Privacy Policy
Service: OnWay — traffic POI awareness application Data Controller: Malatenski David, individual developer (Serbia) Contact: onway.help@proton.me Effective Date: 2026-04-13 Version: 1.0
1. Data Controller
This Privacy Policy (“Policy”) applies to personal data processed in connection with the OnWay app.
| Data Controller | Malatenski David (individual developer) |
|---|---|
| Country | Serbia |
| onway.help@proton.me |
The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — “GDPR”) and applicable national data protection laws.
2. Purpose of This Policy
This Policy aims to transparently present:
- What personal data we process when providing the Service
- For what purposes and on what legal basis we process this data
- How long we retain the data
- With whom we share the data
- What rights the User has regarding their data
- How to contact us regarding the processing of personal data
3. Categories of Personal Data We Process
The operation of OnWay requires the processing of the following categories of personal data:
3.1 Pseudonymous Device Identifier (User Account)
- Data: Pseudonymous UUID (Universally Unique Identifier) generated by the Supabase anonymous authentication system on the first launch of the App
- Legal Basis: Article 6(1)(f) GDPR — legitimate interest of the Controller in operating a functional, free POI awareness service that requires distinguishing individual devices (report ownership, voting eligibility, abuse prevention)
- Balancing Test: The User’s privacy interest is balanced against the Controller’s interest in providing a functional and moderable Service. The device identifier is not directly tied to the User’s real identity and is not combined with other data sources for profiling purposes — thus the User’s interests do not override the Controller’s legitimate interest. The User may exercise the right to object under Section 8.
- Purpose: Distinguishing the User’s device during Service operation (report ownership, voting eligibility)
- Note: The device identifier does NOT contain directly identifying information (no name, email, phone, etc.) — this is a pseudonymous processing, which nevertheless falls under the GDPR per Recital 26
3.2 Device Information
- Data: Platform (iOS / Android), app version, last activity timestamp
- Legal Basis: Article 6(1)(b) — contract performance + Article 6(1)(f) — legitimate interest (service quality control, debugging)
- Purpose: Debugging, ensuring platform compatibility, update notifications
3.3 Location Data (GPS)
- Data: Latitude and longitude, heading, speed
- Legal Basis (foreground): Article 6(1)(f) — legitimate interest of the Controller in providing a location-based POI awareness service. The operating system location permission (iOS/Android) serves as an effective consent mechanism for foreground processing; the User may withdraw it at any time via device settings.
- Legal Basis (background): Article 6(1)(a) — explicit, separate in-app consent, as background location is considered a more privacy-sensitive processing
- Purpose: Centering the map on the User’s position, real-time alerts about nearby cameras and POIs
- Retention: Real-time GPS data is processed only on the User’s device by the App. It is not sent to the server unless the User explicitly submits a report or an alert event is logged (see 3.4–3.5)
3.3.1 Background Location Consent Management
Consent for background location processing is handled in accordance with GDPR Articles 7 and 4(11):
- Granting consent: Background location is activated only after the User accepts a separate in-app confirmation screen that clearly explains the purpose of processing. The operating system’s “Always Allow” permission alone is not sufficient — the in-app consent is separately documented by the Controller.
- Withdrawing consent: The User may withdraw consent at any time, with the same ease as granting it, via a toggle in the App’s Settings menu, which immediately stops future background location collection.
- Effect of withdrawal: Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. Previously recorded alert events (
alert_events) continue to be retained per Section 4.
3.4 User Reports
- Data: Report type (hazard / accident / traffic jam / pothole), position (lat/lng), heading, creation time, expiration time, pseudonymous identifier of the creator
- Legal Basis: Article 6(1)(f) — legitimate interest of the Controller and other Users in sharing and receiving real-time traffic information. Balancing test: reports are voluntarily created by the User, concern public locations and public events (they do not contain personal data of third parties), and are linked via a pseudonymous device identifier.
- Purpose: Warning other Users about current road conditions
3.5 Alert Events
- Data: Alert source (fixed camera or report), source ID, trigger time, location, heading, speed, pseudonymous identifier of the alerted device
- Legal Basis: Article 6(1)(f) — legitimate interest (continuous improvement of Service quality, statistical and spatial analysis, traffic hotspot identification)
- Purpose: Service improvement, traffic pattern analysis (heatmap), fraud prevention, abuse mitigation
- Balancing Test: The analysis is conducted at the level of the anonymous device identifier, from which the identity of the User cannot be determined. The User’s legitimate interest (right to privacy) is balanced against the Controller’s legitimate interest (improving service quality). The User may object to the processing as set out in Section 8.
3.6 Report Votes
- Data: Report ID, voter’s pseudonymous device identifier, vote value (confirm / deny)
- Legal Basis: Article 6(1)(f) — legitimate interest in community moderation, filtering false reports, and preserving the integrity of the Service
- Purpose: Community moderation of reports, filtering out false reports
3.7 Optional Nickname
- Data: A short, public display name chosen by the User in Settings
- Legal Basis: Article 6(1)(a) — explicit consent (the field is optional and the User actively types a value)
- Purpose: Public attribution of the User’s reports and contributions
- Note: The User can clear or change the nickname at any time. The Controller recommends not entering the User’s real name.
3.8 Admin Audit Log (admin users only)
- Data: Admin identifier, executed action, target object, timestamp, IP address
- Legal Basis: Article 6(1)(f) — legitimate interest of the Controller in system security, accountability, and fraud prevention
- Balancing Test: The audit log applies exclusively to administrator users who are responsible for operating the Service. Processing and retention are limited to what is necessary for security and accountability purposes.
- Purpose: Traceability of administrative operations
3.9 What We Do NOT Process
OnWay expressly does not process:
- Real names, email addresses, phone numbers (the User remains anonymous unless they voluntarily set a nickname)
- Credit card or payment data
- Social media profiles
- Special categories of data (health, ethnic origin, religion, etc.)
- Children’s data (the App is 16+, see Section 11)
4. Data Retention
| Data Type | Retention Period |
|---|---|
Pseudonymous device row (devices) |
Until the User’s deletion request, or automatic anonymization after 24 months of inactivity |
Reports (reports) |
Active: until expiration (45 min — 8 hours). Expired: 90 days, then automatic deletion |
Votes (report_votes) |
Anonymized when the User deletes their account; counts are preserved without attribution |
Camera confirmations (camera_confirmations) |
Anonymized when the User deletes their account; counts are preserved without attribution |
Alert events (alert_events) |
12 months, then automatic anonymization and conversion to aggregated statistics, which under Recital 26 GDPR no longer qualify as personal data |
Admin audit log (admin_audit_log) |
5 years (for accountability and security purposes) |
| GPS data (real-time) | NOT stored on the server (except in the above cases) |
After the retention period expires, the Controller automatically deletes or irreversibly anonymizes the data.
5. Data Processors and Third-Party Sharing
To provide the Service, the Controller uses the following data processors:
5.1 Primary Processor: Supabase
- Name: Supabase Inc.
- Role: Database, authentication, cloud backend service
- Storage Location: Amazon Web Services (AWS) eu-west-3 region — Paris, France (within the EU territory)
- Legal Basis: Data Processing Agreement (DPA) under Article 28 GDPR
- More information: https://supabase.com/privacy
5.2 Map Tile Service: OpenStreetMap
- Name: OpenStreetMap Foundation (OSMF)
- Role: Map tile (raster) delivery
- Location: Servers within the European Union
- Data: User device IP address and map tile request
- More information: https://osmfoundation.org/wiki/Privacy_Policy
5.3 Platform Providers (Mobile Stores)
- Apple Inc. (App Store — iOS platform) — USA, under the EU-US Data Privacy Framework
- Google LLC (Google Play Store — Android platform) — USA, under the EU-US Data Privacy Framework
5.4 Push Notifications (future feature)
If the App introduces push notification functionality, the push token and notification content will be transmitted via Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). This feature is not currently active.
5.5 No Sale of Data
The Controller does not sell, rent or transfer for marketing purposes the User’s personal data to third parties.
6. International Data Transfers
The Controller primarily stores data within the European Union (AWS eu-west-3, Paris). For the non-EU processors listed above (e.g., Apple, Google), data transfers are conducted based on the following compliance mechanisms:
- EU-US Data Privacy Framework (European Commission Implementing Decision 2023/1795)
- Standard Contractual Clauses (SCC) — European Commission Decision 2021/914
- Where necessary, additional technical and organizational measures (encryption, pseudonymization)
7. Security Measures
The Controller applies the following measures to secure the data:
- Encrypted data transmission (HTTPS/TLS 1.2+) in all client-server communication
- Encrypted storage (AES-256 at-rest encryption) in the Supabase infrastructure
- Row Level Security (RLS) at the database level — the User can only access their own data
- Pseudonymization of User identification (pseudonymous UUID, not direct identifiers)
- Admin audit log for all administrative operations
- Two-factor authentication (2FA) for administrator access
- Automatic backups on a daily basis
8. User (Data Subject) Rights
Under the GDPR, the User has the following rights:
8.1 Right of Access (Art. 15)
The User has the right to request information on whether we process their data and, if so, what data we process.
8.2 Right to Rectification (Art. 16)
The User has the right to request the correction of inaccurate data.
8.3 Right to Erasure (Right to Be Forgotten, Art. 17)
The User may at any time request the deletion of their personal data, either by using the in-app “Delete my data” option in Settings, or by emailing the Controller.
8.4 Right to Restriction of Processing (Art. 18)
The User may request the Controller to restrict the processing of their personal data if:
- The User contests the accuracy of the data (for a period enabling the Controller to verify accuracy)
- The processing is unlawful but the User does not request erasure
- The Controller no longer needs the data but the User needs it for the establishment, exercise or defence of legal claims
- The User has objected under Art. 21 and the verification of whether the Controller’s legitimate grounds override the User’s is pending
During the restriction period, the data is stored but not otherwise processed, except with the User’s consent or for the establishment or defence of legal claims.
8.5 Right to Data Portability (Art. 20)
The User has the right to receive their data in a machine-readable format (JSON).
8.6 Right to Object (Art. 21)
The User may object to processing based on legitimate interest (particularly Alert Events, Section 3.5).
8.7 Right to Withdraw Consent (Art. 7(3))
If the legal basis of processing is the User’s consent, the User may withdraw their consent at any time free of charge. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
8.8 Automated Decision-Making (Art. 22)
OnWay does not use automated individual decision-making or profiling that produces legal effects on the User or similarly significantly affects them.
8.9 Right to Lodge a Complaint (Art. 77)
The User has the right to lodge a complaint with a supervisory authority if they consider that the processing violates the GDPR.
Supervisory authorities:
- Hungary: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — https://naih.hu
- Serbia: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti — https://www.poverenik.rs
- Other EU countries: the supervisory authority of the User’s country of residence
9. How to Exercise Your Rights
The User can exercise the above rights by:
- Within the App — through the relevant options in the Settings menu (including “Delete my data”)
- By email — sending a request to onway.help@proton.me
The Controller will examine the request within 30 days. For complex requests, this period may be extended by an additional 60 days (the User will be notified).
For identification purposes, the Controller may request re-authentication before executing the request to prevent unauthorized third parties from accessing the User’s data.
10. Changes to This Policy
The Controller reserves the right to unilaterally modify this Policy. The User will be notified of changes via the App at least 15 days before the effective date.
11. Children’s Privacy
OnWay is a service available to persons aged 16 or older, reflecting the default digital-consent age set by Article 8 GDPR. Users under 16 may only use the App with the consent of a person with parental responsibility. The Controller does not knowingly collect data from children under 16 without appropriate parental consent. If the Controller becomes aware that data of a child under 16 has entered the system without the necessary consent, it will be deleted immediately.
Country-specific digital-consent ages: The minimum age may vary by EU Member State (between 13 and 16) and by jurisdiction (e.g., 15 in Serbia under Article 16 ZZPL, 16 in Hungary under Infotv.). Users from jurisdictions with a lower age threshold may use the App if they meet the threshold of their country of habitual residence.
12. Contact for Privacy Matters
- Email: onway.help@proton.me
- Data Protection Officer (DPO): The Controller is not required to appoint a DPO under Article 37 GDPR.
Last updated: 2026-04-13 Version: 1.0