Privacy Policy
## Track & Travel — Privacy Policy
Effective Date: December 8, 2025
Last Updated: December 8, 2025
NYX KNIGHT (sole proprietor) (“we”, “us”, “our”) operates the Track & Travel mobile app. This Policy explains how we collect, use, share, secure, and delete data in line with India’s DPDP Act 2023, IT Act 2000, GDPR (EU/UK), and CCPA/CPRA (California). Contact: `nyx.ctrlsup30@gmail.com`. Address: Hyderabad, Telangana, India.
We minimize data, keep OCR on-device, and do not sell personal data. The app offers currency conversion, OCR-based price reading (on device), saved locations, trips/expenses, ad-supported access for free users, and premium subscriptions.
### 1) Information We Collect
Only what is needed to provide the service; no biometrics, health data, or payment card data.
- Authentication (optional): email, name, profile image from Google/Apple sign-in (via Supabase).
- Preferences: language and currency selections.
- Subscription metadata: status (active/trial/cancelled), product ID, expiration timestamps (no payment card data—billing stays with app stores).
- Saved locations: coordinates and labels you save.
- Trips and expenses: trip names, expense amounts, currencies, categories, notes.
- Device/app data: device model, OS version, app version, IP address (approximate region for rate reliability), connectivity status.
- Ads (Google Mobile Ads SDK): device/instance identifiers required to serve rewarded ads; we request non-personalized ads by default and do not profile for targeted advertising.
- On-device OCR: camera images/text are processed locally only and not uploaded.
- Diagnostics: minimal crash/error context and request metadata needed to operate the service; retained short term (see retention).
We do not collect contacts, messages, photo library contents (outside explicit picker use), precise GPS unless you choose “use my location” for nearby country selection, or browsing history.
### 2) How We Use Data
- Provide conversions, OCR scanning, saved locations, trips/expenses.
- Authenticate sessions and manage subscriptions (Supabase + RevenueCat).
- Enforce access model (premium/trial vs. ad-supported credits).
- Serve rewarded ads for free users (non-personalized by default).
- Maintain security, prevent abuse, and debug issues.
- Respond to support/rights requests.
- Comply with legal obligations.
We do not use data for targeted advertising or selling.
### 3) Legal Bases
- DPDP: consent for optional features; legitimate use for service delivery, fraud prevention, and legal compliance.
- GDPR: contract necessity; legitimate interests (security/reliability); consent where required; legal obligations.
- CCPA/CPRA: service-provider use only; no “sale” or “sharing” for cross-context behavioral ads.
### 4) Sharing and Processors
No selling. Limited sharing under DPAs:
- Supabase (processor): auth/profile metadata, preferences, subscription status. Security controls (TLS, RBAC, SOC 2/ISO attestations).
- RevenueCat (processor): subscription status metadata; no card data.
- App stores (Google/Apple): billing/receipts per store terms; we do not receive card data.
- Google/Apple OAuth: account email/name/avatar when you sign in.
- Google Mobile Ads SDK: rewarded ads for free users; non-personalized by default.
- Legal compliance: disclosures only when required by law/court order.
### 5) Storage, Security, Transfers
- Storage: Preferences, ad-credit data, and most caches stay on-device. Cloud data (auth, subscription metadata, saved locations, trips/expenses) is stored in Supabase in compliant regions (EU/US). OCR data remains on-device.
- Security: TLS 1.3 in transit; AES-256 at rest via platform services; least-privilege access; MFA for admin; vulnerability monitoring. Report issues to `nyx.ctrlsup30@gmail.com`.
- Transfers: When processed outside your region, we use Standard Contractual Clauses (GDPR) and DPDP-equivalent safeguards plus encryption. No high-risk transfers without protections.
### 6) Retention and Deletion
- Active use: data kept while needed to provide the service.
- Deletion: on verified request, active data is deleted within **30 days**; no backups are retained afterward; irreversible once completed.
- Temporary data: OCR artifacts are ephemeral (deleted immediately); ad-credit/local caches are device-local and user-controllable.
- Legal holds: retained only if lawfully required, then deleted when the obligation ends.
### 7) Your Rights
You may request access, correction, deletion, restriction/objection (where applicable), portability, consent withdrawal, and nominee rights (DPDP). We respond within 30 days (extensions for complex cases). No fee unless requests are excessive.
- How to submit: email `nyx.ctrlsup30@gmail.com` with the subject “Privacy Rights Request - Track & Travel” and include the account email/device ID and verification details.
- Deletion process details: see `Legal_files/Delete Account.md` and the hosted link.
### 8) Children and Age
Because subscriptions/payments are involved, the service is intended for adults (18+). Users under 18 require verifiable parental/guardian consent. We do not knowingly collect data from children under 13; if discovered, we delete it.
### 9) Changes to this Policy
Material changes (e.g., new data uses) will be announced at least 30 days in advance via in-app notice or email (if available). Continued use after the effective date means acceptance. Historical versions are available on request.
### 10) Contact and Grievance
- Email: `nyx.ctrlsup30@gmail.com`
- Address: Hyderabad, Telangana, India
- Escalation: DPDP Board (India), relevant EU/UK authority, or CPPA (California), as applicable.
We design Track & Travel to process as little data as possible while delivering the service. © 2025 NYX KNIGHT.