Privacy Policy

At Where ("we", "us", or "our"), operated via the domain wrrr.app and the Where mobile application, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and mobile application (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

We collect both information you provide directly and information collected automatically when you use the Service.

Information you provide:

• Account information: email address and display name used to create and manage your account. We do not store your password — authentication is handled securely by our authentication provider (Supabase).
• Profile data: username, bio, and avatar that you choose to add to your public profile
• Places and guides you save, create, and share within the Service
• Photos you upload for places or your profile picture

Information collected automatically:

• Approximate (coarse) device location, used to show nearby places and provide location-based suggestions. We only access your location with your permission and do not track your location in the background.
• Usage data: features used, interactions, and product engagement metrics (collected via PostHog)
• Device and technical information: device type, operating system, app version, browser type, and IP address
• Crash reports and performance data (collected via Sentry) to diagnose and fix issues
• Push notification tokens, if you enable notifications, to deliver updates about activity on your account

Information from third-party sign-in:

• If you sign in with Apple, Google, or Facebook, we receive your name and email address as provided by that service. We do not receive or store your password from these providers.

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service to you (account management, place saving, sharing features).
• Consent: Where you have given explicit consent, such as enabling location access, push notifications, or optional analytics. You may withdraw consent at any time.
• Legitimate interest: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, provided these interests are not overridden by your rights.

We use the collected information to:

• Provide, operate, and maintain the Service
• Improve, personalize, and develop new features
• Send you updates, notifications, and service-related communications
• Detect, prevent, and address fraud, abuse, and technical issues
• Show nearby places and provide location-relevant suggestions

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We do not share your personal data with third parties for cross-context behavioral advertising. We only share data with the third-party service providers listed in Section 7, strictly to operate and improve the Service. We do not participate in data broker activities.

We use cookies and similar technologies to enhance your experience. We do not track you across other companies' apps or websites, and we do not use advertising identifiers.

• Essential Cookies: Required for authentication and basic functionality
• Analytics Cookies: Help us understand how you use Where (PostHog). You can opt out of analytics at any time in the app settings.

We use trusted third-party services to provide our platform. Each service processes data in accordance with their own privacy policies:

• Supabase: Database, authentication, and file storage infrastructure (processes account data, user content)
• Google Places API: Place data and search functionality via Google Places API (processes place search queries)
• Mapbox: Map rendering and display in the mobile app (may collect anonymous telemetry data)
• PostHog: Product analytics to understand feature usage (can be disabled by opting out in app settings)
• Sentry: Error tracking and crash reporting to improve app stability (collects crash data and device info)

Your data may be transferred to and processed in countries outside your country of residence, including the United States and countries within the European Union. Our service providers (Supabase, PostHog, Sentry, Mapbox, Google) may process data in various jurisdictions. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission or the service provider's compliance with recognized data protection frameworks.

We retain your personal data for as long as your account is active or as needed to provide the Service. You can delete your account directly from the app settings. Upon account deletion, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal obligations, dispute resolution, or enforcement of our agreements. Automatically collected data such as analytics and crash reports are retained for up to 12 months and then deleted or aggregated.

Under GDPR, CCPA, and similar data protection regulations, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — correct any inaccurate or incomplete data
• Right to erasure — request deletion of your personal data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to restrict processing — request that we limit how we use your data
• Right to opt out — disable analytics tracking in the app settings at any time
• Right to withdraw consent — withdraw any previously given consent without affecting prior processing

To exercise any of these rights, please contact us at team@wrrr.app. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.

We implement industry-standard security measures to protect your data, including encryption in transit (TLS/SSL) and at rest, secure authentication via Supabase (with support for multi-factor authentication), row-level security policies on our database, and secure token storage on mobile devices. While we strive to protect your personal data, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

Our Service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal data from a child below the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at team@wrrr.app.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and where appropriate, notifying you via email or in-app notification. We encourage you to review this page periodically.

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to file a complaint, please contact us:

Email: team@wrrr.app