Privacy Policy
Last updated: 9 May 2026
1. Who We Are
This privacy policy ("Policy") is issued by 11X APPSTUDIO d.o.o., a limited liability company organised under the laws of the Republic of Serbia ("11X APPSTUDIO", "TripRank", "we", "us", or "our"). We are the data controller for the personal data processed in connection with the TripRank mobile application, the website at triprank.co, and any related services (together, the "Service").
Registered office: Bulevar Arsenija Čarnojevića 171/9, 11070 Belgrade, Serbia
Company registration number: 22172522
Tax ID (PIB): 115539889
Privacy contact / DPO: uros@11x.studio
This Policy applies to all users worldwide, with additional sections for users in the European Economic Area, the United Kingdom, and Switzerland (Section 11), in the United States, including California (Section 12), and in other jurisdictions with specific requirements.
2. Summary
We try to keep what we collect to what the Service genuinely needs. In short:
- We collect location data to record your trips, show your speed, calculate statistics, alert you to known speed and red-light cameras, and provide rankings.
- We collect account data (email, display name, profile photo, country) so you can sign in and appear on leaderboards.
- We collect device and usage data for diagnostics, abuse prevention, A/B testing, and product improvement.
- We process subscription and purchase data through Apple, Google, and RevenueCat to manage paid features.
- We process uploaded vehicle photographs through fal.ai to generate AI car-modification previews.
- We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
The full detail is in the rest of this Policy.
3. Categories of Personal Data We Process
3.1 Account & profile data
Email address, password (stored only as a salted hash via our authentication provider), username/display name, profile photo, country/region, age confirmation, language preference, and the unique identifier assigned to your account.
3.2 Location data (precise GPS)
Latitude, longitude, altitude, heading, GPS-reported speed, GPS accuracy, and the timestamp of each fix. We collect location only when:
- You have an active trip recording in the foreground, or
- You have explicitly enabled background trip tracking, or
- You have enabled the speed-camera / red-light-camera alert feature, which needs to know your approximate position to determine whether you are approaching a known camera.
You can revoke location permission at any time in your device's operating-system settings. Doing so will disable trip recording, speed display, and camera alerts.
3.3 Trip and driving data
Routes (sequences of GPS points), distance travelled, duration, average and maximum speed, elevation gain, fuel/electricity estimates derived from the above, achievements, and ranks. Trip data is associated with your account.
3.4 Vehicle photos and AI-generated images
If you use the AI car-modification feature, we process the vehicle photo you upload and the modification prompt you supply. The image is transmitted to our AI processor (fal.ai) to generate a modified output. See Section 6.
3.5 Device and technical data
Device model, operating system and version, app version, language, time zone, mobile carrier (where exposed by the OS), an installation identifier, advertising identifier (only if you have not opted out at the OS level), crash logs, performance traces, and approximate IP-derived location for fraud and abuse prevention.
3.6 Usage and analytics data
Screens viewed, features used, button taps, A/B-test variant assignments, session duration, referral source, and similar product-analytics events.
3.7 Subscription, purchase & referral data
Subscription status, plan, renewal/expiry dates, purchase tokens, RevenueCat subscriber identifier, and referral codes redeemed or generated. We do not receive or store your full payment-card number or bank details — those are handled exclusively by Apple, Google, and their payment processors.
3.8 Communications
If you contact us by email, in-app messaging, or via social channels, we keep your message and our response so that we can answer you and meet our legal record-keeping obligations.
3.9 Data we do not collect
We do not knowingly collect government identifiers, biometric data, health data, sexual-orientation data, religious data, or other "special category" personal data. Please do not submit such information to us.
4. How We Use Personal Data and the Legal Basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and maintaining your account; authenticating you; delivering core trip-tracking and ranking features. | Performance of our contract with you (Art. 6(1)(b)). |
| Processing location to record trips and show your speed. | Performance of our contract with you (Art. 6(1)(b)) following your explicit OS-level location permission. |
| Speed-camera and red-light-camera alerts. | Performance of our contract with you (Art. 6(1)(b)); your in-app opt-in. |
| Generating AI car-modification images. | Performance of our contract (Art. 6(1)(b)); your explicit consent (Art. 6(1)(a)) for transferring the image to our AI processor. |
| Processing subscriptions, refunds, referral credits. | Performance of our contract (Art. 6(1)(b)); compliance with tax law (Art. 6(1)(c)). |
| Diagnostics, crash reporting, fraud and abuse prevention, securing the Service. | Our legitimate interests in operating a safe, working Service (Art. 6(1)(f)). |
| Product analytics, A/B testing, improvement of features. | Our legitimate interests (Art. 6(1)(f)); where required, your consent (Art. 6(1)(a)). |
| Sending service emails (e.g., password resets, billing receipts, material policy changes). | Performance of our contract (Art. 6(1)(b)). |
| Sending marketing communications. | Your consent (Art. 6(1)(a)), which you can withdraw at any time. |
| Complying with legal obligations and responding to lawful requests from authorities. | Compliance with a legal obligation (Art. 6(1)(c)). |
| Establishing, exercising, or defending legal claims. | Our legitimate interests in protecting our rights (Art. 6(1)(f)). |
5. Public Profile, Leaderboards & Social Features
By default, your username, profile photo, country, and aggregate trip statistics (such as total distance, rank position, badges) may be visible to other users on leaderboards and in social features. You can adjust visibility settings in the app, or set your profile to private. Your precise route data is never shown publicly.
If you choose to share a trip, screenshot, or AI-generated image to a third-party platform (Instagram, TikTok, etc.), that content leaves the Service and becomes subject to that platform's privacy practices. We have no control over how third parties handle content you publish there.
6. Service Providers (Sub-processors)
We rely on the following categories of third-party service providers. Each is contractually bound to process personal data only on our instructions and to implement appropriate security measures.
- Google Firebase (Google Ireland Ltd / Google LLC) — authentication, Realtime Database, Remote Config, Storage, crash reporting, push notifications.
- Google Cloud Run (Google Ireland Ltd / Google LLC) — backend hosting.
- RevenueCat, Inc. (United States) — subscription management, entitlement verification, server-to-server purchase events.
- Apple Inc. and Google LLC — in-app purchase processing, app distribution, push-notification delivery.
- fal.ai (FAL Group, Inc.) (United States) — AI image generation for the car-modification feature.
- Mixpanel, Inc. (United States) — product analytics.
- Mapbox, Inc. (United States) — map tiles and routing.
- Cloudflare, Inc. — website hosting, DDoS mitigation, CDN.
- Email and customer-support tooling — for handling messages you send us.
We may add or change service providers as the Service evolves. Material changes will be reflected in this Policy.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area, the United Kingdom, or Switzerland (notably the United States). When we transfer personal data to such third countries we rely, as applicable, on:
- European Commission adequacy decisions (e.g., the EU–U.S. Data Privacy Framework, where the recipient is certified);
- Standard Contractual Clauses (Module 2 controller-to-processor) approved by the European Commission, supplemented where necessary;
- Your explicit consent, where the transfer is occasional and based on Article 49 GDPR.
You can request a copy of the safeguards we use by emailing uros@11x.studio.
8. How Long We Keep Your Data
- Account & profile data — for as long as your account is active, then deleted within 90 days of account closure unless we have a legal obligation to keep it longer.
- Trip and route data — for as long as your account is active, or until you delete the trip.
- Crash logs and diagnostic data — up to 90 days.
- AI-generated images — processed in real time; the input image and generated output may be cached for up to 30 days for delivery and abuse-prevention purposes, then deleted.
- Subscription and billing records — up to ten (10) years where required by Serbian tax and accounting law.
- Communications — up to three (3) years from last contact.
- Legal and dispute records — for the duration of the relevant limitation period.
Anonymised or aggregated data (which can no longer be associated with you) may be retained indefinitely.
9. Security
We use commercially reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest for stored credentials, access controls, the principle of least privilege for staff access, audit logging, and periodic review of our infrastructure. No method of transmission or storage is perfectly secure. If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with applicable law.
10. Children
The Service is intended for users 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at uros@11x.studio and we will delete the data promptly.
11. Your Rights (EEA, UK, Switzerland, Serbia)
Subject to local law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing, including objection to processing based on our legitimate interests and to direct marketing;
- Portability — to receive your data in a structured, machine-readable format;
- Withdraw consent at any time where processing is based on consent (without affecting prior lawful processing);
- Lodge a complaint with your local data-protection authority. In Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik); EEA users may complain to the authority in their member state of residence.
To exercise any of these rights, email uros@11x.studio. We may need to verify your identity before responding. We aim to respond within 30 days.
12. Notice to U.S. Residents (incl. California)
The categories of personal information we have collected in the past 12 months are described in Section 3. We have not sold personal information and have not "shared" personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). California residents have the right to know, delete, correct, and limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. To submit a request, email uros@11x.studio. Authorised agents may submit requests on your behalf with proof of authorisation. Residents of other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, etc.) have similar rights, which we honour through the same contact channel.
13. Cookies and Mobile Identifiers
Our website uses only strictly necessary cookies and does not set advertising cookies. Our mobile app uses platform-provided identifiers (Apple's IDFV / IDFA, Android's app-set ID and, where you have not opted out, the advertising ID) for diagnostics, attribution, and fraud prevention. You can reset or limit these identifiers in your device settings.
14. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. Rankings and achievements are calculated algorithmically but are not used to make decisions about you outside the Service.
15. Changes to This Policy
We may update this Policy from time to time. If a change is material, we will notify you in-app or by email before it takes effect. The "Last updated" date at the top of this page shows when the current version became effective. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact
Questions, requests, or complaints about this Policy or our processing of your personal data:
11X APPSTUDIO d.o.o.
Bulevar Arsenija Čarnojevića 171/9, 11070 Belgrade, Serbia
Email: uros@11x.studio