Walking Explorers, Inc. ("Walking Explorers," "we," "us," or "our") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It applies to walkingexplorers.com, the Walking Explorers beta web app, and any related services (collectively, the "Service").
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
Table of Contents
1. Information we collect
1.1 Information you provide
- Email address — collected when you join the waitlist, request a feature, or correspond with support. Email is not required to use most of the beta.
- Invite codes — single-use beta access codes you redeem to create a session.
- Photos — images you choose to upload from a walk (e.g., a noteworthy spot or a check-in photo). You decide when to capture and upload.
- Feedback and content — any text, feedback, or notes you submit through the Service.
1.2 Information we collect automatically
- GPS coordinates — collected only when you explicitly trigger a location capture (e.g., tap "use my location" or upload a photo with location attached). We do not run continuous background location tracking.
- Device and browser information — IP address, user-agent string, viewport size, and language settings, used for compatibility and security.
- Session cookie — a short, HMAC-signed cookie (`we_session`) issued after you redeem an invite code. It is HTTP-only and used only for authentication.
- Usage and event data — pages viewed, buttons clicked, errors encountered, captured via PostHog analytics in aggregate.
1.3 What we do not collect
- We do not collect government IDs, payment card numbers (until paid plans launch), social security numbers, biometric identifiers, or precise health data.
- We do not buy personal data from data brokers.
- We do not sell or rent personal information to third parties.
2. How we use information
We use the information we collect to:
- Operate, maintain, and improve the Service (route discovery, photo capture, walk history).
- Authenticate users via signed session cookies and rate-limit abusive traffic.
- Debug crashes and performance issues using device and event logs.
- Aggregate anonymous analytics to understand which neighborhoods and routes users find valuable.
- Communicate with you about beta updates, security notices, and (only if you opt in) product news.
- Enforce our Terms of Service and protect the rights, safety, and property of Walking Explorers and our users.
- Comply with legal obligations.
We do not resell or license your personal data to third parties for their own marketing.
3. Legal bases for processing (EEA / UK users)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following GDPR legal bases:
- Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, and improve features.
- Consent (Art. 6(1)(a)) — for optional analytics cookies and marketing emails. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
4. When and how we share information
We share personal information only in these limited cases:
- With service providers (see Section 5) who process data on our behalf under written contracts.
- For legal reasons — to comply with subpoenas, court orders, or other lawful requests; to enforce our Terms; or to protect the rights, safety, or property of Walking Explorers, our users, or the public.
- In a corporate transaction — if Walking Explorers is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will notify you and your data will remain subject to this Privacy Policy unless you agree otherwise.
- With your consent — for any other sharing not described in this Policy.
5. Third-party processors
We use the following sub-processors. Each is bound by a data processing agreement.
| Processor | Purpose | Data handled | Location |
|---|---|---|---|
| Vercel, Inc. | Web hosting, serverless functions | Request logs, IP, content served | USA |
| Upstash, Inc. | Key-value database (Vercel KV) | Session records, invite codes, walk metadata | USA |
| Vercel Blob | Photo storage | User-uploaded photos | USA |
| PostHog Inc. | Product analytics | Anonymized event data, IP (truncated) | USA / EU |
| Google LLC (Fonts) | Web fonts CDN — being migrated to self-hosted | IP, user-agent | Global |
6. Cookies and tracking
We use a small number of cookies and similar technologies:
- `we_session` — strictly necessary. HMAC-signed, HTTP-only cookie that authenticates beta users. Without it, the app cannot function.
- `we_admin` — strictly necessary. Issued only to administrators of Walking Explorers.
- PostHog analytics — first-party cookie used to measure feature usage. You can opt out via your browser's "Do Not Track" signal or by emailing us at the address below. We do not use third-party advertising cookies.
Most browsers let you refuse or delete cookies through settings. Disabling strictly-necessary cookies will break login and core app functionality.
7. Data retention
- Account data — retained indefinitely while your account is active.
- Photos and walk history — retained while your account is active. Deleted on request within 30 days.
- Session cookies — expire automatically after 30 days of inactivity.
- Server access logs — retained for up to 90 days for security and debugging.
- Backups — encrypted backups may persist for up to 35 days after deletion of live data, then permanently overwritten.
You can request deletion at any time by emailing privacy@walkingexplorers.com. We will complete deletion within 30 days, except where we are legally required to retain certain data.
8. Data security
We use reasonable technical and organizational measures designed to protect your information, including:
- HTTPS / TLS encryption for all traffic.
- HMAC-signed, HTTP-only session cookies.
- Rate limiting on authentication endpoints.
- Audit logs of administrative actions.
- Principle-of-least-privilege access for staff (currently a sole founder + reviewed contractors).
- Encrypted storage at rest with our hosting and KV providers.
No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and applicable regulators as required by law.
9. Your rights
9.1 EEA / UK rights (GDPR Articles 15-22)
If you are in the EEA, UK, or Switzerland you have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15).
- Rectification — request correction of inaccurate data (Art. 16).
- Erasure — request deletion of your data ("right to be forgotten") (Art. 17).
- Restriction — request that we limit how we process your data (Art. 18).
- Portability — receive your data in a structured, commonly used format (Art. 20).
- Object — object to processing based on legitimate interests (Art. 21).
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint — with your local data protection authority.
9.2 California rights (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell.
- Request deletion of personal information.
- Correct inaccurate personal information.
- Opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as those terms are defined.
- Limit use of sensitive personal information.
- Be free from discrimination for exercising these rights.
9.3 How to exercise your rights
Email privacy@walkingexplorers.com with the subject line "Privacy Request." We may need to verify your identity before fulfilling the request. We aim to respond within 30 days (45 days for CCPA requests with a possible 45-day extension as permitted by law).
10. Children
The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact privacy@walkingexplorers.com and we will delete it promptly. The Service is intended for users 13 and older; users between 13 and 18 must have permission from a parent or legal guardian.
11. International data transfers
Walking Explorers is incorporated in the State of Delaware, USA. Personal data is primarily processed on servers located in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or by email at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact us
For privacy questions, requests, or complaints:
- Email: privacy@walkingexplorers.com
- Mail: Walking Explorers, Inc. (Delaware, USA — mailing address provided on request)
This Privacy Policy is governed by the laws of the State of Delaware, USA, without regard to its conflict-of-law principles.