Privacy

You can use the builder without an account. Even then, your browser generates a random, pseudonymous visitor ID so we can count usage, and your trips are stored locally on your device. The categories below cover both anonymous visitors and account holders.

We do not knowingly collect special-category data (such as health or religion). Google acts as its own independent controller for the data it processes when you sign in with Google.

For EU and UK users, the list maps each use to a lawful basis under the GDPR / UK GDPR. For California users, these are also our business and commercial purposes under the CCPA / CPRA.

• Run the service (contract). Account management, saving trips, computing routes, geocoding searches, and processing payments through Stripe.
• Keep it secure and working (legitimate interests). Security and abuse prevention, rate limiting, debugging through logs, and first-party product analytics. We have weighed these interests against your rights.
• Analytics cookies (consent). Google Analytics and any other non-essential cookies rely on your consent where ePrivacy requires it (the EU and UK); you can withdraw it at any time. Any future marketing email will also rely on consent.
• Tax and financial records (legal obligation). Keeping billing records tied to your Stripe payments for as long as tax and accounting law requires.

We do not use your data for automated decision-making that produces legal or similarly significant effects (resolving your plan tier and enforcing usage caps is not such a decision).

One More Road does not use advertising cookies. The app mostly relies on your browser's storage (IndexedDB, localStorage, sessionStorage) rather than cookies, and sign-in tokens are held in memory by the auth library, not a persistent cookie. The exception is Google Analytics 4, which sets its own cookies on the production site.

If you are in the EU, UK, or Switzerland, Google Analytics stays off unless you turn it on; until then it sets no cookies and collects nothing. Everywhere else it is on by default. You can opt in, or change your choice at any time, from "Cookie preferences" in the Tools menu, and we honor Global Privacy Control (GPC) browser signals as a request to keep analytics off.

We share data only with the providers we need to run One More Road. We do not sell your personal data, and we do not share it with data brokers.

• Amazon Web Services (AWS), us-east-2. Cognito (auth), DynamoDB (main store), S3 (large route geometry), API Gateway and Lambda (backend), CloudWatch (logs). All account and trip data lives here.
• Stripe. Payments, subscriptions, and charges. Receives your email, a userId reference, subscription details, and charges/refunds.
• Google. Google Analytics 4 (production only) and Google Sign-In, if you choose "Continue with Google" (Google is a separate controller for the data it processes).
• Mapbox and MapTiler. Place search and map tiles; receive your search queries and the map area you are viewing.
• OpenRouteService (ORS). Fallback routing and geocoding; receives stop coordinates and search text when used.
• OpenStreetMap, OpenMapTiles, and Overpass. Open map data and tiles, plus ferry-route tracing (Overpass receives a ferry leg's start and end coordinates).
• Self-hosted (Valhalla, Photon, OSRM). Our primary routing and place-search engines run on our own infrastructure, so those coordinates and queries are not handed to a third party. A privacy positive.

Where a provider processes personal data on our behalf, we put data-processing terms in place with them.

California "sharing". We do not sell your personal information, and we do not use it for cross-context behavioral advertising. We honor Global Privacy Control (GPC) browser signals as an opt-out request.

Depending on where you live, you have the following rights. To use any of them, email support@onemoreroad.com. You can also edit your email, name, and username yourself on your account page. Before we act on an access, deletion, or portability request, we verify that you control the account.

If you are in the EU or UK:

• Access: ask for a copy of the personal data we hold about you.
• Rectification: correct inaccurate data (most fields are self-editable on your account page).
• Erasure: ask us to delete your account and data (see the note below).
• Restriction: ask us to pause processing while a dispute is resolved.
• Portability: ask for your account and trip data in a structured, machine-readable format (you can also export individual trips as GPX, KML, or GeoJSON in the app today).
• Object: object to processing based on our legitimate interests, such as first-party analytics.
• Withdraw consent: where we rely on consent, withdraw it at any time; doing so is as easy as giving it.
• Automated decisions: we do not make automated decisions with legal or similarly significant effects about you.

We respond within one month (extendable by up to two further months for complex requests). You may also complain to a supervisory authority: your local Data Protection Authority in the EU, or the Information Commissioner's Office (ICO) in the UK.

If you are in California:

• Know / access: request the categories and specific pieces of personal information we collect, their sources, our purposes, and the recipients.
• Delete: request deletion, subject to legal exceptions (such as completing a transaction or keeping tax records).
• Correct: correct inaccurate personal information.
• Opt out of sale / sharing: we do not sell your data; see the California sharing note above for the analytics opt-out and our handling of Global Privacy Control signals.
• Limit sensitive personal information: we minimize sensitive data and do not use it beyond permitted purposes.
• Non-discrimination: exercising any right will not change the service or price you get.

We respond to California requests within 45 days (extendable by another 45). You may also contact your state Attorney General.