Privacy Policy
Effective date: 2 April 2026 · Last updated: 2 April 2026
Plain-English summary: CityNav collects the minimum data needed to make navigation work. We do not sell your personal data. Location data is processed on your device and is never stored on our servers unless you explicitly activate Live Location Sharing. You can delete your account and all associated data at any time.
1. Who We Are
CityNav (“we”, “us”, “our”) operates the CityNav web application and mobile application (collectively, the “Service”), which provides tourist navigation, real-time transit information, and related travel services for 27 major cities worldwide.
For the purposes of applicable data-protection legislation (including the UK GDPR and EU GDPR), CityNav is the data controller of personal data collected through the Service.
2. Data We Collect
We collect only what is genuinely necessary to provide and improve the Service.
2.1 Information you give us directly
- Account information — When you sign in via Replit OAuth, we receive your name, email address, and profile picture from your Replit account. You can browse CityNav without signing in; an account is only required to access premium features.
- Subscription & payment information — When you subscribe to CityNav Premium, payment is processed by Stripe. We receive a Stripe customer ID and subscription status; we never see or store your full card number, CVV, or bank details.
- Emergency contacts — If you use the SOS feature, you voluntarily provide a phone number. This number is used solely to send a one-time emergency SMS and is not retained beyond the active session.
- Live Location Sharing — If you choose to share your location, a temporary tracking session is created. The recipient accesses your position via a unique link. Sessions expire automatically after 8 hours and can be revoked at any time.
- Trip Journal entries — Notes and photos you add to your Trip Journal are stored locally in your browser’s storage by default and are not transmitted to our servers unless you explicitly save them to your account.
2.2 Information we collect automatically
- Usage data — Pages visited, features used, search queries (destination names, not your home address), and navigation mode selected. This is collected in aggregate and cannot be linked back to an individual without your account data.
- Device & technical data — Browser type, operating system, screen resolution, and app version. Used for compatibility and bug-fixing.
- Session data — A session cookie keeps you logged in. See Section 7.
- Error logs — If the app crashes or encounters an error, a log entry (with no personally identifiable information) may be recorded to help us fix the issue.
2.3 Information we do not collect
- Precise GPS co-ordinates stored server-side (location stays on your device except during active Live Location Sharing sessions).
- Camera images or video from AR Navigation.
- Contacts from your phone or address book.
- Advertising identifiers or cross-site tracking data.
3. How We Use Your Data
| Purpose | Data used | Can you opt out? |
| Providing navigation & transit directions | Destination search terms; device location (on-device only) | N/A — core service |
| Account authentication | Name, email, profile picture (from OAuth) | Yes — browse without signing in |
| Processing subscriptions | Stripe customer ID, subscription status | Yes — use free features only |
| Sending SOS emergency alerts | Phone number you provide | Yes — feature is opt-in |
| Live Location Sharing | GPS co-ordinates during active session | Yes — feature is opt-in |
| Service improvement & bug fixing | Aggregate usage data; error logs | Partial — see cookie settings |
| Legal obligations | Account & billing records | No — required by law |
We do not use your data for targeted advertising, profiling, or selling to third parties.
4. Legal Basis for Processing (GDPR)
If you are located in the UK or European Economic Area, we process your personal data on the following legal bases:
- Performance of a contract — To deliver the Service you have requested (navigation, account management, subscriptions).
- Legitimate interests — To improve the Service, fix bugs, and maintain security — where these interests are not overridden by your rights.
- Consent — For optional features such as Live Location Sharing and device location access. You may withdraw consent at any time.
- Legal obligation — To comply with applicable laws, such as retaining billing records.
5. Data Sharing & Third Parties
We share personal data only with the limited set of third parties required to operate the Service:
| Third party | Purpose | Data shared | Privacy policy |
| Stripe | Payment processing | Email, subscription plan | stripe.com/privacy |
| Google Maps Platform | Interactive maps, routing, Places search | Destination search terms; approximate location (sent to Google APIs on your request) | policies.google.com/privacy |
| Twilio | SOS emergency SMS delivery | Recipient phone number, message content (one-time per SOS activation) | twilio.com/legal/privacy |
| Replit | OAuth authentication & hosting infrastructure | Name, email, profile picture (at login) | replit.com/site/privacy |
We do not share data with data brokers, advertising networks, or analytics companies. We do not sell personal data.
We may disclose information if required by law, court order, or to protect the safety of users or the public — and only to the extent strictly necessary.
6. Location Data
CityNav is a navigation app, so location is central to many features. Here is exactly how we handle it:
- On-device only (default) — Your GPS co-ordinates are obtained via the browser’s Geolocation API and processed locally on your device to calculate routes and show your position on the map. This data is not transmitted to CityNav servers in normal use.
- Google Maps API calls — When you request directions, your origin/destination (which may be your current location) is sent to Google’s servers to calculate the route. This is governed by Google’s privacy policy.
- Live Location Sharing (opt-in) — If you activate this feature, your GPS co-ordinates are sent to our server every 10 seconds and stored temporarily (maximum 8 hours, or until you revoke the session). Only people with your unique link can view your position. Sessions are deleted when they expire or are revoked.
- SOS Emergency — Activating SOS sends your current GPS co-ordinates within the emergency SMS message. No server-side location log is retained beyond the Live Location Sharing session automatically created at the same time.
- AR Navigation & Camera — The AR feature uses your device camera to overlay directional arrows. No images or video are ever captured, transmitted, or stored. Camera access is used in read-only streaming mode and only while AR mode is active.
You can revoke location permission at any time in your browser or device settings. Doing so disables GPS-dependent features but does not affect other parts of the Service.
7. Cookies & Local Storage
7.1 Strictly necessary cookies
We set one session cookie (connect.sid) to keep you logged in. This cookie expires when you close your browser or after 7 days of inactivity. Without it, you would need to log in on every page load. This cookie cannot be disabled while you are signed in.
7.2 Local storage
We use your browser’s localStorage to remember preferences such as your saved city, Trip Journal entries, and UI settings. This data stays on your device and is not transmitted to us.
7.3 No advertising or tracking cookies
We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts. The only external scripts loaded are the Google Maps JavaScript API (for maps) and Stripe.js (for payment forms on the Subscribe page).
8. Data Retention
- Account data — Retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Subscription & billing records — Retained for 7 years to comply with financial regulations, even after account deletion.
- Session data — Deleted after 7 days of inactivity or immediately on logout.
- Live Location Sharing sessions — Automatically purged after 8 hours or immediately on manual revocation.
- Error logs — Retained for 30 days then automatically deleted.
9. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Correction — Ask us to fix inaccurate or incomplete data.
- Erasure — Request deletion of your personal data (“right to be forgotten”). We will comply within 30 days, subject to legal retention requirements.
- Portability — Receive your data in a machine-readable format.
- Objection — Object to processing based on legitimate interests.
- Restriction — Ask us to pause processing while a dispute is resolved.
- Withdraw consent — For features requiring consent (e.g. location sharing), withdraw at any time without affecting prior lawful processing.
- Complain — Lodge a complaint with your national data-protection authority. In the UK, this is the Information Commissioner’s Office (ICO); in the EU, your local supervisory authority.
To exercise any of these rights, contact us at the details in Section 14. We will respond within 30 days (UK/EU GDPR requirement).
10. Children’s Privacy
CityNav is not directed at children under the age of 13 (or under 16 in EU/UK jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. International Data Transfers
Our servers are hosted by Replit, Inc. (United States). If you are located in the UK or EU, your data may be transferred to and processed in the US. Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Agreement (IDTA), to safeguard your data.
Google and Stripe also process data internationally. Both companies participate in approved data transfer frameworks and maintain adequate safeguards.
12. Security
We take reasonable and appropriate technical and organisational measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit.
- Hashed and salted session tokens; no plaintext passwords stored (authentication is delegated to OAuth providers).
- Database access restricted to server-side processes only; no direct public access.
- Stripe handles all card data in a PCI-DSS compliant environment — we never touch raw card numbers.
- Location data for Live Location Sharing stored with automatic 8-hour expiry.
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to the contact address below.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email or by a prominent notice within the Service. Your continued use of CityNav after the effective date of changes constitutes acceptance of the updated policy.
We encourage you to review this page periodically.