Legal
Privacy Policy
Last updated: 2026-06-30
This notice explains how RoadPeer processes your personal data in line with the EU General Data Protection Regulation (GDPR / DSGVO) and applicable national law. RoadPeer is a compliance-first travel and camping marketplace and community for the EU/EEA. We try to collect as little as possible and to keep your location coarse by default.
1. Data controller
The controller responsible for processing your personal data under Art. 4(7) GDPR is:
- [PLACEHOLDER: Legal entity / operator name]
- [PLACEHOLDER: Registered address]
- Contact: [PLACEHOLDER: privacy contact email]
- Data protection officer (if appointed): [PLACEHOLDER: DPO name / email, or "not appointed"]
2. What data we collect
We collect only what is needed to run the marketplace and community.
- Account & authentication. Your email address and login credentials, handled through our authentication provider (Supabase Auth). We do not store your password in readable form.
- Profile. Display name, photo and bio you choose to provide. Providers may additionally supply an optional date of birth (to confirm the 18+ requirement) and an optional tax-residence country for compliance.
- Approximate location. When you switch on location sharing, we process a fuzzed location accurate only to roughly 1 km. We do not store your precise GPS coordinates for sharing. Location sharing is off until you explicitly enable it and can be turned off at any time.
- Messages. The content of messages you exchange with other members.
- Road spots. Community-submitted camping and road locations, notes and photos you contribute.
- Reviews & ratings. Feedback you leave about providers, spots or other members.
- Virtual points. Records of the in-app points you earn or spend. Points have no monetary value (see our Terms).
- Technical & usage data. Device, browser and basic log data processed to keep the service secure and working.
There is no real money on the platform yet — only virtual points — so we do not process payment-card or bank data at this stage.
3. Legal bases (Art. 6 GDPR)
- Contract (Art. 6(1)(b)). Creating and operating your account, messaging, reviews and the points system so we can provide the service you signed up for.
- Consent (Art. 6(1)(a)). Live/approximate location sharing and any optional features. You can withdraw consent at any time, e.g. by disabling location sharing.
- Legitimate interests (Art. 6(1)(f)). Security, fraud and abuse prevention, content moderation, and improving the service — balanced against your rights.
- Legal obligation (Art. 6(1)(c)). Where we must keep or disclose data to comply with EU/national law, including the Digital Services Act notice-and-action duties.
4. Purposes of processing
- Operate accounts, profiles and the community.
- Show approximate locations on the map when sharing is enabled.
- Enable messaging, road spots, reviews and the virtual points system.
- Moderate content and handle flags/reports (DSA notice-and-action).
- Keep the platform safe and prevent abuse and fraud.
- Comply with our legal obligations.
5. Third parties & processors
We share data only with service providers acting on our instructions under Art. 28 GDPR data-processing agreements, and only as needed.
- Authentication & database — Supabase. Hosts our account, authentication and core data. [PLACEHOLDER: Supabase region / hosting location]
- Hosting / infrastructure. [PLACEHOLDER: hosting provider & region]
- Map tiles. When the map loads, your browser requests tiles from our map-tile provider, which may receive your IP address and viewport. [PLACEHOLDER: map tile provider]
We do not sell your personal data and we do not use advertising trackers.
6. Retention
We keep personal data only for as long as needed for the purposes above. As a guide:
- Account & profile data: while your account is active.
- Approximate location: processed transiently while sharing is on and not retained as a location history beyond what is needed to show you on the map. [PLACEHOLDER: exact retention period]
- Messages, road spots and reviews: kept while relevant to the community, then deleted or anonymised. [PLACEHOLDER: retention period]
- After account deletion: removed or anonymised, except where law requires retention. [PLACEHOLDER: legal retention period]
7. Your rights (Art. 15–22 GDPR)
You have the right to:
- Access your data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data — the "right to be forgotten" (Art. 17).
- Restrict processing (Art. 18).
- Data portability — receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Not be subject to solely automated decisions with legal effect (Art. 22).
- Withdraw consent at any time, without affecting prior processing.
To exercise any right, contact [PLACEHOLDER: privacy / data-subject request email]. We will respond within one month as required by Art. 12 GDPR. You can also delete your account in-app to trigger erasure.
8. International transfers
We aim to keep processing within the EU/EEA. Where a processor transfers data outside the EU/EEA, we rely on appropriate safeguards under Chapter V GDPR, such as an adequacy decision or Standard Contractual Clauses. [PLACEHOLDER: list any non-EU/EEA transfers & safeguards]
9. Complaints to a supervisory authority
If you believe we have mishandled your data, you may lodge a complaint with a data protection supervisory authority, in particular in your country of residence or place of the alleged infringement (Art. 77 GDPR). Our lead supervisory authority is [PLACEHOLDER: competent supervisory authority & contact]. We would appreciate the chance to address your concern first.
10. Contact & changes
Questions about this policy? Contact [PLACEHOLDER: privacy contact email]. We may update this notice; the "Last updated" date above reflects the current version, and material changes will be communicated in-app.