Privacy Policy
Introduction
Reveal is operated by OVVA, s.r.o., a company registered in Slovakia. At Reveal, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.
Short Version
- We collect precise GPS location data only during active workouts, with your explicit consent, to track your routes and fitness activities.
- We use OpenStreetMap and Nominatim for map display and location naming (e.g., "Bratislava, SK"). No personal data is shared with them.
- Some third parties like Facebook and Twitter may know you visited this website if you use their services. We can't control them but we don't believe this knowledge poses any threat to you.
- If you sign up with us we take great care to keep your information safe and we'll never share it with others without your express permission.
- We never share your data with third parties except to help us deliver our own services.
- We will never provide your personal information or email address to any third parties for marketing purposes.
These are just the key points. If you need detail, keep reading.
Legal Basis for Processing
We process your personal data under the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)): For precise GPS location tracking, activity photos, marketing communications, and third-party integrations (Strava, Google).
- Contract Necessity (Art. 6(1)(b)): To provide your account, store your workout history, and deliver core app features you request.
- Legitimate Interest (Art. 6(1)(f)): For app analytics, fraud prevention, security monitoring, and service improvement — limited to non-identifiable or aggregated data where possible.
You may withdraw consent at any time in your account settings. Withdrawing consent for location data will disable GPS tracking, but you may still use non-location features of the app.
Information We Collect
We may collect information about you in various ways:
- Personal Data: Name, email address, and other contact information when you register for an account.
- Location Data: With your explicit consent, we collect precise GPS location data during active workouts. See the detailed Location Data section below.
- Usage Data: Information about how you use our application, including your interactions with features and content.
- Device Information: Information about your mobile device, including device type, operating system, and unique device identifiers.
Location Data
Location data is the core of our service. We collect:
| Data Type | When | How Long |
|---|---|---|
| Precise GPS coordinates (latitude, longitude) | During active workout recording, only while the app is in foreground | Retained as part of your workout history until you delete it |
| Timestamp | With each GPS coordinate | Same as above |
| Speed, elevation, heading | Derived from GPS during recording | Same as above |
| Route geometry (polyline of your path) | Synthesized from GPS points after workout ends | Same as above |
| Location name(e.g., "Bratislava, SK") | Reverse geocoded via Nominatim after workout ends | Same as above |
We do NOT collect location data:
- When the app is closed or in background, unless you explicitly start a workout and keep the app active
- Continuously or passively throughout the day
- From your device when location permissions are disabled
How we use location data:
- To record, display, and analyze your workout routes on the map
- To calculate distance, pace, elevation gain, and other fitness metrics
- To generate your personal "explored territory" heatmap
- To compare your routes with historical explorer journeys (aggregated, not shared)
- To label your activities with location names via reverse geocoding
Your control:
- You can disable GPS tracking in app settings or via your device's location permissions
- You can delete individual workouts or your entire account (see Right to Erasure below)
- Workouts can be marked as private (visible only to you) or public (visible to the Reveal community)
Health Data
Reveal does not generate or collect health data from your device sensors. We do not have access to your smartwatch, fitness band, or phone sensors for heart rate, blood oxygen, or other biometric measurements.
However, when you upload workout files (GPX, FIT, TCX, or via integrations like Strava) that were created by other apps or devices (such as smartwatches, bike computers, or fitness trackers), those files may contain health-related data. By uploading such a file to Reveal, you grant us access to process any health data contained within it.
Types of Health Data We May Process
| Data Type | Source | Purpose |
|---|---|---|
| Heart rate | Uploaded workout files (GPX, FIT, TCX) or Strava import | Displayed on activity charts and used for intensity zone analysis |
| Power / wattage | Uploaded workout files or Strava import | Displayed for cycling activities |
| Cadence | Uploaded workout files or Strava import | Displayed for running and cycling activities |
We do NOT:
- Collect heart rate or health data from your device sensors directly
- Use health data for medical diagnosis, treatment, or advice
- Share health data with third parties for marketing or advertising
- Sell or monetize health data in any form
Legal Basis for Health Data Processing
Processing of health data is based on explicit consent under GDPR Article 9(2)(a). This is separate from and in addition to your consent for location data processing under Article 6.
Before you upload your first workout file containing health data, we display a prominent in-app disclosure requiring your affirmative action. You must explicitly check a box stating:
"I explicitly consent to the processing of my health data (heart rate, power, cadence) contained in uploaded workout files for the purpose of displaying and analyzing my activities in Reveal."
This checkbox is not pre-ticked. You may withdraw this consent at any time in your account settings.
Your Control Over Health Data
- You can grant or withdraw health data consent independently from other permissions
- Withdrawing health data consent will hide heart rate, power, and cadence from your activities, but will not delete the underlying workout files
- To permanently remove health data, delete the individual workout or your entire account
- You can upload workout files without granting health data consent — GPS route and basic metrics will still display, but heart rate and similar data will be ignored
In-App Disclosures
Before collecting location data, we display a prominent in-app disclosure that:
- Clearly states that we collect precise GPS location data during workouts
- Explains that this data is used to record routes, calculate fitness metrics, and generate your personal map
- Requires your affirmative action (tapping "Allow" or "Start Workout") to proceed
This disclosure is separate from your device's permission dialog and our privacy policy. You must acknowledge it before location collection begins.
Cookies and Tracking Technologies
We use cookies and similar technologies to provide, protect, and improve our services. This section explains what we use, why, and how you can control it.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website or use an app. We also use similar technologies such as localStorage, sessionStorage, and device identifiers.
Types of Cookies We Use
| Category | Purpose | Examples | Consent Required? |
|---|---|---|---|
| Necessary | Essential for the app and website to function | Authentication tokens, session management, security | No |
| Analytics | Understand how users interact with our service | Google Analytics 4 | Yes |
| Functional | Remember preferences and settings | Language preference, dark mode | Yes |
Specific Cookies and Technologies
| Name / Provider | Type | Purpose | Duration |
|---|---|---|---|
sb-access-token (Supabase) | Necessary | Authentication session | Session |
sb-refresh-token (Supabase) | Necessary | Maintain login session | 7 days |
| Google Analytics 4 | Analytics | Website usage statistics | 2 years |
| Firebase | Analytics / Functional | App analytics, crash reporting, push notification tokens | Varies |
Your Choices
- Necessary cookies cannot be disabled without affecting app and website functionality.
- Analytics and functional cookies are only activated after you grant consent via our cookie consent banner or in-app dialog.
- You can withdraw or modify your consent at any time via the cookie settings in our app or by clearing cookies in your browser or device settings.
How to Manage Cookies
- In the app: Visit Settings → Privacy → Cookie Preferences
- In your browser:Most browsers allow you to refuse or delete cookies. Check your browser's help section for instructions.
- Google Analytics opt-out: You can install the Google Analytics Opt-out Browser Add-on.
Legal Basis
- Necessary cookies: Legitimate interest (Article 6(1)(f) GDPR) — essential for service provision and security
- Analytics and functional cookies: Consent (Article 6(1)(a) GDPR) — collected via cookie banner before activation
Data Retention
We retain your data only as long as necessary:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account profile | Until account deletion | Contract necessity |
| GPS workout tracks | Until deletion by you or account deletion | Your choice — this is your data |
| Health data (HR, power, cadence) | Until deletion of the workout or account deletion | Your choice — stored as part of the uploaded file |
| Photos attached to workouts | Until deletion by you or account deletion | Your choice |
| Aggregated/anonymized stats | Indefinitely (after anonymization) | Legitimate interest in service improvement |
| Account deletion requests | 7 days (grace period), then permanent | GDPR compliance |
| Server logs (IP, device info) | 90 days | Security and fraud prevention |
| Marketing consent records | Until consent withdrawal + 3 years | Legal obligation (Slovak law) |
After the retention period expires, data is permanently deleted or irreversibly anonymized.
International Data Transfers
Your primary data is stored on servers located in the European Union (Stockholm, Sweden via Supabase; EU-based Vercel edge functions). However, some of our subprocessors may process data:
| Subprocessor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Primary database & authentication | EU (Stockholm, Sweden) | EU data residency |
| Vercel | Web application hosting & edge functions | EU (Stockholm, Sweden) | EU data residency |
| OpenStreetMap (OSMF) | Map tiles | Global CDN | No personal data transmitted; tile requests are anonymous |
| Nominatim (OSMF) | Reverse geocoding | EU / Global | No personal data transmitted; only anonymized coordinates |
| Sentry | Error monitoring & crash reporting | EU (Germany) | EU data residency; DPA in place |
| Google Analytics 4 | Website analytics | EU (via Google EU data processing) | Google EU Data Processing Terms; IP anonymization enabled |
| Firebase Cloud Messaging (FCM) | Push notifications | Global (Google infrastructure) | Google EU Data Processing Terms; device tokens only; no message content stored |
| Cloudflare Turnstile | Bot protection on sign-in, sign-up & password reset | Global (Cloudflare edge network) | No advertising use; governed by Cloudflare's Turnstile Privacy Addendum |
We ensure all processing is protected by appropriate safeguards under GDPR Chapter V. For services where data may transit outside the EEA, we rely on EU Commission-approved Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements (DPAs) with each provider. You may request a copy of these safeguards by contacting our DPO.
Important: When you view maps in Reveal, your device requests map tiles from OpenStreetMap servers. These requests include your IP address (standard for all web requests) but no account or personal identifiers. OpenStreetMap does not receive your GPS tracks, workout data, or identity. Reverse geocoding via Nominatim sends only the approximate center coordinate of your workout area, not your full route or identity.
Bot protection:We use Cloudflare Turnstile to protect sign-in, sign-up and password reset from automated abuse, including in invisible mode where no challenge is shown. To distinguish humans from bots, Turnstile may process limited device and network signals (such as your IP address and browser characteristics); Cloudflare does not use this data for advertising or profiling. This processing is described in Cloudflare's Turnstile Privacy Addendum.
Data Protection Officer (DPO)
As our core activities involve large-scale systematic monitoring of location data, we have appointed a Data Protection Officer (DPO) in accordance with GDPR Article 37.
Contact our DPO:
- Email: dpo@revealapp.eu
- Postal: OVVA, s.r.o., Staré Grunty 18, 841 04 Bratislava - Karlova Ves, Slovakia
You may contact our DPO regarding:
- Questions about this privacy policy
- Exercising your GDPR rights
- Concerns about how we process your personal data
- Data breach notifications
Our DPO is registered with the Slovak Office for Personal Data Protection.
Google User Data
When you choose to connect your Google account to Reveal, we request access to specific types of Google user data to enhance your experience. Below is a clear description of what data we access and how we use it:
Data We Access from Google
- Email Address: We access your Google account email address to create and authenticate your Reveal account.
- Profile Information: We may access your basic profile information (name, profile picture) to personalize your Reveal experience.
How We Use Google User Data
- Account Creation and Authentication: Your Google email is used to create your Reveal account and authenticate your login sessions.
- Profile Setup: Your name and profile picture are used to set up your Reveal profile, which you can modify at any time.
- Service Communication: Your email may be used to send important service notifications, security alerts, and updates about your Reveal account.
Data Sharing and Third-Party Access
We do not sell, rent, or share your Google user data with third parties for marketing or advertising purposes. Your Google user data is used exclusively within the Reveal application to provide our core services. We may share aggregated, anonymized data for analytics purposes, but this data cannot be used to identify individual users.
Data Retention and Deletion
- Data Storage: Google user data is stored securely in our encrypted database for as long as your account is active.
- Account Deletion: You can delete your Reveal account at any time from your account settings. Upon deletion, all associated Google user data will be permanently removed from our systems within 30 days.
- Revoke Access: You can revoke Reveal's access to your Google account at any time through your Google Account Permissions page. Note that revoking access may limit certain features of the Reveal application.
Security Measures
We implement industry-standard security measures to protect your Google user data, including encryption at rest and in transit, secure authentication protocols (OAuth 2.0), and regular security audits. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
Compliance with Google API Services User Data Policy
Reveal's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use your Google user data only to provide and improve the features you have explicitly requested, and we do not use this data for any other purpose without your explicit consent.
Strava Integration
When you choose to connect your Strava account to Reveal, we request access to your Strava data to automatically import your fitness activities and enhance your travel tracking experience. Below is a clear description of what data we access and how we use it:
Data We Access from Strava
- Profile Information: We access your Strava profile data including your name, profile picture, athlete ID, location (city, state, country), and basic account information to create or link your Reveal account.
- Activity Data: With your permission (scope:
activity:read_all), we access your Strava activities including routes, distances, timestamps, GPS coordinates, elevation data, and activity types (running, cycling, hiking, etc.). - Public Activities Only: We only access activities you have marked as public or have explicitly shared with Reveal. Private activities remain private unless you change their visibility settings.
How We Use Strava Data
- Account Creation and Authentication: Your Strava profile information is used to create your Reveal account and enable seamless sign-in through Strava OAuth.
- Activity Import and Visualization: Your Strava activities are automatically imported and displayed on your personal Reveal map, allowing you to visualize your travel history and explored territories.
- Statistics and Gamification: Activity data (distances, elevation, activity types) is used to calculate your exploration statistics, achievements, and gamification metrics within Reveal.
- Historical Comparison: Your activity routes may be compared with historical explorer journeys to show how your travels align with famous expeditions.
Data Sharing and Storage
We do not sell, rent, or share your Strava data with third parties for marketing or advertising purposes.Your Strava data is stored securely in our encrypted database and used exclusively within the Reveal application. Activity data you choose to share publicly within Reveal (via your privacy settings) may be visible to other Reveal users, consistent with how Strava's own sharing features work.
Managing Your Strava Connection
- Disconnect Anytime: You can disconnect your Strava account from Reveal at any time through your account settings. This will stop new activity imports, but previously imported data will remain in your Reveal account unless you delete it manually.
- Revoke OAuth Access: You can revoke Reveal's access to your Strava account at any time through your Strava Connected Apps page. This will prevent Reveal from accessing new activities, but will not automatically delete data already imported.
- Data Deletion: To delete all imported Strava data, you can delete individual activities or your entire Reveal account from your account settings. Upon account deletion, all Strava-sourced data will be permanently removed from our systems within 30 days.
Compliance with Strava API Agreement
Reveal's use of Strava data complies with the Strava API Agreement and Strava's Terms of Service. We use your Strava data only to provide the features you have explicitly requested within Reveal, and we do not use this data for any other purpose without your explicit consent.
How We Use Your Information
We use the information we collect for various purposes, including:
- To provide and maintain our service
- To notify you about changes to our service
- To allow you to participate in interactive features of our application
- To provide customer support
- To gather analysis or valuable information so that we can improve our service
- To monitor the usage of our service
- To detect, prevent and address technical issues
Data Storage and Security
We use commercially reasonable methods to secure your personal information. However, please be aware that no method of transmission over the internet or method of electronic storage is 100% secure.
Disclosure of Data
We may disclose your personal information in the following situations:
- Legal Requirements: To comply with a legal obligation
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: With your explicit consent for other purposes
Your Data Protection Rights (GDPR Compliance)
Under the General Data Protection Regulation (GDPR), you have comprehensive rights regarding your personal data:
Right to Access (Article 15)
You have the right to access your personal information at any time through your account settings.
Right to Data Portability (Article 20)
You can export all your data in a machine-readable JSON format. This includes:
- Profile information and account settings
- All tracks, GPS data, and activity history
- Photos, comments, and social interactions
- Achievements and gamification data
- Activity logs and audit trail
To export your data:Visit your account settings and click "Export My Data". You can request a data export once every 24 hours. The export will be available for immediate download.
Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request permanent deletion of your account and all associated data. Our deletion process:
- Grace Period: 7 days before permanent deletion
- Cancellation: You can cancel the deletion request in-app at any time during the grace period. When you cancel, we send you a confirmation email letting you know your account is no longer scheduled for deletion.
- Permanent Deletion: After the 7-day grace period, your account and all data are deleted automatically and irreversibly from our systems
What gets deleted: Your profile, all tracks and GPS data, photos, comments, social connections, achievements, and all activity logs are permanently deleted. We comply with data retention requirements under GDPR and may retain minimal anonymized metrics solely for legal compliance purposes (e.g., aggregated usage statistics without any personally identifiable information). These anonymized statistics cannot be traced back to you and are retained under our legitimate interest to maintain service quality and security.
To delete your account:Visit your account settings and click "Delete My Account". Follow the confirmation process. You can request account deletion once every 24 hours.
Other Rights
- Right to Rectification: Update inaccurate or incomplete information through your account settings
- Right to Restrict Processing: Request limitations on how we process your data
- Right to Object: Object to processing of your personal data for specific purposes
- Right to Withdraw Consent: Withdraw consent for data processing at any time
Exercising Your Rights
To exercise any of these rights, you can:
- Access your account settings for data export and account deletion
- Contact us at privacy@revealapp.eu
- Write to us at: OVVA, s.r.o., Staré Grunty 18, 841 04 Bratislava - Karlova Ves, Slovakia
Response Time: We will respond to your request within 30 days, as required by GDPR. For data exports through our automated system, the data is available immediately.
Children's Privacy
Our service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16.
If you are between 13 and 16 years old, you may use our service only with verifiable parental consent. Please contact us at privacy@revealapp.eu to arrange this.
If we learn we have collected personal data from a child under 16 without parental consent, we will delete that data immediately.
Measuring Our Visitors
We measure visitors to our website using analytics tools. This records what pages you view within our site, how you arrived at our site, and some basic information about your computer. All of that information is anonymous – so we don't know who you are; just that somebody visited our site. The information we collect from analytics helps us understand what parts of our sites are doing well, how people arrive at our site, and so on. Like most websites, we use this information to make our website better.
You can learn more about Google Analyticsor opt out if you wish.
Social Networks
These services provide social buttons and similar features which we use on our website – such as the "Like" and "Tweet" buttons. To do so we embed code that they provide and we do not control ourselves. To function, their buttons generally know if you're logged in; for example, Facebook uses this to say "x of your friends like this". We do not have any access to that information, nor can we control how those networks use it. Social networks therefore could know that you're viewing this website if you use their services (that isn't to say they do, but their policies may change).
Email Communications
We may send you email notifications regarding your service (such as important account updates, security alerts) or which you have specifically requested (such as newsletters or notifications). You have the ability to opt out of any of this communication at any time from your account settings.
We will never provide your personal information or email address to any third parties except where they are specifically employed to help deliver our own services, as detailed above.
Payment Processing
We use payment providers to bill for our products online. These companies will have access to your personal and payment information. When paying by credit card, OVVA themselves do not ever have any access to your credit card details. We share information with these companies only to the extent necessary for the purposes of processing payments you make via our website.
Security Measures
OVVA takes many precautions to prevent the loss, misuse, or alteration of your personal information. These precautions include:
- Use of SSL encryption for sensitive data
- Hardware stored in secured datacenters behind firewalls
- All access to information restricted by password and/or secure key
- Restrictions to what information can be accessed via any location
- Regular security audits and monitoring
Whilst we take great care to ensure any confidential information remains protected, we cannot guarantee the security of data sent over the Internet. Of course, you are responsible for keeping your password and user details confidential. Nobody at OVVA will ever ask you for your password, so please don't trust anybody asking you for it.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time, particularly as technology changes. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "effective date". We may also notify you of changes to our privacy policy by email.
Contact Us
If you have any questions about this privacy policy or your personal data, please write to us:
- Email: support@ovva.sk
- Post: OVVA, s.r.o., Staré Grunty 18, 841 04 Bratislava - Karlova Ves, Slovakia
- Reveal Support: privacy@revealapp.eu
- Data Protection Officer: dpo@revealapp.eu
Last updated: July 8, 2026