashed identifier and the date), kept for 1 year; rate-limit and error-monitoring records are never linked to your account, so there is nothing there to delete.
  • Right to restrict processing (Art. 18) — pause specific uses of your data. Email us; for live tracking, leaving the ride achieves this immediately.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format. Self-service export delivers JSON, CSV, and GeoJSON.
  • Right to object (Art. 21) — particularly to processing on legitimate interests. Email us. The two LI activities — rate-limit logging and error monitoring — are explicitly enumerated above.
  • Rights related to automated decision-making (Art. 22) — Drove makes no automated decisions that produce legal or similarly significant effects, so this does not apply to us.
  • Right to lodge a complaint with a supervisory authority (Art. 77) — you can complain to ANSPDCP at https://www.dataprotection.ro at any time.

6. Security

  • All data is stored encrypted at rest by our cloud provider (Supabase) and is transmitted over TLS.
  • Access from inside the app is gated by row-level security in the database — every query is checked against your identity, server-side, before it is allowed.
  • Administrative actions on user data are written to an audit log.
  • We use Google or Microsoft single sign-on for organiser accounts; we do not store organiser passwords.
  • Riders who join via QR code use a short-lived authentication token bound to a specific ride; that token cannot be refreshed or used outside the ride.

7. Children

Drove is not for users under 16. By Romanian law (Law 190/2018, implementing GDPR Art. 8), the digital age of consent is 16, and we do not have a parental-consent verification mechanism. The app asks every new user to confirm they are 16 or older before they can join or sign in. If you become aware that a child under 16 has provided data to us, please email petrepopescu21@gmail.com and we will delete it.

8. Who else processes your data

We use a small number of third-party services to run Drove. Each of them processes personal data on our behalf, under a written Data Processing Agreement (DPA). The full list — including each company's location, the type of data they handle, and the legal mechanism that protects EU-to-non-EU data transfers — is in sub-processors.md.

In summary:

  • Supabase (Ireland) — primary database, authentication, file storage, real-time pipeline. Your data is stored in the European Union.
  • Vercel (United States; we use their EU regions for Drove) — hosting for the admin web dashboard.
  • Google LLC (United States) — Google Maps API and Google sign-in.
  • Microsoft (United States) — Microsoft sign-in.
  • Sentry (preferred: Germany region; otherwise United States) — error monitoring.
  • Apple and Google (Play Store) — app distribution.
  • Expo (650 Industries) (United States) — the build pipeline that produces the mobile app binaries; does not process user data at runtime.

We do not sell your data to anyone. We do not share it with advertising networks. We do not pass it to anyone for direct marketing.

9. International transfers

Your data is primarily stored in the European Union (Ireland, on Supabase). For some of the third parties listed above (Google, Microsoft, Sentry US, Vercel, Expo), some processing happens in the United States. Those transfers are protected either by:

  • the EU–US Data Privacy Framework for vendors who are certified under it (Google, Microsoft); or
  • Standard Contractual Clauses (SCCs) issued by the European Commission for vendors who are not.

The mechanism in force per vendor is documented in sub-processors.md.

10. Changes to this policy

If we change this policy in a way that materially affects you, we will:

  1. Update the "Last updated" date at the top of this document and the matching version: YYYY-MM-DD references inside the app code,
  2. Re-prompt every user to accept the new version on their next session.

You can always see the change history on GitHub.

11. How to contact us

Email: petrepopescu21@gmail.com

We respond to data-subject requests within the one month that GDPR Art. 12(3) allows (it can be extended by a further two months only for complex or numerous requests, and we will tell you if that happens), and usually much faster.