# Moriva — Privacy Policy

**Last updated:** 2026-05-18
**Effective date:** TBD — set on first Play Store publish

---

## Plain-language summary

Moriva is a personal GPS tracker that runs on your phone. Almost all your data — every visit, location, and GPS point — stays on your phone and is never sent anywhere.

There are exactly three situations in which any data leaves your device, and we want to be honest about each one:

1. **To convert your GPS coordinate into a street address**, the coordinate is sent to OpenStreetMap's Nominatim service. Your IP address is necessarily included in the network request (that's how the internet works). No name, no account, no device ID accompanies the request.
2. **To create a cloud backup**, you can choose to upload an encrypted file to *your own* Google Drive or OneDrive. The file is encrypted with a password only you know **before** it leaves your phone, using AES-256-GCM. We never see the file content or your password.
3. **If crash reporting is enabled in this build**, technical information about an app crash (stack trace, device model, OS version) is sent to Sentry. Your location data is never included.

We have no servers. There is no account to create. We collect zero analytics. We have no idea who you are.

---

## Who we are (Data Controller)

- **Operator:** Mr. Claes
- **Country:** Belgium (EU)
- **Contact:** info@moriva.app
- **App identifier:** `app.moriva.tracker`
- **Data Protection Officer:** Not required (we do not engage in regular and systematic monitoring of data subjects on a large scale, nor do we process special categories of data at scale). The controller above acts as the contact point for data protection matters.

---

## Data we process

The table below lists every category of data the app handles and exactly where it goes. Every row marked "Nothing" is still included in the encrypted cloud backup if you enable that optional feature; see the "Encrypted cloud backup" section.

| Data type | Where it lives | Why | What leaves your device, if anything |
|-----------|----------------|------|---------------------------------------|
| GPS coordinates (latitude, longitude, accuracy, timestamp) | Your phone only | Detect and record your visits | **Nothing in the clear.** A single coordinate is sent to Nominatim when a new place needs an address (see "Address lookups" below); otherwise GPS data is never transmitted by Moriva itself. |
| Visit records (location reference, arrival, departure, duration) | Your phone only | Build your timeline and reports | Nothing |
| Tracked locations (coordinates, radius, optional name and category, visit stats) | Your phone only | Recognise places you visit repeatedly | Nothing |
| Optional category labels and notes you add | Your phone only | Personalisation | Nothing |
| Tracking settings (battery mode, intervals, schedule) | Your phone only | Remember your preferences | Nothing |
| Address / place-name lookups | Your phone (30-day cache) | Display human-readable place names instead of raw coordinates | **Sent to Nominatim** (see next section) |
| Encrypted backup file (when you tap "Backup now") | Your Google Drive or OneDrive | Restore data after reinstall or on a new phone | **Sent to Google/Microsoft as an opaque encrypted blob** (see "Backup" section) |
| OAuth access + refresh tokens | Android SecureStore (hardware-backed encryption on most devices) | Authenticate backup uploads/downloads | Sent only to Google or Microsoft, never to us |
| Crash reports (only if active in this build) | In-memory until a crash occurs | Diagnose app crashes | Sent to Sentry (see "Crash reporting" section) |

### What we do NOT collect

- No analytics events of any kind — no "app opened", no "feature used", no session tracking
- No advertising identifier (no GAID, no IDFA)
- No account creation — there is no login, no registration, no password reset
- No name, email, phone number, or identity data
- No contacts, microphone, camera, or calendar access — these permissions are never requested
- No third-party SDKs that collect behavioural data (beyond the optional Sentry crash reporting described below)

---

## Address lookups via Nominatim (be aware: coordinates leave your device)

When the app encounters a location it has never seen before, it converts the GPS coordinate into a human-readable address (street name, city, country) by sending an HTTPS request to **Nominatim**, the geocoding service operated by the OpenStreetMap Foundation.

### What is sent

- **Latitude and longitude** of the location (with up to 5 decimal places — roughly 1 metre precision)
- **HTTP headers**, including:
  - Your **IP address** (necessarily, as part of the TCP/IP connection)
  - A `User-Agent` header identifying the app: `Moriva/1.x (location-tracking; contact@moriva.app)`
- **No identifier of you, no account, no device ID, no app instance ID** is transmitted in either the request body or the headers (beyond what the network stack itself sends — IP address only)

### What comes back

- The street address or place name in the same language as your device, if available, otherwise English
- This response is **cached on your phone for 30 days** to avoid repeated requests for the same location

### Who is Nominatim

- Operated by the **OpenStreetMap Foundation** (a non-profit organisation; servers in Germany)
- Used by thousands of apps and websites worldwide
- See their privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy

### Your control

- As long as you only visit places whose address is already in the cache (and the cached entry is less than 30 days old), no Nominatim requests are made
- A three-mode setting under **Settings → Privacy → Address lookup** lets you choose:
  - **Full** (default) — new coordinates are resolved via Nominatim
  - **Cache only** — never make new requests; reuse only addresses already cached on your device. Places not yet in the cache show raw coordinates
  - **Off** — never resolve; raw coordinates are always shown. Zero outgoing requests to Nominatim from the app
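The request, the 30-day cache and the three-mode control described above, as an added Node.js example (this is illustrative code, not Moriva's own source). The network call is injected as `fetcher` so the example runs offline; the reverse-geocoding endpoint, the `jsonv2` format parameter, the `Accept-Language` header and the cache-key format are assumptions, and only the `User-Agent` string is taken from the policy.

```javascript
// Added example (not Moriva's own code): the three-mode address-lookup
// setting and the 30-day on-device cache described in the policy. The
// network call is injected as `fetcher` so this runs offline; the endpoint,
// the `jsonv2` format parameter, the Accept-Language header and the
// cache-key format are assumptions. Only the User-Agent string is quoted.
const CACHE_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
const USER_AGENT = 'Moriva/1.x (location-tracking; contact@moriva.app)';
const MODES = new Set(['full', 'cache-only', 'off']);

// Coordinates are rounded to 5 decimals (~1 m) before they are used as a
// cache key or put on the wire, so nothing more precise ever leaves the device.
function cacheKey(lat, lon) {
  return `${lat.toFixed(5)},${lon.toFixed(5)}`;
}

// Builds the reverse-geocoding request. Note what is *not* here: no user id,
// device id or app-instance id. The only identifying datum is the IP address
// that the network stack adds on its own.
function buildReverseRequest(lat, lon, lang) {
  const url = new URL('https://nominatim.openstreetmap.org/reverse'); // assumed endpoint
  url.searchParams.set('format', 'jsonv2');
  url.searchParams.set('lat', lat.toFixed(5));
  url.searchParams.set('lon', lon.toFixed(5));
  return {
    url: url.toString(),
    headers: { 'User-Agent': USER_AGENT, 'Accept-Language': lang },
  };
}

class AddressResolver {
  // `fetcher(request) -> address string` is synchronous here to keep the
  // example self-contained; a real client would await an HTTPS call.
  constructor({ mode = 'full', fetcher, now = () => Date.now() }) {
    if (!MODES.has(mode)) throw new Error(`unknown mode ${mode}`);
    this.mode = mode;
    this.fetcher = fetcher;
    this.now = now;
    this.cache = new Map(); // key -> { address, fetchedAt }
    this.requests = 0;      // outgoing requests actually made
  }

  // Returns an address string, or null when raw coordinates should be shown.
  resolve(lat, lon, lang = 'en') {
    if (this.mode === 'off') return null;           // zero requests, cache ignored

    const key = cacheKey(lat, lon);
    const hit = this.cache.get(key);
    if (hit && this.now() - hit.fetchedAt < CACHE_TTL_MS) return hit.address;

    if (this.mode === 'cache-only') return null;    // never create new requests

    this.requests += 1;
    const address = this.fetcher(buildReverseRequest(lat, lon, lang));
    this.cache.set(key, { address, fetchedAt: this.now() });
    return address;
  }
}
```

The useful property to check is negative: in `cache-only` and `off` mode the injected fetcher is never called, whatever coordinates are passed in, and in `full` mode two fixes that round to the same 5-decimal key cost exactly one request until the 30-day entry expires.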

### Legal basis

We rely on **Article 6(1)(b) GDPR — necessary for the performance of the contract you entered into with us** when you installed Moriva: the app's core function is to show you where you have been, and a list of raw GPS coordinates is not what a normal user expects. Reverse-geocoding is the minimum technically necessary to deliver that function.

---

## Encrypted cloud backup (technical detail)

You can optionally back up your data to either Google Drive or OneDrive. This feature is **off by default** — you must explicitly tap "Connect" in Settings → Cloud backup to authorise it, then tap "Backup now" to create each backup.

### What is in the backup file

A single encrypted JSON blob containing:

- All your visit records (every visit, with timestamps, location reference, duration, optional notes)
- All your tracked locations (coordinates, radius, names, categories, visit stats)
- All GPS points stored on the device (typically one point every 30 seconds while tracking was active)
- Your category list, tracking settings, and schedule

The backup includes everything required to rebuild your timeline on a new device. It does **not** include OAuth tokens or passwords.

### How encryption works

1. You enter a password (chosen by you, never stored anywhere)
2. The app generates a fresh random 16-byte **salt** and a fresh random 12-byte **nonce** for this backup
3. The password is stretched into a 256-bit AES key using **PBKDF2-SHA256 with 310,000 iterations** (the figure OWASP recommended for PBKDF2-HMAC-SHA256 in 2021; OWASP's current Password Storage Cheat Sheet recommends 600,000, and the iteration count used by the app will be raised over time to keep pace with computing power)
4. The plaintext JSON is encrypted with **AES-256-GCM** — this is authenticated encryption that also detects tampering: any single bit-flip in the file invalidates the entire backup
5. The encrypted bytes (with the salt and nonce prepended in plain text — they're not secret, they're just needed to decrypt) are uploaded to your Drive

### What the cloud provider sees

- **Google Drive or OneDrive** sees a file named `moriva-backup-YYYY-MM-DD-HHMMSS.bak` (or similar) inside a folder called "Moriva Backups" in your storage
- The file contents are opaque encrypted bytes: neither Google nor Microsoft can read them
- File name, file size, upload time, and the folder name are visible to the provider as normal storage metadata; in particular the file name reveals when each backup was made

### What we see

**Nothing.** We have no server. The OAuth tokens that authenticate your uploads are stored only on your phone. We have no way to read your backups, intercept them, or know that you made one.

### Important: password recovery is impossible

If you lose your password, **the backup is permanently unrecoverable**. There is no password reset, no key escrow, no recovery code. This is by design — anything else would mean we (or some other party) could decrypt your data, which we explicitly cannot do.

Choose a password you can remember or write it down in a secure place (e.g. a password manager).

### What "Drive scope" means

The OAuth scopes we request are **`drive.file`** (Google) and **`Files.ReadWrite` + `offline_access`** (Microsoft). With Google's `drive.file`, Moriva can only see and modify files that Moriva itself created (or that you explicitly open with it); we **cannot** see your photos, documents, or any other file in your Drive, and you can verify this on your Google Account permissions page. Microsoft's `Files.ReadWrite` is broader: it technically grants read and write access to all files in your OneDrive, not only Moriva's own. Moriva only reads and writes inside its own backup folder, but the permission you grant is wider than that, and Microsoft shows its exact wording on the consent screen and under your account's app permissions. `offline_access` is what lets the app obtain a refresh token so you are not asked to sign in again before every backup.

### Legal basis

**Article 6(1)(a) GDPR — your explicit consent.** Each time you tap "Backup now" or connect a Drive account, you actively choose to send a file to your own cloud storage. You can revoke this consent at any time using the "Disconnect" button in Settings → Cloud backup, or via your Google or Microsoft account settings.

---

## Plain-format exports (CSV and GPX)

Independent of the encrypted cloud backup, you can export your data in standard portable formats from **Settings → Export**:

- **Visits CSV** — one row per recorded visit (location name, address, categories, coordinates, arrival, departure, duration). Opens cleanly in any spreadsheet.
- **GPS track GPX** — your raw GPS points from the last 12 months as a single GPX 1.1 track. Loads into Strava, Google MyMaps, Garmin, OsmAnd, or any GPX-aware tool.

Both files are written to your device first and then handed to the system's standard "share" dialog — you choose the destination (email, cloud drive, file manager). Moriva does not transmit them anywhere itself.

### Sensitive-place redaction

You can flag any tracked location as **Sensitive** in its detail screen. When you do:

- Visits at that location are **omitted from the Visits CSV**
- GPS points within 100 m of that location's centre (or within the location's own radius, if that is larger) are **omitted from the GPS track GPX**

This protects places you don't want to appear in plaintext exports (typically Home, but also clinics, places of worship, partners, and so on) even when you legitimately want to share the rest of your data. The flag has **no effect on encrypted cloud backups**: those are unreadable to third parties anyway, so redacting from them would only mean losing the data on restore.

The success dialog after each export shows how many records were kept and how many were redacted, so you can confirm the protection actually fired.
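The redaction described above, as an added Node.js example (not Moriva's source code). The record shapes and sample data are constructed for the example, and the exclusion radius is taken as the larger of 100 m and the location's own radius, which is how the policy's "at least 100 m" is read here. The CSV writer also guards against a place name that a spreadsheet would read as a formula, a risk the policy does not mention but that follows from "opens cleanly in any spreadsheet".

```javascript
// Added example (not Moriva's own code): sensitive-place redaction for the
// plaintext CSV and GPX exports. Data shapes and samples are invented for the
// example; the exclusion radius is max(100 m, the location's own radius),
// this example's reading of the policy's "within at least 100 m".
const EARTH_RADIUS_M = 6371000;
const MIN_REDACTION_RADIUS_M = 100;

// Great-circle distance between two WGS84 points, in metres (haversine).
function haversineM(lat1, lon1, lat2, lon2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2
    + Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

function redactionZones(locations) {
  return locations
    .filter((loc) => loc.sensitive)
    .map((loc) => ({ lat: loc.lat, lon: loc.lon, radiusM: Math.max(MIN_REDACTION_RADIUS_M, loc.radius || 0) }));
}

// Visits CSV: drop every visit whose location is flagged sensitive.
function redactVisits(visits, locations) {
  const sensitiveIds = new Set(locations.filter((l) => l.sensitive).map((l) => l.id));
  const kept = visits.filter((v) => !sensitiveIds.has(v.locationId));
  return { kept, redacted: visits.length - kept.length };
}

// GPS track GPX: drop every point inside any zone, so the track does not
// betray the place by leading straight up to it and stopping.
function redactTrack(points, locations) {
  const zones = redactionZones(locations);
  const kept = points.filter((p) => !zones.some((z) => haversineM(p.lat, p.lon, z.lat, z.lon) <= z.radiusM));
  return { kept, redacted: points.length - kept.length };
}

// RFC 4180 quoting, plus a leading apostrophe on free-text fields that a
// spreadsheet would otherwise evaluate as a formula (a user-chosen place
// name like "=HYPERLINK(...)" must not execute when the file is opened).
// Numeric fields such as coordinates are left untouched.
function csvField(value) {
  let s = String(value ?? '');
  if (typeof value === 'string' && /^[=+\-@\t\r]/.test(s)) s = `'${s}`;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function visitsToCsv(visits, locations) {
  const byId = new Map(locations.map((l) => [l.id, l]));
  const header = 'location,latitude,longitude,arrival,departure';
  const rows = redactVisits(visits, locations).kept.map((v) => {
    const loc = byId.get(v.locationId);
    return [loc.name, loc.lat, loc.lon, v.arrival, v.departure].map(csvField).join(',');
  });
  return [header, ...rows].join('\r\n');
}

function trackToGpx(points, locations) {
  const trkpts = redactTrack(points, locations).kept
    .map((p) => `    <trkpt lat="${p.lat}" lon="${p.lon}"><time>${p.time}</time></trkpt>`)
    .join('\n');
  return '<?xml version="1.0" encoding="UTF-8"?>\n'
    + '<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">\n'
    + `  <trk><trkseg>\n${trkpts}\n  </trkseg></trk>\n</gpx>`;
}

// Constructed sample data: a sensitive Home, a non-sensitive Office, and
// three GPS points at 0 m, ~56 m and ~222 m north of Home.
const SAMPLE_LOCATIONS = [
  { id: 1, name: 'Home', lat: 50.8503, lon: 4.3517, radius: 50, sensitive: true },
  { id: 2, name: 'Office, "HQ"', lat: 50.8400, lon: 4.3600, radius: 60, sensitive: false },
];
const SAMPLE_VISITS = [
  { locationId: 1, arrival: '2026-05-01T07:00:00Z', departure: '2026-05-01T08:00:00Z' },
  { locationId: 2, arrival: '2026-05-01T08:30:00Z', departure: '2026-05-01T17:00:00Z' },
  { locationId: 2, arrival: '2026-05-02T08:30:00Z', departure: '2026-05-02T17:00:00Z' },
];
const SAMPLE_POINTS = [
  { lat: 50.8503, lon: 4.3517, time: '2026-05-01T07:10:00Z' },
  { lat: 50.8508, lon: 4.3517, time: '2026-05-01T08:01:00Z' },
  { lat: 50.8523, lon: 4.3517, time: '2026-05-01T08:03:00Z' },
];
```

With this sample, the Home visit is dropped from the CSV (1 of 3 redacted) and the two points within 100 m of Home are dropped from the GPX (2 of 3 redacted) even though Home's own radius is only 50 m, which is the "kept / redacted" count the success dialog would show.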

---

## Crash reporting via Sentry

The app may contain Sentry crash reporting, an industry-standard service used by thousands of apps to detect and diagnose software crashes.

### Is it active in this build?

Sentry is active only if this specific app build was compiled with a Sentry DSN configured. To check, look at the "About" section in Settings — it will indicate whether crash reporting is enabled. In builds without a DSN, the Sentry SDK is present but inert.

### What Sentry receives, when a crash occurs

- The **stack trace** of the crash (which lines of code failed, in which file)
- **Device model** (e.g. "Samsung Galaxy S22"), **OS version** (e.g. "Android 14"), **app version**
- A **breadcrumb trail** of the last ~20 internal log events (text messages like `[Tracking] Service died, attempting restart` — these never contain coordinates or personal data)
- A random Sentry-generated event ID for deduplication

### What Sentry never receives (enforced in code)

- GPS coordinates
- Visit records, location names, or timestamps
- Backup file contents
- OAuth tokens or any credentials
- Default PII (`sendDefaultPii: false` is set at SDK initialisation)

### Performance traces

Up to 5% of app sessions also send a "performance trace" — this is timing data for navigation events (e.g. "the Settings screen took 320ms to render"). No personal data.
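The "enforced in code" exclusions and the sampling figure above, as an added Node.js example (not Moriva's own code). The option names `dsn`, `sendDefaultPii`, `tracesSampleRate`, `maxBreadcrumbs`, `beforeBreadcrumb` and `beforeSend` are real Sentry JavaScript SDK options; the scrubbing hooks, their regular expressions and the field names they drop are this example's own belt-and-braces choices, and `Sentry.init` is deliberately not called so the block runs without the SDK installed.

```javascript
// Added example (not Moriva's own code): the Sentry init options the policy
// names, plus beforeBreadcrumb/beforeSend hooks that strip anything
// coordinate- or credential-shaped before an event leaves the device. The
// option names are real Sentry JS SDK options; the regexes and the list of
// dropped keys are this example's choices. Sentry.init is not called here.
const COORD_RE = /-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}/g; // e.g. "50.85034, 4.35171"
const BEARER_RE = /Bearer\s+[\w.~+/=-]+/g;                      // OAuth access tokens in logs/headers
const SENSITIVE_KEY_RE = /^(lat|latitude|lon|lng|longitude|coords?|coordinates|address|password|secret)$|token$/i;

function scrubString(s) {
  return s.replace(COORD_RE, '[coords]').replace(BEARER_RE, '[token]');
}

// Walks a plain object in place: drops keys whose name looks sensitive,
// scrubs string values, recurses into nested objects and arrays.
function scrubObject(obj) {
  if (!obj || typeof obj !== 'object') return obj;
  for (const key of Object.keys(obj)) {
    if (SENSITIVE_KEY_RE.test(key)) { delete obj[key]; continue; }
    const v = obj[key];
    if (typeof v === 'string') obj[key] = scrubString(v);
    else if (typeof v === 'object') scrubObject(v);
  }
  return obj;
}

// beforeBreadcrumb hook: runs on every log, navigation or http breadcrumb.
function scrubBreadcrumb(breadcrumb) {
  if (typeof breadcrumb.message === 'string') breadcrumb.message = scrubString(breadcrumb.message);
  if (breadcrumb.data) scrubObject(breadcrumb.data);
  return breadcrumb;
}

// beforeSend hook: last chance before the event is serialised and sent.
function scrubEvent(event) {
  delete event.user;                          // no id, email or IP, whatever sets them
  if (event.request) {
    delete event.request.headers;             // Authorization headers never ship
    delete event.request.cookies;
  }
  if (typeof event.message === 'string') event.message = scrubString(event.message);
  if (event.breadcrumbs && Array.isArray(event.breadcrumbs.values)) {
    event.breadcrumbs.values = event.breadcrumbs.values.map(scrubBreadcrumb);
  }
  if (event.extra) scrubObject(event.extra);
  if (event.contexts) scrubObject(event.contexts);
  return event;
}

// Options as they would be passed to Sentry.init(sentryOptions).
const sentryOptions = {
  dsn: process.env.SENTRY_DSN,   // undefined in builds without a DSN: the SDK stays inert
  sendDefaultPii: false,         // no IP address, no user context
  tracesSampleRate: 0.05,        // "up to 5% of sessions" send a performance trace
  maxBreadcrumbs: 20,            // the "~20 internal log events"
  beforeBreadcrumb: scrubBreadcrumb,
  beforeSend: scrubEvent,
};
```

The hooks are deliberately redundant with the logging discipline the policy describes: the claim that breadcrumbs "never contain coordinates" holds only as long as every future log line respects it, whereas a scrubber at the SDK boundary holds regardless.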

### Data residency

We use Sentry's **EU data-residency region** (`*.de.sentry.io` ingest endpoint). Data does not leave the EEA.

### Legal basis

**Article 6(1)(f) GDPR — legitimate interest** in identifying and fixing software defects reliably. The processing is minimal (no PII), the data is short-lived, and you have a right to object — see "Your rights" below.

---

## Retention

| Data category | Retention |
|--------------|-----------|
| GPS points, visits, locations, categories, settings (all on your device) | As long as you keep the app installed. Deleted immediately when you uninstall the app OR tap Settings → "Delete all data". |
| Geocoding cache (on your device) | 30 days from the last lookup of a given coordinate, then automatically refreshed on next access. |
| Encrypted backup files (on Google Drive / OneDrive) | Until you delete them. By default Moriva does not delete old backups; if you set a limit in the app's "retention" setting, the oldest backups beyond that limit are removed after each new backup succeeds. |
| OAuth tokens (on your device) | Until you tap Disconnect in Settings, or revoke access via your Google or Microsoft account. |
| Sentry crash reports (if active) | 30 days on Sentry's servers, then automatically deleted under the retention configured for our Sentry project. You can request earlier deletion (see "Your rights"). |
| Nominatim request logs | Per OpenStreetMap Foundation's policy — typically not retained beyond operational logs. See https://wiki.osmfoundation.org/wiki/Privacy_Policy |

---

## Your rights under GDPR

You have the following rights under the EU General Data Protection Regulation. Because almost all your data lives on your device, you can exercise most of them directly without contacting us.

| Right | How to exercise it |
|-------|---------------------|
| **Access (Art. 15)** | All your data is visible inside the app: the Today, Map, and Reports tabs show every visit. For data we (or third parties on our behalf) process — geocoding lookups, crash reports — contact us; we will provide what we have. |
| **Rectification (Art. 16)** | Edit or delete individual visits and location names from inside the app. |
| **Erasure / "Right to be forgotten" (Art. 17)** | Settings → "Delete all data" removes every stored visit, location, GPS point, schedule, and backup credential from your phone. To remove the encrypted backup from your cloud, sign in to Google Drive / OneDrive and delete the file from the Moriva folder. To request deletion of any Sentry crash reports linked to your device, contact us with your most recent app session timestamp. |
| **Restriction (Art. 18)** | Pause all data processing by stopping tracking (Today tab → Stop) and disconnecting cloud backup (Settings → Disconnect). |
| **Portability (Art. 20)** | Two paths: (a) **Settings → Export** offers one-tap unencrypted exports of your visits as CSV and your raw GPS points as GPX, both in structured, commonly-used, machine-readable formats, sharable to any destination you choose. (b) The cloud backup feature produces an encrypted JSON snapshot; once decrypted with your password it is also machine-readable. |
| **Objection (Art. 21)** | You can object to Nominatim geocoding or Sentry crash reporting by contacting us. |
| **Withdrawal of consent (Art. 7(3))** | The Disconnect button in Settings → Cloud backup revokes Moriva's OAuth access to your Drive immediately. |
| **Automated decision-making (Art. 22)** | The app does not engage in automated decision-making or profiling. |

### Right to lodge a complaint with a Data Protection Authority

If you believe your rights have been violated, you have the right to lodge a complaint with a Data Protection Authority. As we are established in Belgium, our lead supervisory authority is:

**Gegevensbeschermingsautoriteit / Autorité de protection des données (Belgian DPA)**
Drukpersstraat 35, 1000 Brussel, Belgium
https://www.gegevensbeschermingsautoriteit.be/

You may also lodge a complaint with the DPA of your own country if you reside in the EU/EEA. A full list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en

### Response time

We respond to GDPR data-subject requests within **one month** as required by Art. 12(3) GDPR. If a request is complex, we may extend by up to two further months and will tell you why within the first month.

---

## Children

Moriva is not intended for children under 16 and is not directed at children. We do not knowingly collect or process the data of users under 16, and the app does not request age, name, or any identifying information.

Because all data remains on the device and is never transmitted to us, no action by us is required to delete it: a parent or guardian can remove all stored information by either (a) uninstalling the app, or (b) opening Settings → "Delete all data". We operate no server and therefore hold no data about any user, including any minor.

---

## Security summary

- **Encryption:** AES-256-GCM (authenticated encryption) for backups
- **Key derivation:** PBKDF2-SHA256, 310,000 iterations (see "How encryption works" for how this compares with current OWASP guidance)
- **OAuth:** PKCE (RFC 7636) with a cryptographically random verifier; tokens carry only the scopes listed under "What 'Drive scope' means" (app-created files only on Google; broader on Microsoft)
- **Token storage:** Android SecureStore (hardware-backed encryption on most devices)
- **Password handling:** Your backup password is never persisted anywhere. If you lose it, the backup is permanently unrecoverable — by design
- **No server:** There is no Moriva account, no Moriva server, and no Moriva-side database that could be breached

---

## International transfers

| Recipient | Data location |
|-----------|---------------|
| Nominatim | Germany (EU). No transfer outside the EEA. |
| Google Drive (your account) | Depends on your account's region. Most EU users' data is stored on EU servers. See Google's privacy policy at https://policies.google.com/privacy |
| OneDrive (your account) | Depends on your account's region. EU users' data is typically stored on EU servers under Microsoft's "EU Data Boundary" commitments. See https://www.microsoft.com/trust-center/privacy |
| Sentry (if active in build) | EU data residency region (`*.de.sentry.io`). Data does not leave the EEA. |

We do not initiate transfers outside the EEA. If you choose a Google or Microsoft account configured for a non-EU region, the data location is determined by your account settings, not by Moriva.

---

## Changes to this policy

We will update this page when the app changes in a way that affects data processing. The "Last updated" date at the top reflects the most recent revision.

**Material changes** (new data types collected, new third-party recipients, expanded purposes, significantly longer retention) will be announced in the app's release notes and may require fresh consent where applicable.

**Cosmetic edits** (typo fixes, link updates, clarifications that do not change substance) are not material and are made silently.

---

## Contact

- **Email:** info@moriva.app
- **Postal address:** Available on request

We respond to data-subject requests within one month as required by GDPR Art. 12(3).

---

*This privacy policy is published in English as the authoritative version, with translations into Dutch, French, German, and Spanish for your convenience. In case of conflict between language versions, the English text prevails.*
