Privacy Policy
For Backseat Geologist
Last Updated: 2026-06-23
About this Policy
This Privacy Policy explains how Backseat Geologist ("the App") handles information when you use it.
The App is provided by Blake Morgan, an individual sole trader at 2212 Oakawana Dr NE, Atlanta, GA 30345, USA ("we," "our," "us"). For privacy questions, write to support@backseatgeologist.com.
This Policy applies to users worldwide. Sections marked "EU/UK" set out additional rules and rights for users in the European Economic Area, the United Kingdom, and Switzerland under the GDPR, UK GDPR, the Swiss Federal Act on Data Protection, and the ePrivacy Directive.
The short version
- You don't create an account. We don't know who you are.
- Your routes, preferences, and downloaded audio live on your device — not on our servers.
- The App looks up the geology around you directly from a public scientific database — that lookup does not go through our server. To write the narration, the App then sends our server the name of the area you're in (town or county level) and the geological details, with nothing that identifies you.
- We keep a simple per-install usage counter — not your name or location — so we can enforce your subscription's monthly limits.
- We use Firebase Analytics to understand how the App is used. In the EU/UK we ask for your consent before turning it on.
- You can delete everything by uninstalling the App.
1. Information stored on your device
The following is stored locally on your device in platform-managed secure storage (iOS Data Protection on iOS; Android File-Based Encryption on Android). We do not see it, and it is deleted when you uninstall the App:
- Routes you create or download. Including the geological segments and audio files associated with them.
- App preferences. Your selected voice, audience setting (kids / family / enthusiast), analysis interval, language, and similar settings.
- Usage counters. The App tracks how much you've used certain features so it can enforce the limits of your subscription tier. These counters never leave your device.
- Subscription state. Held by Apple's StoreKit (on iOS) or Google Play Billing (on Android) on your behalf. Apple or Google — not we — sees your payment information.
- A widget snapshot. If you use the home-screen widget, the App caches your most recent location locally so the widget can show what's beneath you. This cache lives only on your device and updates roughly every five minutes when you have moved more than fifty meters.
- Firebase Installation ID — only if you have consented to Firebase Analytics (see §3). You can revoke consent in App Settings, which clears the identifier.
2. Information we send to our server
Our backend (api.backseatgeologist.com, hosted on Cloudflare's global Workers platform) receives requests from the App when you use features that need processing the App can't do offline.
2.1 To generate geological narration
When you ask the App to describe an area, it sends to our server:
- The geological unit identifiers for the area you are exploring or driving through
- A human-readable name for that area at town or county granularity (e.g., "near Boulder, Colorado") — never your precise coordinates or street address
- Your selected audience setting and language
- Your subscription tier (so the appropriate model and length limits are applied)
- Your client platform (iOS or Android)
Our server then forwards the prompt to Google's Gemini API. We use the paid Gemini API tier, which means your prompt is not used by Google to train its models.
2.2 To generate audio
When the App needs spoken audio, it sends our server the text to be spoken and your voice and speaking-rate selection. Our server forwards the request to Microsoft Azure, Google Cloud, or Cloudflare Workers AI depending on your selected voice. The audio comes back, gets cached on your device, and is played for you.
2.3 To browse the curated route gallery
The App fetches the catalog of available routes by route ID. No data about you is sent. Anonymous download counts are recorded so we can see which routes are popular.
2.4 When you plan a route (optional)
Route planning is an optional feature. Most exploration uses the App's "explore" mode, which works from your live location without sending your coordinates to our server. If you choose to plan a route, the App sends our server the precise start, end, and any waypoint coordinates for that route so it can be calculated. These coordinates are forwarded to Google's routing service, used to return the route, and are not retained on our server afterward or stored against any identifier.
2.5 A per-install identifier for quota enforcement
Every request to our server includes a per-install identifier (X-Install-Id) and your subscription tier (X-Tier). The identifier is a random value generated on your device — it is not your name, your Apple or Google account, or any hardware, advertising, or tracking ID. We use it for one purpose: to count how many times each feature has been used in the current month so we can enforce your subscription's limits.
The only thing stored against this identifier is an aggregate usage counter — "this install called this feature N times this month." It is never linked to your location, the areas you look up, the narration you receive, or any other content. Those records carry no identifier at all (see §7).
2.6 What we do not send
- No name, email, phone number, or other contact information (we don't ask for any).
- No hardware identifier, advertising ID, or cross-app tracking identifier. The only identifier we use is the random per-install value described in §2.5.
- No coordinates for the geology lookup — that request goes directly from your device to the public Macrostrat database and does not pass through our server. The optional route-planning feature (§2.4) is the only place precise coordinates reach our server.
- No payment information — Apple (iOS) or Google Play (Android) handles all billing.
3. Information collected by Firebase Analytics
The App uses Google's Firebase Analytics (which is built on Google Analytics 4) to understand how the App is used. We do not use Firebase Analytics for advertising, attribution, audience export, cross-device tracking, or to feed Google's other products.
3.1 Consent — EU/UK
If you are in the European Economic Area, the United Kingdom, or Switzerland, Firebase Analytics is not initialized when the App first launches. The App will ask whether you consent to its use. The lawful basis for this processing is your consent (GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3) for the local identifier).
You can change your choice at any time in App Settings → Privacy → Manage Analytics Consent. Withdrawal does not affect any processing that took place before withdrawal.
3.2 What Firebase Analytics collects
If you opt in (or if you are outside the EU/UK):
- Pseudonymous identifiers: a Firebase App Instance ID (created by Google's SDK on your device). On iOS, your Identifier for Vendors (IDFV) is also captured. On Android, the App Set ID (a vendor-scoped identifier) is captured. Neither identifier ties to your real-world identity.
- Standard events fired automatically by Google's SDK: first launch, app updates, OS updates, in-app purchases, screen views, and session start/end.
- Custom events we log: voice generation requests, route analyses, geology description requests, audio cache hits, exploration sessions, and subscription paywall views.
- Device and app context: app version, OS version, device model, language, and broad geographic region.
3.3 How Google handles this data
Per Google's documentation for Google Analytics 4:
- For users in the European Union, Google drops your IP address at the network edge before logging the event, then derives only your country.
- For users outside the European Union, Google may use the IP address for finer geolocation.
- We have set Firebase Analytics data retention to 14 months. Data is permanently deleted at the end of that window.
- We have disabled Google Signals (cross-device modeling) in EU/UK regions.
- We have disabled the use of our Firebase Analytics data to improve other Google products and services.
3.4 What Firebase does not collect
- iOS: we do not request App Tracking Transparency permission, and we do not collect Apple's IDFA (advertising identifier). Android: we do not declare the
AD_ID permission and we do not collect Google's Advertising ID. - We do not use Firebase Crashlytics, Performance Monitoring, In-App Messaging, Remote Config, Cloud Messaging, or Firebase Authentication.
4. Location data
4.1 Permissions
The App asks for foreground ("When in Use" on iOS / "While Using the App" on Android) location access for navigation and exploration. If you grant background location access ("Always" on iOS / "Allow all the time" on Android), the App can play geology narration while your phone is locked or showing a different app.
4.2 How location is used
- Your current coordinates are sent directly from your device to the public Macrostrat geological database (operated by the Wisconsin Geological and Natural History Survey at macrostrat.org) to identify the rock formations beneath you. This request does not pass through our server. Macrostrat does not require an account; only coordinates are sent.
- Your coordinates are turned into a town or county name (e.g., "Boulder, Colorado") by the platform geocoder (Apple's Core Location on iOS; Android's Geocoder on Android). This is handled by the operating system, which resolves the name using Apple's or Google's geocoding service — the coordinates do not go to our server. Only the resulting place name is included in the prompt sent to our server (see §2.1).
- When the App displays the geological map overlay, it requests map tiles from our tile server (tiles.backseatgeologist.com) by tile index. Tile indices identify the area of the map you are viewing at a coarse, neighborhood-or-larger granularity — not your precise location — and are used only to serve the correct map imagery.
- Routes you save are stored locally on your device. When you use the optional route-planning feature, the start, end, and waypoint coordinates are sent to our server to calculate the route, as described in §2.4; they are not retained afterward.
- The home-screen widget caches your most recent location locally; this cache lives only on your device.
4.3 Location is personal data
For users in the EU/UK, location data linked to a device is personal data under GDPR. We rely on the legal basis of contract performance (GDPR Art. 6(1)(b)) for the location processing strictly necessary to provide the features you ask for: generating narration and, where you use it, calculating a route. For narration, the granularity used in our server-side prompt is town or county — the minimum necessary to give the LLM enough context to write a good description. For route planning, the precise coordinates you provide are processed only to calculate that route and are not retained. The geology lookup itself uses your coordinates only on your device and in the direct request to Macrostrat; those coordinates do not reach our server.
5. How we use the information
- To run the App. Generate narration, deliver audio, identify formations, navigate routes.
- To enforce subscription limits. Counters on your device compare your usage to your tier.
- To improve the geological output. We retain the prompt sent to the LLM and the response it returned in our database for up to 24 months, with no user identifier attached, for quality monitoring and to publish aggregate metrics ("X geology descriptions delivered this year"). See §7.
- To monitor backend health. Our backend host (Cloudflare) keeps short-lived request logs for up to 7 days.
- To understand product usage via Firebase Analytics, where you have consented or are outside the EU/UK.
6. Companies that process information for us
The following companies process information on our behalf when you use the App. They act as our processors and are not permitted to use the data for their own purposes.
- Cloudflare, Inc. — hosts our backend (Cloudflare Workers, R2 object storage, D1 database, Workers AI). Cloudflare briefly processes your IP address at the network edge to route requests; it is not retained for our use beyond the 7-day Workers log window.
- Google LLC — provides Firebase Analytics (where applicable, see §3) and the Gemini large language model (paid tier; your prompts are not used to train Google's models). Google Cloud also provides text-to-speech for some voices and geographic services for elevation and routing lookups on our server.
- Microsoft Corporation — provides Azure Cognitive Services Speech (text-to-speech) for premium voices.
- Apple Inc. (iOS users) — provides StoreKit for in-app subscriptions and CoreLocation for on-device geocoding. Apple sees your purchase but we never receive your payment information or Apple ID.
- Google LLC — Google Play (Android users) — provides Google Play Billing for in-app subscriptions and the Android Location/Geocoder APIs. Google sees your purchase but we never receive your payment information or Google account details. (Google's separate role as our Firebase Analytics and Gemini provider is described above.)
- Macrostrat (Wisconsin Geological and Natural History Survey) — public scientific data service queried for geological formations. We send only coordinates; no identifier accompanies the request.
7. Quality monitoring of LLM prompts and responses
To improve the quality of the geology narration, we record each prompt sent to the language model and the response it returned in our backend database. Each record contains:
- The prompt text — which includes the town or county name reverse-geocoded from your location, your audience setting, and the geological context — but no identifier for you
- The response text
- Quality metrics calculated from the response (length, geological term density, audience appropriateness, content depth)
- The timestamp, audience setting, context (exploration / navigation / overlook), client platform, and subscription tier
No identifier in the record connects it to you, your device, or your installation. Records are not joined with backend request logs. We retain these records for up to 24 months and then permanently delete them.
EU/UK: The lawful basis for this processing is our legitimate interest (GDPR Art. 6(1)(f)) in maintaining and improving the quality of the App's geological output. We have weighed this interest against your privacy and consider it proportionate because: no user identifier is stored, the location granularity in the prompt is town- or county-level, and you can object as described in §10.
8. International data transfers
Our backend runs on Cloudflare's global edge network. The companies named in §6 are headquartered in the United States and may process data there.
For transfers from the EEA, UK, or Switzerland to the United States, we and our processors rely on the following safeguards:
- Google LLC — certified under the EU-US Data Privacy Framework, the UK Extension to the DPF, and the Swiss-US DPF.
- Microsoft Corporation — certified under the EU-US Data Privacy Framework and its UK and Swiss extensions.
- Apple Inc. — certified under the EU-US Data Privacy Framework.
- Cloudflare, Inc. — certified under the EU-US Data Privacy Framework. Where data does leave the EU, Cloudflare also offers Standard Contractual Clauses (Commission Decision 2021/914).
- Macrostrat — public scientific service hosted in the United States. Only coordinates are shared, with no associated identifier.
You can request more detail on any specific transfer by writing to support@backseatgeologist.com.
9. Data retention
- On your device — until you delete the route, clear the cache, reset the App, or uninstall.
- Prompts and responses on our server — up to 24 months, then permanently deleted (§7).
- Server request logs (Cloudflare) — 7 days.
- Curated gallery routes on our server — until removed by us.
- Anonymous gallery download counts — up to 24 months.
- Firebase Analytics events at Google — 14 months (the maximum we configure for the standard GA4 tier).
10. Your rights
10.1 Available to all users
- Delete any saved route or downloaded audio in the App.
- Reset all preferences from App Settings.
- Withdraw or grant Firebase Analytics consent at any time (EU/UK users see a prompt at first launch; users elsewhere can disable analytics in App Settings → Privacy).
- Uninstall the App to remove everything stored on your device.
- Email us at support@backseatgeologist.com with any privacy question or complaint.
10.2 Additional rights for users in the EU, UK, and Switzerland
Under the GDPR, UK GDPR, and the Swiss Federal Act on Data Protection, you have the rights to:
- Access the personal data we hold about you (GDPR Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21) — including the prompt-quality monitoring described in §7
- Withdraw consent at any time, where consent is the basis (Art. 7(3))
- Lodge a complaint with your supervisory authority (Art. 77). For EEA users, find your country's authority at edpb.europa.eu/about-edpb/about-edpb/members_en. For UK users, the Information Commissioner's Office is at ico.org.uk. For Swiss users, the FDPIC is at edoeb.admin.ch.
Because the App does not require an account, almost everything we process is linked to no identifier at all — your geology lookups, the narration sent to you, and the place names in our quality records (§7) cannot be traced back to you. The one identifier we can search on is the per-install value described in §2.5, but the only data held against it is an aggregate monthly usage counter for quota enforcement — no location, no content. These counters are automatically deleted after 14 months and stop being added to when you uninstall the App. If you would like us to delete them sooner, contact us and we will help locate the relevant records. We will respond within 30 days of receiving a verifiable request. If you believe a paid gallery purchase is associated with you, please include enough context (purchase date, Apple receipt or Google Play order ID) for us to investigate.
EU/UK representative (Article 27). Article 27 of the GDPR (and the UK GDPR) can require a controller established outside the EU/UK to appoint a local representative. That obligation does not apply where processing is occasional, does not involve large-scale processing of special categories of data, and is unlikely to result in a risk to people's rights and freedoms (Art. 27(2)(a)). We have assessed our processing against that test and consider the exemption to apply, because:
- We collect no account, name, contact details, hardware identifier, or advertising ID, and no special-category data.
- The core feature — exploring the geology beneath your live location — runs on your device and through a direct request to a public database; those coordinates never reach our server.
- The only precise coordinates that reach our server come from the optional route-planning feature, which most users do not use and which is used occasionally rather than continuously. Those coordinates are processed solely to calculate the route and are not retained.
- The only identifier we store is a per-install value linked solely to aggregate usage counts (§2.5), with no location or content attached.
We keep this assessment under review and will appoint an Article 27 representative if our processing changes such that the exemption no longer applies. If you are an EU/UK user with a concern about this, please contact us at support@backseatgeologist.com and we will respond directly.
To exercise any of these rights, email support@backseatgeologist.com.
11. Children
Backseat Geologist is intended for users aged 16 and older. We do not knowingly collect information from children under 16.
The App's "kids" audience setting tailors the content style of the narration for an adult listener who wants to share simpler descriptions with children riding along — it is not a mode for use by children themselves.
If you believe a child under 16 has used the App and provided information, please contact us so we can investigate.
12. Security
All network requests use TLS (HTTPS). On-device data is held in platform-managed secure storage protected by hardware-backed encryption when the device is locked (iOS Data Protection on iOS; Android File-Based Encryption on Android). Our backend on Cloudflare benefits from Cloudflare's standard security controls (DDoS protection, web application firewall, encrypted-at-rest storage). No system is perfectly secure, and we cannot guarantee absolute protection of any data we do retain.
13. Changes to this Policy
We will update this Policy when our practices change. Material changes will be highlighted in the App on first launch after the change takes effect, and the "Last Updated" date at the top will reflect when the change was made.
EU/UK: Material changes that depend on consent will require fresh consent before the new processing begins.
This App is built around a privacy-by-design principle: keep personal data on your device, where it belongs. Where data does leave your device, send the minimum necessary, link it to no one, and delete it when it is no longer needed.