Privacy Promise
The whole policy, in plain language. What we collect, how long we keep it, who can see your location, and how to delete it — written to clear the bar Mozilla's *Privacy Not Included reviewers set, not to satisfy a lawyer.
The promise
Three commitments are binding — they define the business, not just this page. Everything below is how we keep them.
We never sell or broker your location data. Ever.
No data brokers, no "aggregated" resale, no advertising partners. We make money from people who choose to pay us — never from access to where you've been.
We run no ad-tech and build no advertising profile.
There is no ad network, and no third-party advertising or analytics SDK riding along in the app. Your movements are not inventory.
Sharing is isolated at the broker, not just in the app.
Your location is relayed only to people who share at least one team with you — enforced by access-control rules in the message broker itself.
What we collect
We practise data minimisation: we collect what the service needs to work, and nothing extra. Here is the complete list.
- Location updates
- Coordinates, timestamp, and basic device battery/accuracy, sent by the OwnTracks app you install. Only while you have sharing on.
- Account details
- Your email address and a hashed password, used to sign in and to recover your account.
- Team membership
- Which teams you belong to and your role in each — so the broker knows who may receive your location.
- Operational logs
- Minimal server logs needed to run and secure the service. Kept briefly, never used to profile you, never sold.
What we never collect or do
- ✕ No contacts, no browsing, no microphone. We don't read your address book, your other apps, or anything beyond the list above.
- ✕ No advertising identifiers. No IDFA/AAID collection, no ad-network SDKs, no cross-app tracking.
- ✕ No third-party analytics. No Google Analytics, no Facebook SDK, no session-replay tools watching you use the app.
- ✕ No selling, no brokering, no "anonymised" resale. Your data is never a product, in any form.
- ✕ No dark patterns. No cookie wall on load, no fake urgency, no essential feature held hostage to create anxiety.
How sharing is isolated
Druptrails routes location through an EMQX MQTT broker. Access is governed by access-control list (ACL) rules at the broker: a device may only publish to its own topics, and may only subscribe to teammates who share at least one team with it.
This matters because the guarantee lives below the application. With a typical app, a permission check is a line of code — a bug in that check can leak data. Here, even if an application query were flawed, the broker will not deliver a message to a client that has no ACL grant for it. Team membership is the boundary, and it is enforced at the infrastructure layer.
Leave a team and your grant is revoked: your location stops reaching its members right away. You only ever share with people you have explicitly teamed with.
In short: sharing is not a setting we promise to honour — it is a rule the broker enforces on every single message.
Retention — you choose
You decide how long location history is kept. Pick a window per team; when data ages past it, it is removed automatically.
- Default
- 30 days of history. Old points fall off the map automatically.
- Options
- 30 days, 90 days, up to 2 years, or keep-until-deleted — set per team.
- Export
- Download your full history at any time, in an open format — yours to take with you.
Deletion — one click, and it's gone
You can delete your history, leave any team, or delete your entire account from within the app. Deletion actually deletes — there is no 30-day "soft delete" limbo where we quietly keep a copy. Once purged from active systems, residual data clears from encrypted backups on their normal rotation.
Security & an honest caveat
Connections between the OwnTracks app, our broker, and the web app are encrypted in transit with TLS. The OwnTracks protocol is open and auditable, so its behaviour can be inspected rather than taken on faith — and you can self-host it if you'd rather not trust us at all.
We will not overclaim end-to-end encryption. To relay your location to teammates, our server processes and stores it — so it is not end-to-end encrypted in the strict sense. OwnTracks offers optional payload encryption, but that makes little sense for relaying between users on a shared server unless every teammate shares a secret. We'd rather be precise than market a guarantee we don't deliver.
What we do promise is concrete and defensible: data minimisation, no selling and no ad-tech, broker-level team isolation, TLS in transit, and retention you control.
The basics (we do these too)
- Sharing is consent-based. Nothing is shared until you join a team and turn it on.
- You can pause sharing anytime, from the app, without leaving your teams.
- It's clear when you're sharing, with a persistent indicator — no silent tracking.
Changes & contact
If we change what we collect or how we handle it, we'll update this page and tell you in advance — by email, because it affects your account, not to re-engage you. We will never weaken the three binding promises above; doing so would make this a different product.
Questions, or want your data? Email privacy@druptrails.com, or read about the OwnTracks app to understand the open protocol underneath.