Convoi — Privacy Policy
Effective date: set this to the date of your first Play Store release before publishing this page.
Contact: privacy@convoi.app (replace with the real published address)
What Convoi is
Convoi is a mobile app for motorcycle riders who ride in groups. Riders share their live location with a small group (“a convoy”) they explicitly join. The app shows everyone on a live map, lets the group plan a route together, exchanges turn-by-turn navigation, and opens a push-to-talk voice channel. There is no public profile, no content feed, no recommendation algorithm, and no advertising.
This policy explains what personal data we process to make that work, who else sees it, how long we keep it, and how you can take it back.
Data we collect from you directly
We collect only the data you give us on purpose.
| What | When | Used for |
|---|---|---|
| Email address | Sign-up via email/password, or via Google Sign-In | Authenticating you on every app launch; sending password resets |
| Display name | At sign-up (or pulled from Google Sign-In) | Showing other convoy members who you are on the map and in chat |
| Profile photo (optional) | When you upload one via Settings, or pulled from Google Sign-In | Avatar on the map and in chat |
| Bike make / model / year (optional) | When you fill them in Settings | Letting other riders see what you ride |
| Intercom brand (optional) | Settings dropdown | Pairing tips when riders meet up |
| Photos you send in chat | When you tap “Send photo” inside a convoy | Sharing with the other members of that convoy only |
| Voice audio | Only while you are inside an active voice channel in a convoy you joined | Carried in real-time to the other riders in that voice channel; never recorded on a server |
Data the app collects automatically
These are collected as a side effect of the app running. You can turn most of them off — see “Your controls” below.
Location
While a convoy is active and you have it open, Convoi reads your GPS position every few seconds and writes it to our database. The other riders in your convoy see your latest position on the live map. Specifically:
- What is stored: latitude, longitude, recorded-at timestamp, speed (when the device provides it), heading (when available).
- When it stops: the moment you leave the convoy screen and the convoy is no longer active for you. We do not run a background location tracker outside an active convoy.
- Foreground service notification: on Android, while a convoy is active, you see a persistent notification reminding you that your location is being shared. Tapping it returns you to the convoy.
- Retention: location samples are kept while the convoy is ongoing. After the convoy ends, the per-second history is collapsed into the trip summary (start/end, distance, duration, rough polyline) and stored against your account; individual per-second samples older than 30 days are deleted.
Device identifier (push notifications)
We register your device with Firebase Cloud Messaging and store the returned FCM token on your account row so we can send pushes (chat messages while the app is closed, convoy invites, friend requests, SOS alerts).
Crash and error reports
Crashes and unhandled exceptions are sent to Sentry. Each report includes a Convoi-generated anonymous user id (the same one we use internally — never your email or name), the device model, Android or iOS version, and the stack trace. We have configured Sentry to not include device IP addresses or email addresses with reports. Filters strip transient network errors that aren’t actionable.
Last-seen timestamp
Every 60 seconds while the app is in the foreground we update a last_seen_at timestamp on your account. This is used to show other riders in your convoys whether you’ve been active recently (it’s the “Last seen 5m ago” tag on the roster).
Locale + theme preferences
Stored locally on your device in SharedPreferences only. We never upload them.
Who we share data with
Convoi runs on managed cloud services. We do not sell, license, or share your data with advertisers, data brokers, or any third party not in the list below. Each service processes data only as needed to deliver Convoi to you.
| Service | What they process | Where |
|---|---|---|
| Supabase | Account row (email, display name, avatar URL, FCM token, bike info, intercom brand), convoy memberships, location samples, chat messages, status events, friendships, groups | EU region (Frankfurt) |
| Firebase Cloud Messaging | FCM token + push notification payloads (sender, event type, convoy id) | Google global infrastructure |
| Mapbox | Tile + Directions API requests — your origin, route waypoints, and destination as plain coordinates | Mapbox global infrastructure |
| LiveKit Cloud | Voice audio in real-time only while you’re inside a convoy’s voice channel; never recorded server-side | LiveKit global edge |
| Sentry | Anonymized crash reports as described above | Sentry EU region |
| Google Sign-In | If you sign in with Google, Google handles the OAuth handshake. Convoi receives the OAuth id token (email, name, optional photo) which we then exchange with Supabase | Google global |
Each of those providers has their own privacy policy. Links:
- Supabase: https://supabase.com/privacy
- Firebase: https://firebase.google.com/support/privacy
- Mapbox: https://www.mapbox.com/legal/privacy
- LiveKit: https://livekit.io/privacy
- Sentry: https://sentry.io/privacy/
- Google: https://policies.google.com/privacy
We share data with these processors only as needed to operate Convoi for you. We are not paid by them to share data, and we don’t combine your data across our services for any purpose other than the features described above.
Your controls
Inside the app
- Locations: stop sharing by leaving the convoy. The map will immediately stop receiving your position.
- Voice channel: mute the mic from the voice sheet, or leave the channel entirely.
- Push notifications: Settings → Notifications (system-level) → toggle “Convoy updates” / “SOS alerts” off independently. On Android, channels are per-locale (Convoy güncellemeleri/Convoy updates).
- Profile photo / bike info: edit or clear in Settings → Profile.
- Display name: Settings → Profile.
- Crash reports: there is no in-app toggle yet, but Sentry only receives reports when the app actually crashes. Reports never contain personal content (no chat text, no location, no email).
Export your data
Email privacy@convoi.app with the email address you signed up with. We send back a JSON export of:
- Account row (email, display name, bike info, intercom brand)
- Convoys you created or joined (id, name, dates, participants)
- Location samples retained at the moment of the request
- Chat messages you sent
- Status events you fired
- Friendships and groups you own
We do not include other riders’ data in your export — they would get their own export the same way.
Turnaround: 7 days max.
Delete your account
Email privacy@convoi.app from your account’s email address with the subject “Delete my Convoi account”. We delete everything in the table above within 30 days, except:
- Anonymized crash reports that don’t contain personal data, for the purpose of fixing reliability bugs.
- Trip summaries you sent to other riders. If you were on a group ride, the other riders still see that ride in their history; your participation in it is part of their data.
The Supabase account row is deleted (cascading to convoys, locations, messages, friendships). The FCM token is dropped. Your voice audio was never stored, so there’s nothing to delete on the LiveKit side.
Retention summary
| Data | How long |
|---|---|
| Account row | While your account exists |
| Active-convoy location samples | While the convoy is ongoing |
| Historical location samples (per-second) | 30 days, then deleted |
| Trip summaries | Indefinitely (while account exists) |
| Chat messages | Indefinitely (while the convoy exists in any participant’s account) |
| Voice audio | Not stored — peer-to-peer relayed through LiveKit in real-time |
| FCM token | Until you sign out or the token rotates |
| Crash reports | 90 days (Sentry retention setting) |
| Last-seen timestamp | Overwritten every minute; not historical |
Children
Convoi is not designed for children. The Play Store listing is rated for adults (18+) because it includes peer-to-peer voice chat and live location sharing — neither belongs in a children’s app. We do not knowingly collect personal data from anyone under 18. If you believe a minor is using Convoi with a parent’s account, please email privacy@convoi.app and we will help you remove them.
International transfers
Most processing happens in Supabase’s EU region. Some processors (Mapbox, LiveKit, Firebase) are global by design. By using Convoi you consent to your data being processed in the regions listed in the “Who we share data with” section.
Security
- All connections to Convoi’s servers go over HTTPS / WSS.
- Passwords are hashed by Supabase (bcrypt) — we never see them in plaintext.
- Voice audio is end-to-end DTLS-encrypted by LiveKit.
- Row-level security policies in Supabase ensure that you can read only your own data + the convoys you’re a member of.
- Access to the production database is restricted to the maintainer’s account and is audited via Supabase.
Despite this, no online service is 100% breach-proof. If we learn of a breach affecting your data we will notify you within 72 hours at the email address on your account.
Changes to this policy
When we change this policy in a way that affects how your data is processed, we will:
- Update the “Effective date” at the top.
- Show an in-app notice on the next launch summarizing the change.
- If the change is material (e.g. a new processor is added, or retention extends), require you to accept the new terms before the app continues.
The full change history is visible in the Git history of docs/legal/privacy.md on the Convoi repository (link in the support page).
Contact
Questions, exports, deletions, or complaints:
If you’re an EU resident and we have not responded to a privacy request within 30 days, you can complain to your national data protection authority. For Turkey: KVKK (https://www.kvkk.gov.tr/).