I built Nearly after a commercial kids smartwatch degraded to cell tower accuracy and started mixing my kid’s location with other devices. The manufacturer couldn’t fix it, turned out to be a white-label device with a premium price tag.
As a developer with experience in background location tracking, I started with something simple - an Android service pushing location over MQTT to my Home Assistant server. It worked, but I kept wanting more: configurable schedules, smarter intervals, notifications. One feature at a time, it became a proper app with proper backend.
- Child mode shares location, Parent mode views it with history
- Configurable active tracking schedule per day
- Smart location rules - automatically pause or resume tracking by zone, with notifications
- SOS and low battery alerts from the child device
Privacy:
- No ads
- No third-party location services or tracking APIs
- Location data is never sold or shared
- Tracking is always visible on the child’s device - not designed for covert use
- Active tracking limited to hours and days that Parent configures
- Local network pairing - no remote account-based trust chains
Right now only available thru Google Play, there’s also a Premium tier that unlocks tracking more than one device, co-parent sharing, and faster update intervals.
I’d like to use something like this to keep track of my old parents. That’s another use case such apps can serve. It’s not just kids that need monitoring.
Not open source at the moment - it’s a solo project and opening it up isn’t on the roadmap right now. Happy to answer any specific questions about how it works under the hood though.
The matter or rather a concern here then becomes trust for the privacy and security of the app/service especially when it comes to sensitive info like location and live location at that.
How can you ensure us that everything is as bullet proof as it can be under the hood?
Fair concern. The app uses the same security practices I apply across my client projects professionally - encrypted transport, no location data stored beyond your configured history window, no third-party SDKs that phone home, no device fingerprinting, and pairing requires physical proximity on the same local network so there’s no remote attack surface for the pairing flow. I’m a solo dev so I can’t offer a third-party audit, but I’m happy to answer any specific questions about how a particular part works.
Android requires a persistent notification for any app running a background service - it cannot be dismissed. That’s an OS-level requirement, not something I enforce myself, so it can’t be bypassed by the app.
I would love to see E2EE here. What is not encrypted here?
Are you even technically able to view anyone’s location or location history?
I understand the predicaments as a solo dev, but I’d love to be able to download, install, and pay independently and not through Google. Please look into making this possible. I understand it may not be easy, but I also know it’s not extremely difficult either.
Are you sure the dependencies you rely upon do not have any vulnerabilities in the way you use them that makes it impossible for the app data to be breached in any way?
Again, my concerns here are for the privacy and security. I am no expert but using a closed sourced app for the use case is a hard pill to swallow if it’s not vetted by more than just you as the dev.
1 & 2. Transport is encrypted via HTTPS/TLS. Device pairing happens over the local network and is end-to-end encrypted. I have experience implementing high-grade data protection in other projects - but here the server fundamentally needs to know the location to do its job: nudging devices Android might have put into doze mode and evaluating geofence rules server-side. Full E2EE would break that. To be transparent - as the server operator I can query the database, so location data is visible to me at the infrastructure level. That’s a real architectural constraint, not a convenience trade-off.
3. Fair request - a direct APK download is something I can add. It’s not complicated, I just used the Play Store as it automatically selects .aab per users device architecture which also reduces install/update size.
4. I can’t guarantee zero vulnerabilities in dependencies - nobody can honestly. I use latest stable sdk/libraries and keep an eye if any gets reported.
5. Legitimate concern and I won’t argue against it. Closed source requires trust by definition. I can only be transparent about how it works when asked, which I’m happy to do.
Is that still the case? I thought there is a permission for this these days. I mean assuming you don’t use that might be a mitigation but people could disable the notification permissions right?
This is a cool project. Privacy-minded location sharing is a topic I see discussed somewhat often - there arent (yet) many strong options
How is location data made accessible when the tracked device is out of range for your HA LAN? Without a remote, centralized server, there must be a VPN tunnel directly to the HA server, right? Is that a separate service your users will need to configure?
Thanks - worth clarifying: Nearly has a proper backend so users don’t set up anything themselves. Devices discover each other on the same local network for pairing, but after that sharing and viewing works from anywhere.
Also regarding Home Assistant, I’m almost done with support to forward location to your own HA instance. That opens up the full automation side of things.
What can you tell us about your cloud server? Is data stored & processed with zero-knowledge? How do I know my data is private & secure?
How can I be sure that my data will remain private, against the possibility of a cyber breach, corporate buyout, or growing financial incentive to sell my data?
Is location data accessible to Nearly whatsoever? If the government issued a subpoena for location data on one of Nearly’s users, does Nearly have the capability to comply?
The server : a dedicated root server I rent and operate exclusively - no shared cloud platform, no other tenants, no platform-level access to the data.
Not zero-knowledge : I can query the database for the app’s functionality to work, but as I said earlier, I have no reason to and no business model that would ever create one.
A breach : I can’t promise it’s impossible, nobody honestly can.
Selling data : there’s no ad business, no analytics pipeline, and no intention to ever build one.
Nearly is a solo indie project with no investors and no company to buy out, I will never sell it, never run ads and never share data with third parties. Period.
On a subpoena - if one were legally enforceable in my jurisdiction, I’d have the technical capability to comply, the data exists on the server. I won’t claim otherwise. What I can say is there’s no proactive data sharing with any authority, and I’d exhaust every legal option before complying with anything questionable.
The subscription in Nearly exists purely to cover infrastructure costs for users who want more devices, more history, faster updates. That means hitting the server more. It’s not a data play, it’s a usage model.
For context - the apps most people already use for this have millions of users, run ads + charge subscriptions and on top of that sell the location data to third parties. People use them anyway. I’m not asking for blind trust, but the bar isn’t that high.
I dunno man. There are end to end encrypted alternatives (https://mygrid.app/ and https://paralino.com/) to what you offer. I don’t think anyone should be trusted with location data of family members so neither should you.
