Privacy Policy
Effective July 7, 2026 · Version 2026-07-07
WhereWere is a peer-to-peer location-timestamping service. Location is the most sensitive data we handle, so this policy explains in plain terms exactly what we collect, who processes it, how long we keep it, and the rights you have. If anything here is unclear, contact us at privacy@wherewere.com.
1. Who we are
"WhereWere", "we", "us" is the operator of wherewere.com and the data controller for the personal data described below. For business/organization accounts, the organization is the controller of its members' work-related records and we act as its processor for those records.
2. What we collect
We collect only what the product needs to function:
- Account & identity. You sign in with Google — we do not create or store a password. From Google we receive your email address, display name, and profile photo. We also store your chosen theme, timezone, notification preferences, and (if applicable) organization role.
- Location data.When you tap "Clock Me Here", we store the GPS latitude and longitude your device reports (at full precision), a server-controlled timestamp, and an optional note or photo. To show a human-readable place name we send rounded coordinates (~111 m) to OpenStreetMap's geocoder. If you use the residency, compliance, custody-exchange, property-inspection, or geofence features, we also store the specific addresses/coordinates you provide (e.g. your home location) and related details you enter.
- Content & photos. Notes you write and photos you attach to a stamp (stored in encrypted object storage and served via short-lived signed links). Photos are re-encoded in your browser before upload, which removes embedded EXIF metadata.
- Your trusted circle & witnesses. The contacts you add, the witness confirmations exchanged between you and them, and the email addresses of people you invite who are not yet users.
- Billing. If you subscribe, Stripe processes your payment; we store a Stripe customer identifier and your subscription status. We never see or store your full card details.
- Device & technical. A push-notification token (if you enable push), and standard server/request logs. For organization audit trails we record the IP address of privileged administrative actions.
3. How we use it & our legal bases
- To provide the service — create, store, and display your tamper-evident location records and share them with the people you choose (performance of our contract with you).
- To notify your circle and deliver reminders you enable (contract / your consent).
- To process payments and prevent abuse and fraud (contract / legitimate interests).
- To keep the service secure and debug errors (legitimate interests).
- To retain evidentiary records that others rely on, and to meet legal obligations (legal obligation / legitimate interests — see §7 Legal hold).
We do not sell your personal data, we do not use it for advertising, and we do not run third-party ad or tracking cookies.
4. Cookies & similar technologies
We use a small number of first-party cookies and browser storage:
- Strictly necessary (authentication). Supabase session cookies (
sb-*) keep you signed in; a short-lived cookie carries your acceptance of these terms through the sign-up flow. The site cannot function without these, so they are set without a consent banner. - Functional. A
themecookie remembers light/dark mode. Your browser also stores small functional values locally (e.g. sidebar and onboarding state) that never leave your device. - Analytics. We use Vercel Web Analytics, which measures aggregate page views without cookies and without tracking you across sites.
We do not use advertising, marketing, or cross-site tracking cookies.
5. Who processes your data (sub-processors)
We share data only with the service providers needed to run WhereWere. Each is bound by contract to protect it and use it only on our instructions. These providers are primarily in the United States.
| Provider | What it processes |
|---|---|
| Supabase | Authentication, database, and photo storage (all app data) |
| Sign-in (your email, name, avatar) | |
| Firebase Cloud Messaging | Push notifications (device token + message text) |
| Stripe | Payments & subscriptions |
| Resend | Transactional email delivery |
| Upstash (Redis) | Rate-limiting & short-term caching (identifiers, not stamp content) |
| OpenStreetMap / Nominatim | Reverse-geocoding rounded (~111 m) coordinates to a place name |
| Vercel | Hosting, request logs, cookieless analytics |
| Sentry (optional) | Error diagnostics, with personal data (coordinates, emails, tokens) scrubbed before sending |
6. Sharing you choose to do
The point of WhereWere is to share proof with people you trust — so some sharing is driven by you: adding a witness reveals a stamp to that person; creating a share link (/s/…) lets anyone with the link view that one record until it expires or you revoke it; opting a stamp into the public nearby map shows an approximate (~111 m), time-limited location; and joining an organization lets its owners/admins see the work stamps you make for that organization. You control each of these, and share links are revocable.
7. Retention & legal hold
- Immutability. By design, a locked stamp or witness confirmation cannot be edited or deleted — it is a tamper-evident mutual record both parties rely on. You may archive your own un-witnessed stamps.
- Free-tier history. On the free plan, your stamp history is visible for 30 days; paid plans retain longer history.
- Account deletion & legal hold. You can delete your account at any time from Settings. If you have no witnessed records, we permanently delete your account and data. If you do have witnessed records — stamps someone else corroborated, or stamps of theirs you witnessed — those records have evidentiary value to the other party, so we place them under a legal hold: we delete your un-witnessed stamps and your contact details (your email, avatar, and push token are removed), permanently close and lock your account, but retain the witnessed records and the name attached to them so the record remains provable in a dispute or audit. This retention is necessary for the establishment, exercise, or defense of legal claims.
8. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. You can access and export much of your data in-app, and delete your account from Settings (subject to the legal hold in §7). To exercise any other right, email privacy@wherewere.com. You may also complain to your local data-protection authority.
9. Security
Data is encrypted in transit. Access is enforced at the database with row-level security so users can only reach their own records and the records shared with them. Each stamp carries a SHA-256 hash chained to your previous stamp, making tampering detectable. Photos are served through short-lived signed links. No system is perfectly secure, but we design access to fail closed.
10. International transfers & children
Our providers are primarily in the United States; using WhereWere involves transferring your data there under appropriate safeguards. WhereWere is not directed to children and is not intended for anyone under 16 (or the minimum age in your country). Do not create an account or stamp a location for a child without the necessary consent and legal right.
11. Changes
If we make material changes we will update the version and effective date above and, where appropriate, ask you to re-accept. Continued use after an update means you accept the revised policy.
Questions or requests: privacy@wherewere.com.