Skip to the content.

Privacy Policy

Service: OnWay — traffic POI awareness application Data Controller: Malatenski David, individual developer (Serbia) Contact: onway.help@proton.me Effective Date: 2026-04-13 Version: 1.0


1. Data Controller

This Privacy Policy (“Policy”) applies to personal data processed in connection with the OnWay app.

Data Controller Malatenski David (individual developer)
Country Serbia
Email onway.help@proton.me

The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — “GDPR”) and applicable national data protection laws.

2. Purpose of This Policy

This Policy aims to transparently present:

3. Categories of Personal Data We Process

The operation of OnWay requires the processing of the following categories of personal data:

3.1 Pseudonymous Device Identifier (User Account)

3.2 Device Information

3.3 Location Data (GPS)

Consent for background location processing is handled in accordance with GDPR Articles 7 and 4(11):

3.4 User Reports

3.5 Alert Events

3.6 Report Votes

3.7 Optional Nickname

3.8 Admin Audit Log (admin users only)

3.9 What We Do NOT Process

OnWay expressly does not process:

4. Data Retention

Data Type Retention Period
Pseudonymous device row (devices) Until the User’s deletion request, or automatic anonymization after 24 months of inactivity
Reports (reports) Active: until expiration (45 min — 8 hours). Expired: 90 days, then automatic deletion
Votes (report_votes) Anonymized when the User deletes their account; counts are preserved without attribution
Camera confirmations (camera_confirmations) Anonymized when the User deletes their account; counts are preserved without attribution
Alert events (alert_events) 12 months, then automatic anonymization and conversion to aggregated statistics, which under Recital 26 GDPR no longer qualify as personal data
Admin audit log (admin_audit_log) 5 years (for accountability and security purposes)
GPS data (real-time) NOT stored on the server (except in the above cases)

After the retention period expires, the Controller automatically deletes or irreversibly anonymizes the data.

5. Data Processors and Third-Party Sharing

To provide the Service, the Controller uses the following data processors:

5.1 Primary Processor: Supabase

5.2 Map Tile Service: OpenStreetMap

5.3 Platform Providers (Mobile Stores)

5.4 Push Notifications (future feature)

If the App introduces push notification functionality, the push token and notification content will be transmitted via Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). This feature is not currently active.

5.5 No Sale of Data

The Controller does not sell, rent or transfer for marketing purposes the User’s personal data to third parties.

6. International Data Transfers

The Controller primarily stores data within the European Union (AWS eu-west-3, Paris). For the non-EU processors listed above (e.g., Apple, Google), data transfers are conducted based on the following compliance mechanisms:

7. Security Measures

The Controller applies the following measures to secure the data:

8. User (Data Subject) Rights

Under the GDPR, the User has the following rights:

8.1 Right of Access (Art. 15)

The User has the right to request information on whether we process their data and, if so, what data we process.

8.2 Right to Rectification (Art. 16)

The User has the right to request the correction of inaccurate data.

8.3 Right to Erasure (Right to Be Forgotten, Art. 17)

The User may at any time request the deletion of their personal data, either by using the in-app “Delete my data” option in Settings, or by emailing the Controller.

8.4 Right to Restriction of Processing (Art. 18)

The User may request the Controller to restrict the processing of their personal data if:

During the restriction period, the data is stored but not otherwise processed, except with the User’s consent or for the establishment or defence of legal claims.

8.5 Right to Data Portability (Art. 20)

The User has the right to receive their data in a machine-readable format (JSON).

8.6 Right to Object (Art. 21)

The User may object to processing based on legitimate interest (particularly Alert Events, Section 3.5).

If the legal basis of processing is the User’s consent, the User may withdraw their consent at any time free of charge. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

8.8 Automated Decision-Making (Art. 22)

OnWay does not use automated individual decision-making or profiling that produces legal effects on the User or similarly significantly affects them.

8.9 Right to Lodge a Complaint (Art. 77)

The User has the right to lodge a complaint with a supervisory authority if they consider that the processing violates the GDPR.

Supervisory authorities:

9. How to Exercise Your Rights

The User can exercise the above rights by:

  1. Within the App — through the relevant options in the Settings menu (including “Delete my data”)
  2. By email — sending a request to onway.help@proton.me

The Controller will examine the request within 30 days. For complex requests, this period may be extended by an additional 60 days (the User will be notified).

For identification purposes, the Controller may request re-authentication before executing the request to prevent unauthorized third parties from accessing the User’s data.

10. Changes to This Policy

The Controller reserves the right to unilaterally modify this Policy. The User will be notified of changes via the App at least 15 days before the effective date.

11. Children’s Privacy

OnWay is a service available to persons aged 16 or older, reflecting the default digital-consent age set by Article 8 GDPR. Users under 16 may only use the App with the consent of a person with parental responsibility. The Controller does not knowingly collect data from children under 16 without appropriate parental consent. If the Controller becomes aware that data of a child under 16 has entered the system without the necessary consent, it will be deleted immediately.

Country-specific digital-consent ages: The minimum age may vary by EU Member State (between 13 and 16) and by jurisdiction (e.g., 15 in Serbia under Article 16 ZZPL, 16 in Hungary under Infotv.). Users from jurisdictions with a lower age threshold may use the App if they meet the threshold of their country of habitual residence.

12. Contact for Privacy Matters


Last updated: 2026-04-13 Version: 1.0