Data controller
The controller of personal data processed in connection with MetroRadar is Przemysław Królikowski, the creator and operator of the MetroRadar app.
For privacy questions, rights requests or account deletion, email metroalertwarszawa@gmail.com or use the contact form and select “Privacy and personal data”. No data protection officer has been appointed; you can contact the controller directly.
Scope of this policy
This policy covers the MetroRadar mobile app for iOS and Android, metroradar.pl, its contact form and newsletter subscription, as well as correspondence and requests connected with the service.
App Store, Google Play, transport operators and external websites apply their own privacy policies. MetroRadar does not receive full payment-card details when you use an external voluntary-support link.
Data we process
The scope depends on the features you use and the permissions you grant. Not every user provides every category listed below.
The website currently uses no advertising cookies or marketing profiling. A hosting provider may keep short-lived technical logs for security and delivery. If consent-based analytics is introduced, an appropriate consent mechanism will be shown first.
Account and identity
Examplesdisplay name, email address, user ID and, when using Sign in with Apple, an Apple private relay address
Purposeaccount management, settings synchronisation and identifying the author of a report
Travel preferences
Examplessaved routes, favourite stations and lines, selected transport modes, alert and theme settings
Purposepersonalising the app and selecting relevant alerts
Community reports
Examplesreport content and category, line or station, time, verification status and author ID
Purposepublishing, verifying and moderating passenger information
Device and app
Examplesdevice type, operating system, app version, Firebase installation ID and push token
Purposedelivering alerts, security, diagnostics and service operation
Optional location
Examplesapproximate device location after permission is granted
Purposeshowing nearby stations, incidents and location-based features
Contact and website
Examplesname, email, subject and message; IP address held briefly for rate limiting
Purposereplying to enquiries and protecting the form against abuse
Newsletter subscription
Examplesemail address, selected language, subscription source, consent version and timestamp, subscription status and technical identifier
Purposesending the newsletter and managing confirmation and unsubscribe requests
Purposes and legal bases
We process data to perform the service and contract (Article 6(1)(b) GDPR), on the basis of consent for the newsletter and optional features such as location (Article 6(1)(a)), for legitimate interests such as security, abuse prevention, diagnostics and moderation (Article 6(1)(f)), and to comply with legal obligations (Article 6(1)(c)).
The newsletter is voluntary and independent of the app account. It becomes active only after email confirmation. Every newsletter includes a link for withdrawing consent and removing the address from the list.
Providing account data is voluntary but may be necessary for synchronisation and community features. You can still use core alerts and choose routes manually without granting location access.
Location and push notifications
The app may request approximate location, including in the background only where a feature requires it and you grant permission. It is used to show nearby stations or incidents, not for advertising or to build a journey history. You can disable the permission in iOS or Android settings.
To deliver alerts, we process a push token assigned to the app installation and your selected routes, lines and stations. Notifications are delivered through Firebase Cloud Messaging and, on iOS, Apple Push Notification service. You can disable them in the app or system settings.
Where data comes from
Data comes directly from you when you register, configure the app, save routes, submit reports, contact us or subscribe to the newsletter; from your device after permission or as part of technical operation; and from authentication and infrastructure providers where needed.
WTP and operator announcements are aggregated to report disruptions. Do not include another person’s personal data, identity documents or sensitive information in community reports.
Recipients and service providers
We do not sell personal data or provide it to advertisers. Necessary data may be processed by Google Firebase for authentication, Firestore, cloud functions, hosting, messaging and diagnostics; Apple for sign-in and iOS notifications; Google for Android services, Play distribution and Gmail; hosting providers; and public authorities or advisers where required by law.
Each provider receives only the data required to deliver its service and acts under appropriate data-protection terms or agreements.
Transfers outside the EEA
Some technology providers may process data outside the European Economic Area, particularly in the United States. Transfers rely on a GDPR-approved mechanism, such as an adequacy decision, the EU–US Data Privacy Framework or Standard Contractual Clauses, with additional safeguards where required.
How long data is retained
Account details, routes, stations and preferences are retained until you delete them or close the account. Community reports are retained as needed to operate and preserve incident history, then deleted or irreversibly detached from the account. Push tokens remain until sign-out, feature disablement, account deletion or token inactivity.
An active newsletter address is retained until unsubscribe or withdrawal of consent. An unconfirmed subscription expires after 48 hours and is deleted in the next cleanup cycle, no more than 12 hours later. Correspondence is normally retained for up to 12 months after a case closes. The form IP rate-limit entry stays in server memory for no more than 15 minutes. Operational data is generally deleted or anonymised within 30 days of account deletion; rotating backups expire on their normal cycle.
Account and data deletion
Delete your account from the profile settings in the app. If you no longer have access, email us from the address associated with the account or use the contact form. We may ask you to confirm your identity to protect the account.
Deletion covers the account and directly related data. Data required for law, security or legal claims will be restricted and erased after the applicable period. Anonymous information that can no longer identify a person is not personal data.
The newsletter is independent of the app account. Deleting the account does not automatically unsubscribe the newsletter; use the unsubscribe link in any newsletter or contact the controller.
Delete your account in the app or submit a request
Use the account deletion option in profile settings. If you cannot access the app, contact us from the email address linked to your account.
Your rights
Under the GDPR, you may request access, rectification, erasure, restriction, data portability and, where applicable, object to processing. You may withdraw consent at any time without affecting earlier lawful processing.
You may also lodge a complaint with the President of the Polish Personal Data Protection Office (UODO). We normally respond within one month; complex requests may lawfully take longer.
Security
We use access controls, authentication, encrypted transmission, least-privilege rules, backups and abuse controls appropriate to the scale and risk of the service. No internet service can guarantee absolute security, so suspected incidents are assessed and handled in accordance with applicable law.
Children
MetroRadar is a general public-transport information service and is not directed at children under 13. We do not knowingly request sensitive information from children. A parent or guardian who believes a child provided unnecessary personal data should contact us.
Changes and contact
We may update this policy when the app, providers or law change. Material changes will be communicated in the app or on the website, and the date above will be updated.
Questions and requests can be sent to metroalertwarszawa@gmail.com or through the contact form.