Privacy Policy

PRIVACY POLICY

Updated at April 21st, 2026

This Privacy Policy describes how OnTheRoad processes the personal data of users of the OnTheRoad mobile application (the "App" or the "Service") pursuant to Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (the "Italian Privacy Code").

By using the App, you confirm that you have read and understood this Privacy Policy. Consent-based processing is obtained separately, when you register or when you first enable the specific feature.

1. Data Controller

The data controller is Arjola Sulcaj, an Italian sole proprietorship.

Business address: Milan, Italy
Italian VAT number (P.IVA): 14686910960
Privacy email: privacy@ontheroads.app
Support email: support@ontheroads.app

No Data Protection Officer (DPO) has been appointed because the processing does not fall within the mandatory cases set out in Article 37 GDPR. For any data-protection request, please write to privacy@ontheroads.app.

2. Definitions

Personal data: any information relating to an identified or identifiable natural person (Article 4 GDPR).
Processing: any operation performed on personal data (collection, storage, access, modification, erasure, etc.).
User / You: the natural person using the App, whether as a Participant or as a trip Organizer.
Organizer: a user who creates and manages trips on the Platform and may receive payments through our payment processor.
Participant: a user who joins a trip organized by another user.
App / Service: the OnTheRoad mobile application distributed via the App Store and Google Play.
Processor: a third-party vendor that processes personal data on behalf of the Controller under an agreement pursuant to Article 28 GDPR.

3. What data we collect

Data you provide directly during registration or profile update:

name / username
email address
phone number (optional, not shown on public profile)
date of birth
spoken languages (optional)
city of residence (optional), country code (ISO-3166-1 alpha-2), continent and geographic coordinates (latitude/longitude) of the selected city — derived from an OpenStreetMap-based geocoding service (Photon/Komoot) when you pick a city from the autocomplete. Used to display residence on the public profile (which can be disabled in privacy settings) and for aggregated statistics
bio, profile picture, cover image, nickname and social links (optional)
travel preferences and preferred destinations
password (stored hashed using industry-standard algorithms, never in plaintext)

Data generated through use of the App:

trips you create, trips you join, messages exchanged in trip discussions, follows/followers, reviews left for Organizers;
technical logs necessary for service operation (IP address, access timestamp, device type, App version), kept only as long as strictly necessary for security and debugging;
push-notification tokens (APNs for iOS, FCM for Android), generated by the device operating system.

Optional device permissions you grant:

Camera: allows you to take and upload photos directly from the App (for profile picture, cover image, trip images).
Photo library: allows you to upload existing photos from your device.
Location (while in use): allows your position indicator to be shown on the map while you select the destination of a trip. Location is processed locally by the iOS/Android operating system and is not transmitted to or stored on OnTheRoad servers.

All of the permissions listed above are optional and can be revoked at any time from the device system settings, without preventing the general functioning of the App.

Payment data: when a Participant pays a trip fee, card details are entered directly into the interface of our payment processor Stripe and never transit through OnTheRoad servers. See Section 9 for details.

4. Special categories of data (Article 9 GDPR)

OnTheRoad does not request or intentionally process special categories of personal data under Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation).

If you spontaneously choose to enter, in your bio or in discussion messages, information falling within the special categories of Article 9 GDPR, processing is based on your explicit consent (Article 9(2)(a) GDPR) and is limited to display within the App. We recommend that you do not enter special-category data that is not strictly necessary for the purpose of organising the trip.

5. Purposes and legal bases for processing

We process your personal data for the following purposes, each relying on the legal basis indicated:

(a) Service delivery — creation and management of the account, publication of the profile, creation of and participation in trips, group discussions, in-app notifications.
Legal basis: performance of a contract to which you are party (Article 6(1)(b) GDPR).
(b) Payments and refunds — processing of participation fees, application of the platform commission, execution of refunds in case of cancellation or no-show.
Legal basis: performance of the contract (Article 6(1)(b) GDPR).
(c) Tax and accounting obligations — issuance of tax documentation, retention of accounting records, DAC7 reporting to the Italian Revenue Agency (see Section 14).
Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR), pursuant to Article 2220 of the Italian Civil Code and Legislative Decree 32/2023.
(d) Platform security and fraud prevention — monitoring of access, detection of abuse, moderation of reported content, blocking of fraudulent accounts.
Legal basis: legitimate interest of the Controller in the security of its users and service (Article 6(1)(f) GDPR).
(e) Service communications — transactional emails (registration confirmation, password reset, trip notifications, payment receipts).
Legal basis: performance of the contract (Article 6(1)(b) GDPR).
(f) Push notifications — delivery of device notifications relating to messages, trips, profile activity.
Legal basis: user consent expressed through the device-level system permission (Article 6(1)(a) GDPR), revocable at any time from system settings.
(g) Analytics and diagnostics — use of error-monitoring (Sentry) and product-analytics (Mixpanel) tools to improve App stability and functionality. Data is pseudonymised (numeric user ID).
Legal basis: legitimate interest of the Controller in improving the service (Article 6(1)(f) GDPR); you have the right to object at any time by writing to privacy@ontheroads.app.
(h) Legal defence and response to authority requests — retention of data needed to establish, exercise or defend legal claims; compliance with orders from judicial or public-safety authorities.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) and legal obligation (Article 6(1)(c) GDPR).

We do not use your data for automated profiling that produces legal effects (Article 22 GDPR), nor for third-party marketing, nor for behavioural advertising.

6. External data processors

To provide the Service we rely on selected third-party vendors with whom we have entered into agreements pursuant to Article 28 GDPR. Each vendor processes data only on our behalf and according to our written instructions:

Stripe Payments Europe, Ltd. (Ireland) — payment processing, Stripe Connect onboarding of Organizers, identity verification, custody of banking data. Stripe acts as a Processor for transaction data processed on behalf of OnTheRoad, and as an independent Controller for KYC/AML data of Organizers, in compliance with its own regulatory obligations (anti-money laundering, customer identification). Policy: stripe.com/privacy.
Google Cloud EMEA Limited (Ireland) — hosting of backend infrastructure and database. Processing regions primarily within the EU. Policy: cloud.google.com/terms/cloud-privacy-notice.
Resend, Inc. (United States) — delivery of transactional emails (registration, password reset, receipts, notifications). Extra-EU transfer covered by Standard Contractual Clauses (SCC) and, where applicable, EU-US DPF. Policy: resend.com/legal/privacy-policy.
Cloudflare, Inc. (United States) — DNS management for the ontheroads.app domain and inbound email routing. Cloudflare may process user IP addresses for network security and attack mitigation purposes. Extra-EU transfer covered by SCC and, where applicable, EU-US DPF. Policy: cloudflare.com/privacypolicy/.
Apple Inc. (United States) — Apple Push Notification service (APNs) infrastructure for iOS. The push token is an opaque identifier and does not contain personal information in clear text. Extra-EU transfer covered by SCC and, where applicable, EU-US DPF. Policy: apple.com/legal/privacy/.
Google LLC (United States) — Firebase Cloud Messaging (FCM) push infrastructure for Android. The push token is an opaque identifier. Extra-EU transfer covered by SCC and, where applicable, EU-US DPF. Policy: firebase.google.com/support/privacy.
Expo, Inc. (United States) — App build and over-the-air update platform. Does not receive personal data of end users; processes only our developer data. Policy: expo.dev/privacy.
Sentry, Inc. (United States) — error tracking for the App and backend. Data sent is pseudonymised (user ID, not name/email). Extra-EU transfer covered by SCC. Policy: sentry.io/privacy/.
Mixpanel, Inc. (United States) — product analytics. Data is pseudonymised (numeric distinct ID). Extra-EU transfer covered by SCC. Policy: mixpanel.com/legal/privacy-policy/.
Komoot GmbH (Germany) — Photon geocoding service based on OpenStreetMap, used for city-of-residence search. Policy: komoot.com/privacy.
Hi Tally BV (Belgium) — collection of voluntary user feedback via an external form accessible from the App. Tally processes only the data the user chooses to enter in the form (free text and, if provided, a contact email). Data storage exclusively in the EU. Policy: tally.so/help/privacy-policy.

An up-to-date list of processors is available on request at privacy@ontheroads.app. We do not sell or share your personal data with advertisers, data brokers or commercial partners.

7. Transfers of data outside the EU

Some of our vendors are based in the United States (Resend, Cloudflare, Sentry, Mixpanel, Expo) or use infrastructure that may involve transfers of data outside the European Economic Area. For such transfers we apply the safeguards provided by Chapter V GDPR:

EU-US Data Privacy Framework (DPF) — where the vendor is certified under the adequacy Decision adopted by the European Commission on 10 July 2023;
Standard Contractual Clauses (SCC) approved by the European Commission under Decision 2021/914, supplemented by appropriate technical and organisational measures where necessary.

You may request a copy of the safeguards in place by writing to privacy@ontheroads.app.

8. Retention periods

We retain personal data only for the time strictly necessary for the purposes for which it was collected, and in any event:

Account data (profile, password hash, preferences): for the entire duration of the account. Upon account deletion, data is removed from production systems within 30 days and from backups within a further 90 days.
Public content (trips, messages, reviews): upon account deletion the user's content is anonymised (attributed to "Deleted user") to preserve the coherence of trip discussions and reviews already left for other users.
Payment and transaction data (amount, date, fee, commission): 10 years from the date of the transaction, pursuant to Article 2220 of the Italian Civil Code and applicable Italian tax legislation. Card data is NEVER retained by OnTheRoad (see Section 9).
Data subject to DAC7 reporting (transmitted XML file, Entratel receipt): 10 years from the date of transmission, pursuant to Article 2220 of the Italian Civil Code and Legislative Decree 32/2023.
Technical access and security logs: up to 30 days, unless longer retention is required for investigation of security incidents.
Support emails: 24 months from the last interaction.
Data retained for legal defence: until expiry of the statute of limitations for the relevant rights (generally 10 years under Article 2946 of the Italian Civil Code).

9. Payment data

All payments made through the App are processed by Stripe Payments Europe, Ltd., a payment processor certified PCI-DSS Level 1, the highest level of certification for payment-data security.

Credit or debit card details (PAN, CVV, expiry date) are entered directly into Stripe's secure interface and never transit through nor are stored on OnTheRoad servers. We receive from Stripe only an opaque token, the amount, the date and the status of the transaction.

For Organizers who receive payments, onboarding (identity verification, document upload, bank-account data) takes place on the Stripe Connect platform. Such data is processed by Stripe as an independent controller for the purposes of customer identification (KYC) and anti-money laundering (AML) required by applicable law.

10. Security measures

We adopt appropriate technical and organisational measures, as required by Article 32 GDPR, to protect data against unauthorised access, loss, destruction or disclosure. In particular:

transmission of data between App and backend exclusively over an encrypted TLS 1.2+ channel (HTTPS);
passwords stored using a strong hashing algorithm, never in plaintext;
stateless authentication via JSON Web Tokens (JWT) with expiration;
rate limiting on sensitive endpoints to prevent abuse;
database access protected by separate credentials, least-privilege principle;
regular, encrypted backups;
automated error monitoring via Sentry.

No system is fully secure. In the event of a personal-data breach posing a risk to the rights and freedoms of data subjects, we will comply with the notification obligation to the Italian Data Protection Authority within 72 hours and with communication to affected users, pursuant to Articles 33 and 34 GDPR.

11. Minors

The App is reserved for persons who have reached 18 years of age, consistently with our Terms and Conditions. We do not knowingly collect personal data of persons under the age of 18. If we become aware that an account has been created by a minor, we will close it and delete data processed without an adequate legal basis.

If you are a parent or guardian and believe that a minor has provided personal data to the App, please write to privacy@ontheroads.app.

12. Local storage technologies

OnTheRoad is a native mobile application and does not use profiling cookies or third-party tracking cookies. The App uses only on-device local storage (AsyncStorage / SecureStore) to save:

the JWT authentication token, required to keep the session active;
the selected language and certain interface preferences;
a temporary cache of data already received from the server, to improve responsiveness.

Uninstalling the App removes this data from the device.

13. Your rights

As a data subject, under Articles 15 to 22 GDPR you have the right to:

Access (Article 15): obtain confirmation that your data is being processed and receive a copy of it;
Rectification (Article 16): obtain correction of inaccurate data or completion of incomplete data;
Erasure (Article 17): obtain deletion of data, subject to tax and DAC7 retention obligations;
Restriction (Article 18): request the restriction of processing in the cases provided by law;
Portability (Article 20): receive, in a structured, commonly used and machine-readable format, the data you have provided and, where technically feasible, transmit it to another controller;
Objection (Article 21): object to processing based on legitimate interest (in particular for analytics and diagnostics);
Withdrawal of consent: where processing is based on consent, you may withdraw it at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal.

How to exercise your rights. You can exercise your rights:

from the App settings (edit profile, privacy management, account deletion);
by writing to privacy@ontheroads.app.

We will respond to your request within one month, extendable to up to three months in cases of particular complexity. We may ask you to verify your identity before acting on the request. Exercising your rights is free of charge; we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests (Article 12(5) GDPR).

Complaint to the supervisory authority. Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome, website www.garanteprivacy.it, pursuant to Article 77 GDPR, or with the supervisory authority of your habitual residence in the EU.

14. Mandatory Reporting to the Italian Revenue Agency (DAC7 Directive)

If you use our Services as an Organizer and receive payments through the Platform, please be advised that OnTheRoad is required by law to report certain data concerning you to the Italian Revenue Agency (Agenzia delle Entrate) on an annual basis. This obligation arises from Italian Legislative Decree No. 32 of 1 March 2023, which transposes Council Directive (EU) 2021/514 (commonly known as "DAC7") and applies to all digital platforms operating within the European Union.

If you use the Platform exclusively as a Participant, without receiving payments, this section does not apply to you.

What data we report

For Organizers subject to the reporting obligation, we report the following data:

first name, last name or company name;
residential address or registered office;
tax identification number and/or VAT number, where applicable;
date and place of birth (for natural persons);
EU Member State of tax residence;
financial account identifier (IBAN) to which payments are credited;
number of transactions and total amount received on the Platform during the year, broken down by quarter;
commissions and taxes withheld by us.

This is the same data you provide during onboarding on our payment processor Stripe. In accordance with the principle of data minimisation set forth in Article 5(1)(c) of the GDPR, OnTheRoad does not duplicate or permanently store in its own databases the identification, tax or banking data required for DAC7 reporting. Such data remains held by Stripe Payments Europe, Ltd., acting as an independent data controller for identity verification and anti-money laundering purposes. OnTheRoad accesses this data on-demand, once a year only, exclusively to generate the annual report to the Italian Revenue Agency. Upon completion of processing, OnTheRoad retains in its own records only the XML file transmitted and the receipt issued by the Revenue Agency.

When reporting is excluded

You are excluded from reporting if, during the calendar year, you cumulatively completed fewer than 30 transactions and received total payments not exceeding €2,000. If you exceed even one of these two thresholds, your data falls within the reporting obligation.

Legal basis and retention period

The legal basis for processing is compliance with a legal obligation, pursuant to Article 6(1)(c) of Regulation (EU) 2016/679 (GDPR), in implementation of Legislative Decree 32/2023. Your consent does not constitute the legal basis for processing: any withdrawal of consent or closure of your account does not exempt OnTheRoad from the obligation to report data relating to the period during which you operated on the Platform.

The documents retained for 10 years from the date of transmission, in accordance with Article 2220 of the Italian Civil Code and applicable tax legislation, are exclusively the XML file actually transmitted to the Revenue Agency and the transmission receipt. The underlying identification and banking data remains held by Stripe under the Stripe terms of service and is not stored in duplicate by OnTheRoad.

Method and timing

Reporting takes place annually by 31 January of the year following the reference year, electronically through the official channels of the Italian Revenue Agency dedicated to DAC7 reporting (Entratel/Fisconline or SID, depending on the reporting party). The Italian Revenue Agency will then carry out the automatic exchange of information with the tax authorities of other EU Member States, as provided for by the DAC7 Directive.

By 31 January of each year, we will send you via email a PDF copy of the data concerning you that has been transmitted. The same document will be available in your personal area on the Platform.

Your obligations

To enable us to correctly fulfil the reporting obligation, you undertake to:

provide truthful, complete and up-to-date data during onboarding on the Stripe payment platform;
promptly update your data in the event of relevant changes (for example, change of residence, opening of a VAT number, change of bank account);
respond within the stated deadlines to any requests for supplementary documentation from OnTheRoad.

In the event of failure to respond within 60 days of the second reminder, OnTheRoad reserves the right to temporarily suspend payments to you until the situation is regularised.

Limitations on your rights

Given the legal obligation nature of the processing, certain data subject rights under the GDPR are limited in relation to data subject to DAC7 reporting. In particular, the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR) and the right to object (Article 21 GDPR) cannot be exercised with respect to data reported or to be reported to the Revenue Agency until the expiry of the 10-year retention period.

The right of access (Article 15 GDPR) and the right to rectification (Article 16 GDPR) remain fully exercisable, the latter being exercisable before the annual data transmission. You also retain the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

Organizers with tax residence outside the EU

If you are a tax resident in a state outside the European Union, we may request the documentation necessary to verify your non-EU tax residence. In that case, DAC7 reporting does not apply, but you remain solely and exclusively responsible for the tax obligations of your country of residence.

Important clarification

DAC7 reporting does not replace your personal tax filings. You remain solely responsible for the correct fulfilment of tax obligations relating to payments received on the Platform. For clarification on your tax position, we encourage you to consult your tax adviser.

15. Links to other sites and services

The App may contain links to third-party sites or services (for example, social links entered by the user in their profile, public information pages). OnTheRoad is not responsible for the privacy practices of such third parties. Please review their respective policies.

16. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes to the Service, to our vendors or to applicable law. In the event of substantive changes, we will notify you through the App or by email with reasonable notice before they take effect. The most up-to-date version is always available inside the App and at api.ontheroads.app/privacy-policy/. The date of last update is shown at the top of the document.

17. Governing law and jurisdiction

This Privacy Policy is governed by Italian law and the GDPR. For any dispute concerning the processing of personal data, the court of the place of residence or domicile of the data subject has jurisdiction where the data subject is a consumer, in accordance with the provisions of the Italian Consumer Code (Legislative Decree 206/2005); the right to lodge a complaint with the Italian Data Protection Authority is without prejudice.

18. Sign-in via third-party providers (Google, Apple)

The OnTheRoad App allows sign-in via Google Sign-In and Sign in with Apple. When you choose to use either service, we receive from the respective provider the identifying data needed to create or recognize your account.

Data received from Google: verified email address, first and last name (if available), profile picture URL (if any), unique Google identifier («sub» claim), system locale.

Data received from Apple: verified email address (potentially in the form of a privacy relay alias such as «@privaterelay.appleid.com»), first and last name (provided only on the first sign-in), unique Apple identifier («sub» claim). Apple never provides a profile picture.

What we do NOT store: provider access tokens are never persisted. Identity verification happens on each sign-in by querying the provider directly; OnTheRoad does not call Google or Apple APIs on your behalf in any other context.

Legal basis: performance of the contract (art. 6.1.b GDPR) for account creation and management; legitimate interest in fraud prevention and security (art. 6.1.f GDPR) for provider identity verification.

International transfers: Google LLC and Apple Inc. are independent controllers based in the United States. Data transfers occur under the Standard Contractual Clauses adopted by the EU Commission and the applicable adequacy frameworks. For more details on Google's and Apple's data processing practices please consult:

Google Privacy Policy: policies.google.com/privacy
Apple Privacy Policy: apple.com/legal/privacy

Right to disconnect: at any time you can unlink your Google or Apple account from the «Linked accounts» section of your profile. Unlinking keeps your OnTheRoad account active provided you have set a password; otherwise, the App will prompt you to set one before proceeding so you do not lose access.

19. Contact

For any question or request concerning the processing of your personal data you can contact us:

Privacy email: privacy@ontheroads.app
General support email: support@ontheroads.app
Data Controller: Arjola Sulcaj — Italian VAT 14686910960 — Milan, Italy