This Privacy Policy explains how XYRA ("MRT Go", "we", "us", or "our") collects, uses, discloses, and protects your information when you use the MRT Go mobile application (the "App"), the MRT Go website, and any related services (collectively, the "Service").
We are committed to protecting your privacy and handling your data in an open and transparent manner in accordance with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).
If you do not agree with this Privacy Policy, please do not use the App.
1. Who we are
MRT Go is operated by XYRA from Singapore. Email: hello@mrtgo.sg.
MRT Go is an independent product and is not affiliated with, endorsed by, or operated by SMRT Corporation Ltd, SBS Transit Ltd, the Land Transport Authority (LTA), or any other government agency in Singapore.
For PDPA purposes, our Data Protection Officer (DPO) can be reached at dpo@mrtgo.sg.
2. Summary in plain English
- We collect location data to plan journeys and alert you about your stop. Background location is used only during an active journey that you start.
- We store saved places, recent trips, and commute preferences locally on your device unless a future account-sync feature is enabled.
- We collect limited diagnostics and website analytics to improve the Service.
- We do not sell your personal data to anyone.
- We do not use your data for advertising.
- You can request deletion of personal data that we hold at any time.
3. Information we collect
Information you provide directly: support correspondence and any information you choose to include when contacting us.
Information stored locally on your device: saved places, recent destinations, recent trips, commute preferences, and active journey alert state. This data is used to make the App work and is not sent to our backend in the current version of the App.
Information collected automatically: approximate and precise location when you use location-based features, device model and OS version, anonymous or pseudonymous device identifiers used for diagnostics, website analytics events, and crash or error diagnostics.
The current version of the App does not provide account creation. If we introduce account sync, cloud-synced saved places, or account deletion in a future version, we will update this Privacy Policy before collecting account email addresses or storing saved places in an account.
We do not collect your contacts, photos, microphone audio, calendar, SMS or call logs, advertising identifiers for tracking, or biometric data.
4. Background location detail
MRT Go requests background location access for one purpose only: Active Journey Tracking.
When you tap Start Journey on a planned route, the App begins tracking your location in the background so it can alert you before you reach your destination, even if your screen is off or the App is closed. On Android, a persistent notification is shown for the entire journey. On iOS, the system status bar indicator shows when location is in use.
Tracking stops when your journey alert session completes, when you end or reset the journey alert session in the App, or when location monitoring is no longer needed for the active journey.
Location data is used in real time to compute distance to your stop. MRT Go configures its location tracking so raw device location records are not persisted in the App database. Location data is never sold, never shared with advertisers, and never used to build a profile of your movements.
You can revoke background location permission at any time in your device settings without losing the rest of the App's functionality.
5. How we use your information
We use the information we collect to:
- Provide the Service: plan journeys, show nearby stations, remember local preferences, send stop and disruption alerts.
- Improve the Service: diagnose crashes, prioritise fixes, and measure website performance.
- Communicate with you: reply to support requests and send important service notices.
- Comply with legal obligations.
- Protect the Service from fraud, abuse, and security incidents.
Under GDPR (where applicable), our legal bases are: consent for location permissions and notifications where the operating system or law requires consent; contract for the core Service; legitimate interests for security, diagnostics, and product improvement; and legal obligation for compliance.
6. Third-party service providers
We use the following processors under contractual data protection terms:
- Supabase: backend database for public service alerts.
- PostHog: crash and error diagnostics when enabled in release builds (error details, stack traces, device and environment details).
- Apple and Google: App distribution and push notifications (device push token).
- Vercel: website hosting and analytics (page views, referrers, browser and device information, and approximate location derived from network data).
We do not use third-party advertising SDKs.
7. International data transfers
Some of our service providers are based outside Singapore. Where we transfer personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms under PDPA Section 26 and GDPR Chapter V.
8. Data retention
- Local saved places, recent trips, and commute preferences: stored on your device until you delete them in the App, clear App data, or uninstall the App.
- Active journey location: processed for the duration of the active journey alert session and not persisted by MRT Go as raw location history.
- Website analytics events: retained according to Vercel Analytics retention settings and deleted or aggregated when no longer needed for service improvement.
- Crash and error diagnostics: 90 days.
- Support correspondence: 2 years from last contact.
If a future version introduces accounts, we will provide an account deletion mechanism in the App and erase account personal data within 30 days after deletion, except where retention is required by law.
9. Your rights
Subject to applicable law, you have the right to access, correct, delete, and port your personal data; to withdraw consent; to object to processing based on legitimate interests; and to lodge a complaint with the Personal Data Protection Commission of Singapore (pdpc.gov.sg) or your local data protection authority.
To exercise these rights, email dpo@mrtgo.sg. We respond within 30 days. For data stored only on your device, you can delete it by using App controls, clearing App data, or uninstalling the App.
10. Security
We use HTTPS / TLS 1.2+ for data in transit, encryption at rest for backend storage, access controls limiting employee access on a need-to-know basis, and regular security reviews of our infrastructure. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.
11. Children's privacy
MRT Go is not directed at children under 13 (or the equivalent minimum age in your country). We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, contact privacy@mrtgo.sg and we will delete it.
12. Push notifications
If you opt in, we send stop alerts during active journeys, service disruption warnings, and rare important service announcements. You can disable notifications at any time in your device or App settings.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date, notify you in the App or on the website, and where required by law obtain your renewed consent. Continued use after changes take effect constitutes acceptance.
14. Contact us
For any privacy-related question, request, or complaint:
- Email: privacy@mrtgo.sg
- DPO: dpo@mrtgo.sg
MRT Go is independent and not affiliated with SMRT Corporation Ltd, SBS Transit Ltd, or the Land Transport Authority of Singapore.