Privacy policy

Rienly is a tool for logging your driving — kilometres, trips, and odometer readings. We hold the minimum data needed to provide that service, host it in the EU, and we do not sell your personal data. The sections below explain exactly what we collect, why, who we share it with, and what rights you have.

The data controller responsible for your personal data is RIEN Network AB (org.nr 559323-5277), registered at Bockhornsvägen 5, 58732 Linköping, Sweden. You can reach us about anything in this policy at privacy@rienly.com.

We have not designated a Data Protection Officer (we are a small operator); the contact email above handles all privacy requests, including those under Quebec Law 25 where it serves as the privacy officer contact.

• Provide the core mileage-logging service.

• Process subscriptions and verify your entitlement to premium features.

• Detect and prevent fraud against our subscription system.

• Diagnose crashes and improve reliability.

• Understand which features are used so we can prioritise development (only if you have not opted out of analytics).

• Show banner advertising to free-tier users so the service can sustain itself; Premium and trial users see no ads.

• Comply with legal obligations, such as tax records and lawful information requests.

• Contract (Art. 6(1)(b)): your account, settings, driving log, GPS data, and payment metadata.

• Consent (Art. 6(1)(a)): PostHog analytics; website analytics cookies (Google Analytics on rienly.com); turning on GPS tracking; personalized advertising via Google AdMob (free tier only — non-personalized contextual ads run on legitimate-interest basis). You can withdraw consent at any time from Settings, or for website cookies via the Cookie settings link on rienly.com.

• Legitimate interest (Art. 6(1)(f)): Sentry crash reports, security audit logs, non-personalized contextual advertising on the free tier.

• Legal obligation (Art. 6(1)(c)): tax-related subscription records, response to lawful information requests.

We use the following sub-processors. Each receives only what it needs for the stated purpose.

• Supabase — EU (Ireland). All your app data: database, authentication, edge functions, file storage.

• Apple App Store — receipt JWS for subscription validation.

• Polar — Android subscription processing; receives your Supabase user ID and plan information.

• Mapbox — bounding-box coordinates for generating static map thumbnails of your trips.

• Google — OAuth ID token, only when you choose Sign in with Google.

• Google AdMob — banner advertising on the free tier only; receives your device's advertising identifier (where allowed), IP address, device model and OS, and the screen the ad appeared on. See the next section for full details.

• Sentry — stack traces tagged with your account ID, EU-hosted.

• PostHog — anonymous events, EU-hosted; opt-out available in Settings.

• Google Analytics — website (rienly.com) traffic analytics, loaded only if you accept the cookie banner; receives a randomly-generated visitor ID, the pages you view, and a truncated IP for approximate region. Never linked to your Rienly account.

We do not sell personal data to anyone. Free-tier users see banner advertising provided by Google AdMob; the data flow is described in the next section. Premium subscribers and accounts in the 7-day Premium trial are ad-free.

Free-tier users see banner advertising in Rienly. Premium subscribers and accounts in the 7-day Premium trial do not see ads. Ads are provided by Google AdMob.

What is shared with Google AdMob when an ad is shown:

• Your device's advertising identifier (IDFA on iOS, GAID on Android) — only if you have allowed App Tracking on iOS and have not opted out of personalized ads in the consent form.

• Your IP address — used by Google for fraud prevention, frequency capping, and coarse geolocation.

• Which Rienly screen and slot requested the ad.

• Your device model, operating system version, and time zone.

What is NOT shared with Google AdMob: your email, your Rienly account ID, your driving log, your trips, your GPS data, your odometer values, photos, or notes. None of your driving content ever leaves our systems for advertising purposes.

Personalized vs non-personalized ads. The first time an ad is about to load, Google's User Messaging Platform (UMP) asks whether Rienly may share data with advertising partners for personalized ads. If you decline — or if you have denied App Tracking on iOS — you still see ads, but Google delivers non-personalized ones based only on context (which screen, which country) rather than a profile.

How to change your mind. Settings → Legals → Advertising preferences re-opens the consent form. On iOS, Settings.app → Rienly → Allow Tracking flips the system-level switch.

How to remove ads completely. Subscribe to Premium.

Google's privacy policy applies to data Google receives: https://policies.google.com/privacy. Google's role as a controller for advertising-identifier processing is described there and at https://policies.google.com/technologies/partner-sites.

This section covers the Rienly marketing website at rienly.com. It does not apply to the mobile app, which sets no cookies and uses the separate, anonymous analytics described above.

No cookies until you accept. On your first visit the website shows a cookie banner. Nothing is loaded and nothing is sent to Google until you choose Accept. Your theme choice and your cookie choice are kept in your browser's local storage (not cookies) and are never transmitted to us or anyone else.

Google Analytics 4. If you accept, we load Google Analytics 4 (measurement ID G-GXJ52EQ4TV) to understand how the site is used — pages viewed, rough traffic volume, the referring site, and an approximate region derived from a truncated IP address. Google then sets two cookies, _ga and _ga_<id>, lasting up to two years, holding a randomly-generated visitor ID. We never receive your full IP address, name, or email through Analytics, and Analytics data is never linked to your Rienly account.

Consent and how to change it. We use Google Consent Mode v2 with all storage set to denied by default. Rejecting is exactly as easy as accepting, and you can change your mind any time through the Cookie settings link in the website footer. Declining has no effect on your use of the site.

Legal basis. Your consent (GDPR Art. 6(1)(a)) and the consent requirement for storing or reading cookies under the ePrivacy Directive as implemented in Sweden (lagen om elektronisk kommunikation). Google acts as our processor for Analytics under Google's data-processing terms; data may be processed in the United States under the EU-US Data Privacy Framework (Google is certified) and the Standard Contractual Clauses. Google's privacy policy: https://policies.google.com/privacy.

Some of the sub-processors above are based in the United States (Polar, Google, Google AdMob, Mapbox). Transfers of personal data to these processors are covered by the Standard Contractual Clauses adopted by the European Commission, and / or the EU-US Data Privacy Framework where the processor is certified. If you are in the EU, EEA, or UK and would like a copy of the relevant safeguards, contact us at the email above.

• Account, settings, cars, trips, readings, subscription state: for the life of your account.

• Free-tier accounts inactive for more than 2 years (no driving data logged in that period): automatically deleted via a daily server-side job. Premium subscribers and accounts still in their 7-day trial are excluded.

• Raw GPS points: 60 days, then automatically deleted; map thumbnails kept indefinitely.

• Subscription and security audit events: retained long-term for fraud detection and tax records.

• Billing and invoice records for paid subscriptions: 10 years per Swedish Bokföringslagen and equivalent EU rules. These records are held by Apple (iOS purchases) and Polar (Android purchases), not by RIEN Network AB.

• Analytics events (PostHog): per PostHog default retention.

When you delete your account from Settings → Account → Delete account, all account-bound data is erased via Supabase cascade deletion. Audit and security log rows are anonymised (your user ID is removed) and retained for fraud-detection purposes only.

Rienly is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe a child has signed up, contact us at the email above and we will delete the account.

• All data in transit is protected by TLS.

• Supabase row-level security gates every read and write to the user who owns the row.

• Passwords are hashed by Supabase Auth — we never see them in plaintext.

• Backend secrets live in Supabase's secret store, not in source code.

• Databases and observability backends are EU-hosted.

• Employee access is limited to what is necessary; no third party has access for marketing or research purposes.

We do not engage in automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22; Quebec Law 25 §12.1).

If we make material changes to this policy, we will announce them in the app on next launch and update the effective date at the top of this screen. Continued use of the app after a material change indicates acceptance of the updated policy.

RIEN Network AB (org.nr 559323-5277)

Bockhornsvägen 5, 58732 Linköping, Sweden

privacy@rienly.com

Swedish data protection authority: Integritetsskyddsmyndigheten (IMY), https://www.imy.se.