Privacy & Data

Your data stays yours.

We collect the minimum needed to deliver the features you use. Nothing more. Privacy isn't a checkbox — it's how we build.

Zero ads · Zero data sales · Zero tracking
Our stance

Privacy as a feature

RV owners choose off-grid living because they value independence. An app that tracks, profiles, or monetizes your data betrays that trust. Our privacy posture isn't defensive compliance — it's an active commitment to the community we're building for.

  1. Your data is yours. We never sell, share, or monetize personal data. No ad networks. No data brokers. No "anonymized" datasets sold to third parties.
  2. Minimum viable data. We collect only what's needed to deliver the feature you're using. If you don't use a feature, we don't collect its data.
  3. Local-first processing. BLE sensor data (Mopeka, TPMS, Ruuvi) is processed entirely on-device. It never touches our servers unless you explicitly contribute it to community features.
  4. You control the connections. Every hardware integration requires your explicit action to connect. Disconnect any integration at any time — we immediately revoke access and purge cached data.
  5. Transparency over legalese. This policy is written in plain language. Every data collection point in the app includes a human-readable explanation of what's collected, why, and where it goes.
Data collection

What we collect — and don't

Data is split into four clear categories. Most sensor data never leaves your iPhone.

Stays on device — never transmitted
  • BLE sensor readings (Mopeka, TPMS, Ruuvi)
  • Sensor history (compacted on-device)
  • Peplink local API responses
  • Alert thresholds & evaluation results
  • Offline-first data (checklists, timers, calculators)
  • Cached map tiles
  • Draft community contributions (before submit)
  • Caravan P2P snapshots (device RAM, encrypted)
Transmitted to RigSense (encrypted)
  • Account credentials (hashed + salted)
  • Rig profile (dimensions, equipment)
  • Saved spots & stay history
  • Submitted community contributions
  • Caravan invite code + expiry (no member data)
  • Caravan relay snapshots (in-memory only, not persisted)
Transmitted to third parties (consent only)
  • Victron VRM — OAuth token exchange
  • Renogy — SDK authentication
  • Smartcar — OAuth token to OEM cloud
  • Apple StoreKit — payment processing
Never collected — ever
  • Device IMEI / hardware serial numbers
  • Contacts, photos, microphone, or camera
  • Advertising identifiers (IDFA never requested)
  • Cross-app tracking data
  • Browsing history
  • Biometric data
| Data category | Lawful basis | Justification |
|---|---|---|
| Account (email, password hash) | Contract | Required to provide the service |
| Rig profile, saved spots, stay history | Contract | Core service functionality |
| GPS location (active navigation) | Contract | Required for navigation and spot-finding |
| GPS location (background route tracking) | Consent | Off by default; requires explicit opt-in |
| BLE sensor data (on-device) | N/A | Not transmitted — processed locally on iPhone |
| Victron / Renogy / EcoFlow cloud data | Consent | User initiates OAuth connection; revocable anytime |
| Smartcar / connected vehicle | Consent | User-initiated OAuth with granular scope selection |
| Community contributions | Consent | User explicitly submits; can delete own contributions |
| Caravan sharing | Consent | Double opt-in; each data point has independent toggle; all off by default |
| Payment information | Contract | Processed by Apple StoreKit — RigSense never sees card data |
| Crash reports & analytics | Legitimate interest | Anonymized, aggregated, no PII — used for app stability only |
GDPR & CCPA

Your rights

All GDPR individual rights are implemented via in-app controls — no need to email us for most requests. US users are protected under the same framework, which exceeds CCPA/CPRA requirements.

Access & Portability (Art. 15, 20)
Export a complete copy of your personal data — spots, stays, sensor history, contributions — in JSON/CSV format within 48 hours.
Settings → Privacy → "Download My Data"
Rectification (Art. 16)
All profile data — rig specs, account details, preferences — is editable in-app at any time.
Settings → Profile
Erasure (Art. 17)
Delete your account and all associated data. Includes a 7-day grace period to cancel. Backup purge completes within 30 days.
Settings → Account → "Delete My Account"
Restriction & Objection (Art. 18, 21)
Disable individual integrations without deleting your account. Opt out of anonymized analytics at any time.
Settings → Privacy → Analytics toggle
No Automated Decision-Making (Art. 22)
RigSense doesn't make automated decisions with legal or significant effects. Spot recommendations and energy estimates are suggestions only.
No action required
Right to Know (CCPA)
We never sell personal data — so the "right to opt out of sale" is inherently satisfied. The free tier is fully functional without any data sharing beyond account basics.
No action required
Lifecycle

How long we keep data

Every data type has a defined retention period. Nothing is kept indefinitely unless it's community content you chose to make public.

| Data type | Retained for | Deletion trigger |
|---|---|---|
| Account data | Duration of account | Account deletion request |
| Stay history | Duration of account | Account deletion or manual per-stay deletion |
| Sensor readings (backend) | 12 months rolling | Auto-purge after 12 months; immediate on account deletion |
| Vehicle health snapshots | 12 months rolling | Auto-purge or on vehicle disconnection |
| OAuth tokens (Victron, Smartcar) | Until revoked | User disconnects integration or deletes account |
| Community contributions | Indefinite (public) | User deletes own content; anonymized on account deletion |
| Crash / analytics logs | 90 days | Auto-purge |
| Database backups | 30 days rolling | Encrypted; purged on rotation |
| Caravan session data | Max 14 days | Auto-deleted hourly; no location history stored server-side |
| Caravan snapshots (relay) | In-memory only | Never persisted; lost on channel close |
Technical measures

How we protect it

Security is built into every layer — from device storage to API communication to infrastructure. No third-party analytics SDKs that phone home. No Facebook SDK. No Google Analytics.

Transit
TLS 1.3 for all API communication. Certificate pinning in the iOS app.
Backend storage
AES-256 encryption at rest for PostgreSQL. Encrypted R2/S3 buckets.
Device storage
iOS Keychain for tokens. SwiftData with NSFileProtectionComplete.
Authentication
JWT with 15-minute access tokens + 30-day refresh tokens rotated on use. bcrypt with cost factor 12 for passwords.
OAuth tokens
Encrypted with a per-user key before database storage. Never appear in logs.
API access
Rate limiting per user. Anomaly detection for credential stuffing.
Infrastructure
Cloudflare WAF + DDoS protection. Server access via SSH key only.
Logs & monitoring
PII-scrubbed logs — no emails, GPS coordinates, or OAuth tokens in output. 72-hour breach notification pipeline per GDPR Article 33.
Article 28 processors

Third-party data processors

Every third party that touches user data has a signed Data Processing Agreement (DPA). We have no data processors for advertising, profiling, or data enrichment — because we don't do any of those things.

Smartcar
Vehicle health data (fuel, tires, DTCs) · SOC 2 Type 2, ISO 27001/27701 certified
DPA signed
Victron Energy
VRM installation data for energy system monitoring
DPA signed
Renogy
Energy system data for solar and battery monitoring
DPA signed
Apple (StoreKit)
Payment processing for subscriptions · RigSense never sees card data
Apple EULA
Cloudflare
CDN, WAF, and DNS · Request metadata (IPs) only
DPA signed
Database host (Supabase / Neon)
PostgreSQL hosting · All data encrypted at rest
DPA signed
Transactional email provider
Email addresses only · Account verification and receipts
DPA signed
How it works

Account deletion pipeline

When you delete your account, everything goes. A 7-day grace period lets you cancel if you change your mind. After that, the pipeline is irreversible.

  1. Tap Settings → Account → Delete My Account — plain-language confirmation dialog explains consequences
  2. 7-day grace period begins — you can cancel at any time during this window
  3. All OAuth tokens revoked (Smartcar, Victron, Renogy) — third-party access cut off immediately
  4. User record, rig profiles, stay history permanently deleted from the database
  5. Community contributions anonymized — your content remains but your identity is replaced with "deleted user"
  6. All sensor readings and vehicle health data purged
  7. Backup purge queued — completed within 30 days (encrypted backups rotated and overwritten)
  8. Confirmation email sent — your email address itself is then deleted after confirmation is sent
Questions

Contact us about privacy

If you have questions about this policy, want to exercise a data right not available in-app, or need to report a concern — reach out directly. We read every email.

Privacy inquiries
support@rigsense.app · Typical response within 24–48 hours
Effective date: March 8, 2026 · Version 1.0 — aligned with RigSense architecture v7.15