Privacy Policy
How RelicRoute collects, uses, and protects your data.
Last updated: 17 May 2026
This Privacy Policy explains how RelicRoute collects, uses, and protects your personal data when you use our mobile application ("the App"), our website at relicroute.co.uk ("the Site"), and related services (together, "the Service"). We've tried to write it in plain English. If anything's unclear, get in touch.
1. Who we are
The data controller for your personal data is RelicRoute.co.uk ("we", "us", "our"), a sole trader based in Wales.
For any privacy-related questions or to exercise your rights, contact us at privacy@relicroute.co.uk.
2. What data we collect
2.1 Information you give us
| Data | Why we have it |
|---|---|
| Email address and password | To create and secure your account. |
| Display name or username | To identify you within the Service. |
| Profile details (optional, e.g. detector model, experience level) | To personalise your experience. |
| Find logs you create — photos, descriptions, dates, categories, notes | This is the core of the Service; we store it so you can keep and access your records. |
| Location data attached to finds and routes (GPS coordinates, place names) | To pin finds on maps and let you plan and review trips. |
| Support messages and feedback you send us | To respond and improve the Service. |
2.2 Information we collect automatically
| Data | Why we have it |
|---|---|
| Device information (device type, OS version, app version, language) | To deliver and troubleshoot the Service. |
| Approximate location (derived from IP address) | For security, fraud prevention, and basic analytics. |
| Precise location (only when you grant the App permission) | For mapping, route planning, and pinning find locations. You can revoke this in your device settings at any time. |
| Usage data (features used, screens viewed, session length, crash reports) | To understand how the Service is used and fix problems. |
| Cookies and similar technologies on the Site | See section 8. |
2.3 Information from third parties
If you sign in using a third-party login (such as Apple or Google), we receive limited profile information from them — typically your email address and name. If you subscribe through the Apple App Store or Google Play Store, those providers process your payment and share limited transaction information with us. We do not see or store your full payment card details.
2.4 A note on photo metadata (EXIF)
Photos you upload may contain embedded metadata, including the GPS coordinates where the photo was taken. We use this to help map your finds. If you'd rather we didn't store that metadata, you can strip it from photos before uploading using your device's photo settings or a third-party tool.
3. How we use your data
We use your personal data to:
- Provide, operate, and maintain the Service;
- Create and manage your account;
- Store, display, and let you search your finds, routes, and notes;
- Send service-related messages (account confirmations, security alerts, important updates);
- Provide customer support;
- Improve the Service through analytics and (where you've opted in) feedback;
- Detect, prevent, and address fraud, abuse, and security issues;
- Comply with our legal obligations;
- Where you've opted in: send you marketing emails about new features, tips, or updates. You can unsubscribe at any time using the link in any email.
4. Legal bases for processing
Under UK GDPR, we process your personal data on the following bases:
- Contract — to provide the Service you've signed up for (your account, your find logs, your routes).
- Legitimate interests — to keep the Service secure, prevent fraud and abuse, understand how it's used, and improve it. We balance these interests against your rights and only rely on this basis where it's appropriate.
- Consent — for things you specifically opt in to, such as marketing emails or non-essential cookies. You can withdraw consent at any time.
- Legal obligation — to comply with applicable laws, such as tax record-keeping or responding to lawful requests from authorities.
5. Sharing your data
We do not sell your personal data. We share it only in the following circumstances:
- Service providers ("processors") who help us run the Service under contract — for example, cloud hosting, email delivery, analytics, and crash reporting providers. They process data on our instructions and are bound by confidentiality and data protection obligations.
- Other users, but only for information you choose to share (for example, if you publish a find or route to a community feed). You control what you share.
- Authorities or third parties where we're legally required to disclose data, or where it's necessary to protect our rights, your safety, or the safety of others.
- A buyer or successor if our business is sold or merged; in that case we'll let you know in advance.
Our main service providers currently include Amazon Web Services (Lambda, API Gateway, S3, CloudFront CDN, Cognito, CDK), Google Play Store — Android app distribution, Expo / EAS (React Native), RevenueCat — (billing management), DataMapWales, Historic England, Natural England, British Geological Survey (BGS), Portable Antiquities Scheme, National Library of Scotland, OpenStreetMap (Overpass API). We'll keep this list up to date as the Service evolves.
6. Your find locations — and what stays private
We know how much your detecting permissions and productive sites matter to you. By default, your find logs and saved sites are private to your account. We will never publish your precise find locations without your active choice to share them, and we will not sell or share them with advertisers or marketers.
If we add community or sharing features in future, you'll be in control of what's shared, with whom, and at what level of detail (for example, the option to obscure exact coordinates).
7. International transfers
Some of our service providers are based outside the UK, including in the European Economic Area and the United States. Where we transfer your data outside the UK, we rely on appropriate safeguards — typically UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses — to ensure your data is protected to UK standards.
8. Cookies and similar technologies
Our Site uses a small number of cookies and similar technologies:
- Strictly necessary cookies — needed for the Site to function (for example, remembering your preferences or keeping you signed in).
- Analytics cookies — to understand how visitors use the Site so we can improve it. These are only set with your consent.
You can manage your cookie preferences using the banner shown when you first visit the Site, or by adjusting your browser settings. The App itself doesn't use browser cookies, but does use equivalent device identifiers for similar purposes.
9. How long we keep your data
- Account and content data — kept while your account is active. If you close your account, we delete or anonymise it within 30 days, except where we're required to keep certain records for longer (for example, transaction records for tax purposes, typically 6 years).
- Support correspondence — kept for up to 2 years after the issue is resolved.
- Analytics and logs — kept in identifiable form for up to 14 months, then aggregated or deleted.
- Backups — may persist for a short period after deletion before being overwritten in the normal course of our backup cycle.
10. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("the right to be forgotten") in certain circumstances;
- Restrict how we process your data in certain circumstances;
- Object to processing based on legitimate interests, and to direct marketing at any time;
- Data portability — receive a copy of the data you've given us in a structured, commonly used format;
- Withdraw consent at any time for any processing based on consent.
To exercise any of these rights, email privacy@relicroute.co.uk. We'll respond within one month. There's no charge in most cases.
If you're not happy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk — but we'd appreciate the chance to put things right first.
11. Security
We take security seriously and use industry-standard measures to protect your data, including encryption in transit (HTTPS/TLS), encrypted storage, access controls, and regular review of our systems. No system is perfectly secure, but we work to minimise risk and will notify you and the ICO if a personal data breach occurs that's likely to affect your rights.
12. Children
The Service isn't intended for children under 16. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we'll delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we'll let you know — for example, by posting a notice on the Site or in the App, or by emailing you. The "last updated" date at the top tells you when the current version took effect.
14. Contact
If you have questions about this Privacy Policy or how we handle your data, email privacy@relicroute.co.uk.
Questions? Email privacy@relicroute.co.uk.