Privacy Policy
Version 1.2 — In effect since 5 July 2026.
1. Introduction
This privacy policy describes how the ATEQO mobile application (“the App”) collects, uses and protects the personal data of its users (“you”). It is drafted in accordance with Regulation (EU) 2016/679 on the protection of personal data (“GDPR”) and the French Data Protection Act (loi Informatique et Libertés) of 6 January 1978, as amended.
Using the App implies acceptance of the terms of this policy. If you do not agree, you are advised not to use the App.
2. Data controller
The App is published by an independent developer, a working professional delivery driver, acting in a personal capacity.
- Contact for any question relating to data protection: cargo.app.admin@gmail.com
In the absence of a dedicated legal entity, the publisher acts as the data controller within the meaning of Article 4 of the GDPR for the data collected through the App.
3. Data collected and processed
3.1 Data you provide directly
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation, authentication, password reset | Performance of a contract (Article 6(1)(b) GDPR) |
| Password | Authentication (stored in hashed form, never in plain text) | Performance of a contract |
| Username (optional) | Display in your profile | Consent (Article 6(1)(a)) |
| Sign-in via a Google account (optional, alternative to email) | Your name and Google email address are shared with us to create your account and generate an initial username (editable afterwards) | Performance of a contract (Article 6(1)(b) GDPR) |
| Delivery addresses you enter | Organising and optimising your route | Performance of a contract |
| Notes attached to a stop (optional) | Reminder for your deliveries | Performance of a contract |
| Starting point (“base”) address | Calculating the route from your depot or home | Performance of a contract |
3.2 Data collected automatically
| Data | When | Purpose |
|---|---|---|
| Precise GPS location | Only during active navigation (explicitly started by you) | Centring the map, calculating the distance to the next stop, detecting arrival (< 80 metres) |
| IP address, device type and OS version | When calls are made to the backend server | Rate limiting (anti-abuse), technical logs |
| Language, country (inferred from your device settings), account creation date and last sign-in date | At sign-in | Remembering your language across your devices; anonymised internal statistics (language / country breakdown) to improve the App |
3.3 Data processed on an ephemeral basis
| Data | Processing |
|---|---|
| Parcel label image | Captured by the camera when you start a scan. Sent to a third-party service (Google Cloud Vision) for optical recognition of the address. The image is never stored on our servers: it is transmitted, processed, and the text result is returned to you. The request is instantaneous. |
3.4 What we do not collect
- Your real first and last name — unless you choose to sign in via Google: your Google name is then shared with us to generate an initial username, which you can change at any time
- Your phone number
- Your date of birth
- Your banking data (handled directly by Google Play during a purchase, never by ATEQO)
- Your contacts, your calendar, your personal photos
- Your health or fitness data
- Any sensitive data (racial origin, political opinions, religion, etc.)
- Any advertising or tracking data (no Google Analytics, Firebase, Sentry, or equivalent)
4. Recipients of your data
ATEQO relies on the following technical sub-processors. None of these third parties uses your data for targeted advertising or resale purposes.
| Sub-processor | Service provided | Data transmitted |
|---|---|---|
| Supabase Inc. (United States) | Database hosting + authentication | Email, hashed password, username |
| Google LLC — Google Sign-In (United States) | Alternative authentication to email | Name and email address of your Google account, only if you choose this sign-in method |
| Google LLC — Google Play Billing (United States) | Processing of premium payments and subscriptions | Payment is handled by your Google Play account — ATEQO receives no banking data |
| RevenueCat, Inc. (United States) | Technical subscription management (purchase validation, premium status) | Account identifier (anonymous) and subscription status — no banking data |
| Google LLC — Cloud Vision API (United States) | Optical recognition of addresses on labels | Parcel image transmitted ephemerally during a scan |
| Google LLC — Maps Platform (United States) | Mapping, geocoding, address suggestions | Addresses entered, search sessions |
| Vercel Inc. (United States) | Hosting of the backend API | IP address, HTTP headers, authentication tokens (validated then not stored) |
No sharing of your data with third parties for commercial, advertising or external statistical purposes takes place.
5. Transfers outside the European Union
The sub-processors listed above are based in the United States. Transfers of data to these recipients are governed by:
- the standard contractual clauses adopted by the European Commission (decision 2021/914 of 4 June 2021);
- for providers that adhere to it: the EU-US Data Privacy Framework, deemed adequate by the European Commission in its decision of 10 July 2023.
These mechanisms ensure a level of data protection equivalent to that required by the GDPR.
6. Data retention periods
| Type of data | Retention period |
|---|---|
| User account (email, hashed password, username, language, country, sign-in dates) | For as long as your account exists. Deletion is possible directly within the App (Account tab → Account management → Delete account), on request by email, or after 3 years of total inactivity. |
| Addresses, stops, route history | Stored locally on your device only. Erased when the App is uninstalled. |
| GPS location | Held in RAM only for the duration of active navigation. Lost at the end of the session. |
| Parcel label image | Ephemeral — not stored by ATEQO. Google Cloud Vision retention policy: 24 hours maximum on Google's side. |
| Server logs (IP, headers) | 30 days maximum on Vercel's side, in accordance with their standard hosting policy. |
| Subscription status (via Google Play / RevenueCat) | For as long as the subscription is active + the statutory accounting period (10 years for financial transactions). |
7. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your personal data:
- Right of access (Article 15): obtain a copy of the data concerning you
- Right to rectification (Article 16): correct inaccurate data
- Right to erasure (Article 17, the “right to be forgotten”): request the deletion of your data
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20): receive your data in a structured format
- Right to object (Article 21)
- Right to withdraw your consent at any time, for processing based on consent
Exercising your rights
Send your request by email to cargo.app.admin@gmail.com. We undertake to respond within one month, in accordance with Article 12 of the GDPR.
Complaints
You also have the right to lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés, CNIL): www.cnil.fr.
8. Local storage on your device
ATEQO uses your device's native local storage mechanisms (localStorage on the webview side, @capacitor/preferences on the native Android side) to remember:
- the list of your current stops
- your favourite starting point
- your route history
- your display preferences (tutorial counter, last scan postcode)
This data remains exclusively on your device. It is never transmitted to a server. Uninstalling the App erases it permanently.
ATEQO uses no advertising cookies or third-party trackers.
9. Security
The following measures protect your data:
- Encryption in transit: all network communications use HTTPS with TLS 1.2 minimum.
- Passwords: stored only in hashed form (bcrypt) on the Supabase side, never in plain text.
- Row Level Security (RLS): active policies on the Supabase tables to ensure that a user can only access their own data.
- Purchase validation: subscriptions are verified directly with Google Play Billing (store-side validation via RevenueCat).
- No local storage of sensitive tokens: Supabase sessions use time-limited JWTs, automatically renewed.
No system is infallible. In the event of a data breach affecting your information, you will be informed within 72 hours of our becoming aware of it, in accordance with Article 34 of the GDPR.
10. Minors
ATEQO is intended for professional delivery drivers and is not designed for users under the age of 16. No collection of data from minors is intentional. If you are under 16, you are advised not to use the App.
If you are a parent or legal guardian and notice that a minor has provided data through the App, contact us at cargo.app.admin@gmail.com for immediate deletion.
11. Changes to this policy
This policy may evolve to reflect technical, legal or feature changes to the App. Any substantial change will be notified:
- by updating the “In effect since” date at the top of this document;
- for major changes (a new category of data, a new recipient, a change of purpose): by a notification within the App at your next sign-in.
Continued use of the App after notification constitutes acceptance of the new version.
12. Contact
For any question, request relating to your rights, or report of an incident:
Maximum response time: one month.