Privacy as a feature
RigSense is operated by Topo Intel LLC, a Texas limited liability company. RV owners choose off-grid living because they value independence. An app that tracks, profiles, or monetizes your data betrays that trust. Our privacy posture isn't defensive compliance — it's an active commitment to the community we're building for.
What we collect — and don't
Data is split into four clear categories. Most sensor data never leaves your iPhone.
- BLE sensor readings (Mopeka, SeeLevel, TPMS, Ruuvi, Epoch/SOK BMS)
- Shore power data (Power Watchdog — voltage, current, wiring status)
- Leveling data (CoreMotion accelerometer or LevelMate sensor)
- Sensor history (compacted on-device)
- Peplink local API responses
- Local hardware APIs (Starlink dish, Victron Cerbo GX, Peplink router) communicate over your RV's local WiFi network using HTTP. These devices do not support HTTPS. Traffic stays on your local network and is never sent to our servers. Data includes rig telemetry only (signal strength, battery status, solar yield) — no personal information.
- Alert thresholds & evaluation results
- Offline-first data (checklists, timers, calculators)
- Cached map tiles
- Draft community contributions (before submit)
- Convoy P2P snapshots (device RAM, encrypted)
- Account credentials (hashed + salted)
- Rig profile (dimensions, equipment)
- Saved spots & stay history
- Submitted community contributions (reviews, tips, photos — see community photos below)
- Convoy invite code + expiry (no member data)
- Convoy relay snapshots (in-memory only, not persisted)
- Victron VRM — OAuth token exchange
- Apple StoreKit — payment processing
- Device IMEI / hardware serial numbers
- Contacts, microphone, or camera
- Photos from your library beyond the ones you explicitly upload
- Advertising identifiers (IDFA never requested)
- Cross-app tracking data
- Browsing history
- Biometric data
| Data category | Lawful basis | Justification |
|---|---|---|
| Account (email, password hash) | Contract | Required to provide the service |
| Rig profile, saved spots, stay history | Contract | Core service functionality |
| GPS location (active navigation) | Contract | Required for navigation and spot-finding |
| GPS location (background route tracking) | | Off by default; requires explicit opt-in |
| BLE sensor data (on-device): Mopeka, SeeLevel, TPMS, Ruuvi, Epoch/SOK BMS, Power Watchdog, LevelMate | N/A | Not transmitted — processed locally on iPhone. Tank levels, tire pressure, temperature, shore power voltage, leveling angles never leave your device. |
| Victron VRM cloud data | | User initiates OAuth connection; revocable anytime |
| Connected vehicle (future — Phase 5D) | | User-initiated OAuth with granular scope selection; not yet available in the current app |
| Community contributions | | User explicitly submits; can delete own contributions |
| Convoy sharing | | Double opt-in; each data point has independent toggle; all off by default |
| Payment information | Contract | Processed by Apple StoreKit — RigSense never sees card data |
| Crash reports & analytics | Legitimate interest | Anonymized, aggregated, no PII — used for app stability only |
Photos you upload to community spots
RigSense lets you upload photos to public spots so other users can see what a place actually looks like. We want to be precise about how those photos are stored and served, because the model has trade-offs that aren’t obvious from the upload screen.
How photos are stored. When you upload a photo, it goes to a Supabase Storage bucket called location-photos. The bucket is configured as public — meaning each photo is reachable at a stable, unique URL. This is the same model used by most photo-heavy apps (Instagram, Twitter, Reddit, Yelp). It keeps the app fast, lets photos render in spot detail views without a per-image authentication round-trip, and works with standard CDN caching.
What that means for you. Once you upload a photo, anyone with the URL can view it. The URL doesn’t require a RigSense account or a password. The URL also doesn’t expire on its own.
How to delete a photo. Open the photo in the app, tap the … menu, and choose Delete Photo. The file is removed from RigSense storage immediately, the photo disappears from the spot for everyone, and the URL starts returning 404 to anyone who tries it. The Delete action is only available to the photo’s author — nobody else can remove your photos through that path. (Reports of policy-violating content go through the Report flow, which routes to our moderation team.)
If a photo URL was shared and the recipient downloaded the image to their device before you deleted it, that copy is theirs — same as any other photo-sharing platform. We can remove the file from our storage; we can’t reach into other people’s devices.
Deletion log. When a photo is deleted, we keep a short audit record — who deleted it, which spot it was attached to, the storage path that was removed, the timestamp, and the reason (author self-service, moderator action, or admin purge). This record persists after the photo file and contribution row are gone. The image data itself is not retained. The log is read-restricted to our moderation team and the platform service role; it is never exposed to other users or to the public. The purpose is forensics: if a photo is reported by another user as harmful and the author deletes it before review, we still need to know it existed. The log row is itself deleted if the spot is deleted, or unlinked from a user account if the user invokes their right-to-erasure under GDPR.
What we recommend. Treat photos uploaded to community spots the way you’d treat a photo posted to a public Instagram account or shared in a public forum. Don’t upload anything you wouldn’t want a stranger to see.
Reporting and moderation. Every uploaded photo carries a Report action. If you see something that violates our guidelines, report it. Reported photos are reviewed and removed if they break our rules. Reports are logged and the reporting user is never disclosed to the photo’s author.
Photos you don’t upload. RigSense never accesses your camera roll or photo library beyond the specific photos you choose to attach to a contribution. We don’t scan your library, we don’t auto-upload, and we don’t read EXIF metadata other than the orientation tag needed to display the photo correctly.
Your rights
All GDPR individual rights are implemented via in-app controls — no need to email us for most requests. US users are protected under the same framework, which exceeds CCPA/CPRA requirements.
How long we keep data
Every data type has a defined retention period. Nothing is kept indefinitely unless it's community content you chose to make public.
| Data type | Retained for | Deletion trigger |
|---|---|---|
| On-device sensor data | Raw 30 min · minute averages 48 hr · 15-min averages 90 days | Auto-compacted on device; never transmitted |
| Account data | Duration of account | Account deletion request |
| Stay history | Duration of account | Account deletion or manual per-stay deletion |
| Sensor readings (backend) | 12 months rolling | Auto-purge after 12 months; immediate on account deletion |
| Vehicle health snapshots | 12 months rolling | Auto-purge or on vehicle disconnection |
| OAuth tokens (Victron VRM) | Until revoked | User disconnects integration or deletes account |
| Community contributions | Indefinite (public) | User deletes own content; anonymized on account deletion |
| Crash / analytics logs | 90 days | Auto-purge |
| Database backups | 30 days rolling | Encrypted; purged on rotation |
| Convoy session data | In-memory only | Never persisted to database; lost when session ends |
| Convoy snapshots (relay) | In-memory only | Never persisted; lost on channel close |
How we protect it
Security is built into every layer — from device storage to API communication to infrastructure. No third-party analytics SDKs that phone home. No Facebook SDK. No Google Analytics.
Third-party data processors
Every third party that touches user data has a signed Data Processing Agreement (DPA). We have no data processors for advertising, profiling, or data enrichment — because we don't do any of those things.
Third-party data source APIs
To provide location intelligence features, RigSense calls the following public and commercial APIs on your behalf. These APIs receive only your GPS coordinates — no account identifiers, email addresses, or personal data are ever transmitted. All calls are proxied through our Cloudflare Worker; your device never contacts these services directly.
Account deletion pipeline
When you delete your account, everything goes. A 7-day grace period lets you cancel if you change your mind. After that, the pipeline is irreversible.
Contact us about privacy
If you have questions about this policy, want to exercise a data right not available in-app, or need to report a concern — reach out directly. We read every email.
support@rigsense.app · Typical response within 24–48 hours