France Metro Guide

Your privacy, in plain language.

France Metro is a small, transit-focused app for Paris. We built it to help you get around — not to follow you around. Here's exactly what the app reads, where the data goes, and what stays on your device. No fine print.

No ads, ever
No accounts
No advertising IDs
No data sales
No cross-app tracking

Effective date 25 April 2026 Data controller Mokhtar Mokhtar Contact mokhtarsayed98@gmail.com

At a glance

Four answers, before the fine print.

Data sent off-device

Only when you ask for it

Your location and search terms — only when a feature needs them, only to IDFM via our proxy. Plus anonymous usage and crash pings to Firebase.

Personal data we store

None

No accounts, no profiles, no databases of users. Firebase keeps anonymous aggregates — never individual records about you.

Advertising / tracking

None

We don't request your IDFA, don't run ads, don't sell data, don't share with advertisers. Tracking is off in our iOS Privacy Manifest.

Linked to your identity

None

The app has no login. Firebase events use an anonymous install ID that resets when you uninstall — no name, email, or device ID we control.

How data moves

From your phone to a route, in three hops.

Step 1

Your phone

location · query

Step 2

Our Worker

+ secret key

Step 3

IDFM (Paris)

Your phone sends only the query. The Cloudflare Worker we operate adds the IDFM API key (which lives only on the Worker — never on your phone) and forwards the request. IDFM responds, the Worker passes it back, and your phone displays a route. Nothing is stored along the way.

Reads

What the app reads from your device.

Precise location with permission

When you tap "Use my location" or open a feature that needs your position (nearest station, routes from here, live departures near you), the app asks the operating system for your latitude and longitude. iOS and Android always ask for permission first; you can deny or revoke any time in your system settings. Coordinates are:

Sent to IDFM for the duration of that one request.
Forwarded through our Cloudflare Worker, which adds the API credential and forwards. The Worker does not log or store coordinates.
Not stored by the app on your device or on any server we operate.
Not linked to any identifier — no account, no device ID sent.

Search queries

When you search for a station, address, or place, the typed text is sent to IDFM's geocoding service to get matching results. The query is forwarded through the same Cloudflare Worker. Recent searches are saved only on your device — clearable any time from inside the app.

Saved places & favourites

Stations or addresses you save (Home, Work, custom favourites) are stored only on your device, in the operating system's secure storage (Keychain on iOS, Keystore on Android). They never leave your device.

App preferences

Theme (light/dark), language (EN/FR/AR), and similar settings are stored locally. They never leave your device.

Analytics & crashes

Why Firebase, and what's actually inside.

This section explains exactly what Google Firebase does inside the app. We've chosen the most conservative settings available and disabled every advertising-related feature — the in-code consent flags adStorage, adUserData, adPersonalizationSignals are all set to denied.

Why we use it

We're a small project. To improve France Metro we need to know two things: which features actually help people (so we focus on what matters) and when the app crashes (so we can find and fix bugs quickly). That's it. We're not building advertising profiles, behavioural models, or anything sold to third parties.

What Firebase Analytics collects

App eventsAggregated counts like "search opened" or "route planned". No content of your queries, no addresses, no destinations.

Session signalsWhen the app starts, how long it's open, the screen you're on. Helps us tell if a feature is broken or unused.

Approximate contextCountry (from IP, then IP discarded), device model, OS version, app version, language.

Anonymous Firebase Install IDA random identifier so Firebase counts "1 install" instead of doubling. Resets when you uninstall.

What Firebase Crashlytics collects

Crash stack tracesWhen the app actually crashes — so we can see which line of code failed and ship a fix.

Recent breadcrumbse.g. "user opened route planner" — context for the crash. Never personal content.

Device + OS versionCaptured at the moment of the crash so we can reproduce.

What we have turned off

Advertising IDIDFA / GAID never requested. On iOS we deliberately don't show an ATT prompt.

Ad personalisation signalsAll three Firebase consent flags (adStorage, adUserData, adPersonalizationSignals) set to denied at every launch.

User IDsWe never call setUserId. Nothing in Firebase events links to a person.

Custom user propertiesThat could re-identify you. None set.

Debug events in productionAnalytics are disabled in debug builds (kReleaseMode). Dev clicks don't pollute prod stats.

Where it goes

Firebase data is processed by Google on its servers (typically EU/US) and is subject to Google's Privacy Policy and Firebase data-handling terms. Google retains analytics data per its standard retention settings; we do not modify those defaults.

Not collected

What we deliberately don't do.

Advertising IDsNo IDFA, no Android Advertising ID. NSPrivacyTracking=false.

User accountsNo email, password, social login, or phone number.

Social-media SDKsNo Facebook, no Google Sign-In, no Twitter/X.

Third-party ad networksThe app contains zero ads.

Data salesWe don't sell, rent, or share user data with anyone for marketing.

Payment dataThe app is free, no payments processed.

Contacts, photos, mic, cameraApp never requests these permissions.

Search content in analyticsFirebase sees that "a search happened", not the address you typed.

Third parties

Where data flows through.

Île-de-France Mobilités (IDFM)

IDFM is the public-transport authority for the Paris region and the source of the live transit data the app shows you. When you use a feature that needs live data, your location coordinates and/or search query are sent to IDFM's PRIM and Instant System APIs. Their handling is governed by their privacy policy at iledefrance-mobilites.fr.

Google Firebase

We use Google Firebase Analytics and Crashlytics to receive the anonymous events and crash reports described above. Google acts as our data processor: we configure what's collected, Google stores and aggregates it. All advertising-related Firebase features are explicitly disabled by us. See Google's Privacy Policy and Firebase's data handling overview.

Cloudflare

Requests from the app to IDFM are forwarded through a Cloudflare Worker we operate (france-metro-idfm-proxy.mokhtarsayed72.workers.dev). Cloudflare's role is purely transport. The Worker we run does not log request bodies, coordinates, or search terms. See Cloudflare's privacy policy.

OpenStreetMap

If the app displays a map, tiles are loaded from OpenStreetMap or a community provider. Your IP is visible to that provider for the duration of the tile request (as with any web request). We send no account or device identifier. See OpenStreetMap's privacy policy.

Storage

How data is stored.

On your device: all preferences, search history, and saved places are stored locally. Sensitive items use Keychain (iOS) or Keystore (Android) — encrypted by the OS.
On our servers: nothing user-specific. We do not operate a database storing personal data. The Cloudflare Worker forwards requests in real time and does not retain them.
On Google's servers (Firebase): anonymous analytics events and crash reports as described in Analytics, retained per Google's standard Firebase retention.
Backups: on Android we set android:allowBackup="false" with strict dataExtractionRules — app data is excluded from cloud backup and device-to-device transfer unless you opt in.

Security

Defence in depth.

HTTPS only for every network request. Cleartext disabled (Android networkSecurityConfig, iOS App Transport Security).
Certificate pinning on IDFM and proxy hosts to detect MITM attacks.
Runtime self-protection (RASP) via FreeRAsp/Talsec — refuses to run on rooted/jailbroken devices, with a debugger or Frida hook attached, on emulators, on a tampered APK, or when installed from an unofficial store.
Code obfuscation (--obfuscate + --split-debug-info) and resource shrinking on release builds.
FLAG_SECURE on Android blocks screenshots and screen recordings; iOS performs equivalent snapshot redaction natively.
Secrets isolation: the IDFM API key for our PRIM rotation lives only on the Cloudflare Worker, never in the shipped APK/IPA.
Apple Privacy Manifest declares the app does not track users, lists every data type collected, and states each is not linked to identity.

Your rights

What you control.

Because we don't store personal data on our servers, most rights you'd have under data-protection laws are already exercised by default: there is no profile of you to access, correct, or delete on our side. You can also:

Access & portability: see and export your saved places and history from inside the app at any time.
Erasure: uninstall the app — all local data goes with it. Uninstalling also resets the anonymous Firebase Install ID, breaking any link between past anonymous events and future installs. Or use the in-app "Clear history" / "Remove saved place" controls.
Withdraw consent: revoke location permission in your OS settings — the app keeps working without live location features. We're working on an in-app toggle to also disable analytics and crash reporting; until that ships, uninstalling is the way to opt out completely.
Object / Restrict / Lodge a complaint: contact us, and where applicable, lodge a complaint with your local data-protection authority.

EEA (GDPR): the legal basis for processing your location and search query is your explicit consent (Art. 6(1)(a) GDPR), given when the app asks for permission. Anonymous analytics and crash data rely on legitimate interest (Art. 6(1)(f)) — improving the service and keeping it stable — with no advertising or profiling. Withdraw consent or object by emailing us or uninstalling the app.

California (CCPA/CPRA): we do not sell or share personal information. No "Do Not Sell" obligation because we don't sell. You retain your right to know, delete, and non-discrimination.

Children

Children's privacy.

France Metro is a general-audience transit app and is not directed at children under 13 (or under 16 where local law sets a higher age). We do not knowingly collect any data from children. If you believe a child has used the app and want to confirm what (if anything) is on their device, see "Erasure" above — uninstalling removes everything.

Changes

Changes to this policy.

If we add a feature that meaningfully changes what data the app reads or where it goes (e.g. user accounts, ads, expanded analytics), we will:

Update this page and bump the effective date at the top.
Mention the change in the app's release notes.
For material changes, ask for fresh consent inside the app where the law requires it.

Previous versions remain available on request via the contact email below.

Contact

Contact.

For privacy questions, requests under GDPR/CCPA, security reports, or anything else related to this policy, write to:

Mokhtar Mokhtar
mokhtarsayed98@gmail.com