Privacy Policy
Application: Suslik (Android package ro.suslik.app)
Data controller: Alexe Trofim, Romania
Contact: alexetrofim@gmail.com
Website: https://suslik.ro
Effective date: 13 July 2026
This Privacy Policy explains how the Suslik mobile application ("Suslik", "the app", "we", "us") processes personal data. Suslik is a compliance-first tool for legally authorized metal detectorists in Romania. It shows national RAN/LMI archaeological protected "no-go" zones, LiDAR relief where available, and an optional Premium probability layer, so that authorized users can stay legal and avoid protected sites. The app does not locate treasure or artifacts and does not guarantee any find.
Rezumat in limba romana (Romanian summary)
Aceasta este politica de confidentialitate a aplicatiei Suslik. Textul complet de mai jos este in limba engleza; acest rezumat prezinta pe scurt punctele esentiale.
- Fara cont si fara autentificare. Aplicatia nu creeaza conturi de utilizator si nu va cere sa va inregistrati.
- Locatie precisa doar in timpul unei sesiuni active. Aplicatia foloseste locatia GPS precisa numai cand porniti dumneavoastra o „Sesiune activa" (serviciu in prim-plan), pentru alerte de proximitate fata de zonele protejate, inregistrarea optionala a traseului si plasarea de puncte. Nu exista urmarire in fundal.
- Verificarea legala. Functia de verificare legala trimite o coordonata (latitudine/longitudine) catre serverul nostru (
/api/legal-check), unde este inregistrata fara identitate si fara cont, pentru a va spune daca punctul se afla intr-o zona protejata. - Date locale. Punctele, traseele, descoperirile si notitele dumneavoastra sunt stocate local pe telefon si nu sunt transmise catre noi.
- Date tehnice. Ca la orice serviciu de internet, serverele noastre proceseaza temporar adresa IP a dispozitivului pentru livrarea si securitatea cererilor.
- Fara reclame, fara vanzarea datelor, fara SDK-uri de urmarire. Datele sunt gazduite in UE (Vercel, Neon - Frankfurt).
- Drepturile dumneavoastra (GDPR): ne puteti contacta la alexetrofim@gmail.com.
- Aplicatia este destinata adultilor (18+) si nu se adreseaza copiilor.
1. Who we are
The data controller for the purposes of the EU General Data Protection Regulation (GDPR) and Romanian data protection law is Alexe Trofim, based in Romania. You can reach us at alexetrofim@gmail.com regarding any question about this policy or your personal data. Given the limited scope of our processing, we are not required to appoint a Data Protection Officer, but you can direct any privacy question to the contact above.
2. Our approach to privacy
Suslik is designed to collect as little personal data as possible. Version 1 of the app has no user accounts and no login. We do not ask for your name, email address, phone number, or any profile information. We do not use advertising, we do not sell data, and we do not embed third-party tracking or analytics SDKs.
3. What data we process
3.1 Precise location - only during an active session
The app requests access to precise location (ACCESS_FINE_LOCATION). Precise location is used only while you have started a "Sesiune activa" (active session), which runs as a user-initiated Android foreground service. During an active session, precise location is used to:
- provide proximity alerts when you approach a protected archaeological zone;
- optionally record a GPS track, if you choose to enable track recording;
- let you place pinpoints/waypoints at your current position.
This location processing happens on your device. The app does not collect location in the background, and this session location is not transmitted to us (it is stored locally, as described in section 3.3). Location processing stops when you end the session. The ongoing foreground-service notification (which requires the POST_NOTIFICATIONS permission) makes it clear when a session is active. The only time a location leaves your device is when you deliberately use the legal-check feature described in section 3.2.
3.2 Coordinates sent to the legal-check service
When you use the "legal check" feature, the app sends a single geographic coordinate (latitude and longitude) to our backend endpoint /api/legal-check. The server evaluates whether that coordinate falls inside a protected zone and returns the result. The submitted coordinate is logged in our database. The legal-check database entry itself contains only the coordinate and a timestamp - it is not stored with your name, an account, or a device identifier, because the app has no accounts and sends no user identity in the request. (Separately, as with any internet request, our infrastructure briefly processes your device's IP address - see section 3.5.) We use these logs to operate, secure, debug, and improve the legal-check service. Because a precise coordinate is transmitted off your device, this counts as collection of location data, and it is disclosed as such in our Google Play Data safety declaration.
3.3 Data stored locally on your device
Your own waypoints, GPS tracks, finds, and notes are stored locally on your device (in an on-device Room database). This data is not transmitted to us and we have no access to it. If you uninstall the app or clear its data, this information is deleted from your device.
3.4 Map and reference data we serve to the app
The app reads reference map data from our backend API - including RAN/LMI protected zones, probability-layer cells, and pinpoints. This is public reference data served to all users and contains no personal information about you. Loading it involves standard network requests over HTTPS.
3.5 Technical data automatically processed by our servers
Like any internet service, when the app connects to our servers - whether to load map/reference data or to perform a legal check - our hosting and database providers automatically receive and process technical connection data, including your device's IP address, the request time, and basic request metadata (such as the type of request). This is a necessary part of delivering any internet request and is used only to route the response, keep the service secure, and prevent abuse. We do not use this technical data to build a profile of you or to track you across other apps or websites, and we do not deliberately store your IP address together with your legal-check coordinate in order to identify you. An IP address can be personal data under the GDPR; where our processors retain it in short-lived security and operational logs, it is kept only for a limited period and then deleted or rotated out.
4. Permissions we use and why
ACCESS_FINE_LOCATION- precise location, used only inside a user-initiated active session for proximity alerts, optional track recording, and placing pinpoints. No background location.FOREGROUND_SERVICE/FOREGROUND_SERVICE_LOCATION- to run the active session as a visible foreground service while you use it.POST_NOTIFICATIONS- to display the foreground-service notification for the active session.INTERNET- to load map/reference data and to perform the legal-check request.
5. Purposes and legal bases (GDPR Article 6)
- Providing the active-session features (proximity alerts, track recording, pinpoints): processing of precise location on your device is carried out at your request. Legal basis: your consent, expressed by starting a session and granting the location permission, and performance of a service you request (Art. 6(1)(a) and 6(1)(b)). Track recording is optional and only occurs if you enable it. This session location is not transmitted to us.
- Legal-check coordinate processing: to tell you whether a location is inside a protected zone and to operate and secure that service. Legal basis: performance of the service you request (Art. 6(1)(b)) and our legitimate interest in operating, securing, and improving the service (Art. 6(1)(f)).
- Technical connection data (e.g. IP address): to deliver network responses, keep the service secure, and prevent abuse. Legal basis: our legitimate interest in a secure, functioning service (Art. 6(1)(f)).
- Serving public reference map data: legitimate interest in providing the app's core functionality (Art. 6(1)(f)).
We do not process special categories of personal data and we do not carry out automated decision-making that produces legal or similarly significant effects on you.
6. Data retention
- Local data (waypoints, tracks, finds, notes): kept on your device until you delete it or uninstall the app. We never receive it, so we cannot retain or delete it for you.
- Legal-check coordinate logs: retained for no longer than 12 months, after which they are deleted or irreversibly aggregated. Because these entries contain no identity, they cannot be attributed to a specific person.
- Technical/security logs (including IP address): short-lived infrastructure logs kept by our processors for a limited period (typically up to 30 days) for security and reliability, then deleted or rotated out.
7. Service providers (processors)
We use the following infrastructure providers strictly as data processors to run the service. They act on our documented instructions and are not permitted to use the data for their own purposes:
- Vercel - hosting of the backend API and website (EU region).
- Neon - PostgreSQL database hosting, used to store the legal-check coordinate logs (Frankfurt, EU).
We have data processing agreements (GDPR Article 28) in place with these providers, and they may rely on their own vetted sub-processors to deliver their infrastructure. Because these providers act only as processors on our behalf, giving them data to run the service is not a "sale" or a "sharing" of your personal data. We do not share your data with advertisers, data brokers, or any other third parties, and we do not sell your data.
8. International transfers
Our application servers and database are hosted in the European Union (Frankfurt / EU regions), and the service is designed so that personal data is processed within the EU/EEA. Some of our processors (for example, Vercel and Neon) are organisations whose parent entities are located in the United States, and in limited situations (such as support or maintenance) data may be accessed from outside the EEA. Where that is the case, the transfer is covered by appropriate safeguards, in particular the European Commission's Standard Contractual Clauses, together with the technical measures described in this policy (EU-region hosting, HTTPS/TLS encryption, and data minimisation). All communication between the app and our servers is encrypted in transit.
9. No advertising, no sale of data, no tracking
Suslik contains no advertising, performs no sale or sharing of personal data for marketing, and includes no third-party analytics or tracking SDKs. We do not build advertising profiles and we do not track you across other apps or websites.
10. Children
Suslik is intended for adults (18 years and older) engaged in a lawful hobby/interest. It is not directed at children and we do not knowingly process personal data of anyone under 18. If you believe a minor has used the app, please contact us and we will address it.
11. Data security
All network communication between the app and our backend uses HTTPS/TLS encryption. Access to our backend infrastructure is restricted. Because the legal-check logs contain no identity and the app stores your personal waypoints and finds only on your own device, the amount of personal data exposed to any potential incident is minimised by design. No method of transmission or storage is completely secure, but we take reasonable measures appropriate to the limited data we handle. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours where required, and affected individuals without undue delay where the risk is high.
12. Your rights under the GDPR
Subject to the conditions of the GDPR, you have the right to:
- access the personal data we process about you;
- request rectification of inaccurate data;
- request erasure ("right to be forgotten");
- restrict or object to processing, including processing based on legitimate interests;
- data portability, where applicable;
- withdraw consent at any time (for example, by ending a session or revoking the location permission in your device settings), without affecting the lawfulness of processing before withdrawal.
Please note an important limitation: because the app has no accounts and the legal-check logs contain no identifier linking a coordinate to you, we are generally unable to identify which log entries, if any, relate to you. Under GDPR Article 11, where we cannot identify you we may be unable to act on access, rectification, or erasure requests concerning that data unless you provide additional information enabling identification. Your on-device data (waypoints, tracks, finds, notes) is always under your own control and can be deleted directly on your device.
13. How to exercise your rights
To exercise any of these rights, or to ask a question about this policy, contact us at alexetrofim@gmail.com. We will respond within the timeframes required by the GDPR (generally within one month).
14. Right to lodge a complaint
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with the Romanian supervisory authority, the National Supervisory Authority for Personal Data Processing (ANSPDCP, www.dataprotection.ro), or with the supervisory authority in your EU country of residence.
15. Changes to this policy
We may update this Privacy Policy from time to time. The current version is always published at https://suslik.ro/confidentialitate, with an updated effective date. Material changes will be reflected here.
16. Contact
Alexe Trofim
Email: alexetrofim@gmail.com
Website: https://suslik.ro
Romania
Effective date: 13 July 2026