Privacy Policy for WTFog
Last updated: January 26, 2026
📋 Summary
WTFog is an app that tracks your movements to create a "fog map" experience.
Here are the most important things you should know:
- We track your location: The app uses GPS to record where you walk, run, bike, etc. - even when the app is in the background. This is necessary to create your map and calculate distance, speed, and unlock areas.
- Social features: You can share trips, messages, and achievements with friends and groups. You choose how much should be visible.
- Leaderboards: You can appear on leaderboards, but this is optional and can be turned off in settings.
- Your rights: You can download all your data, edit your profile, or permanently delete your account at any time.
- Third parties: We use Mapbox (maps), RevenueCat (subscriptions), Expo (notifications), Firebase (analytics and crash reporting), and Google AdMob (ads). All are GDPR-compliant.
- Analytics: We use Firebase Analytics to understand how the app is used and Firebase Crashlytics to identify and fix bugs.
- Advertising: Users may see rewarded video ads (e.g., to double XP after trips). You can control ad personalization through iOS App Tracking Transparency or the privacy settings form.
- Payment: Subscriptions are handled by Apple/Google. We don't store payment information.
- Deletion: When you delete your account, all your data is permanently removed.
1. Who is responsible for your personal data?
2. What personal data do we collect?
2.1 Profile Information
When you create an account with us, we collect:
- Name
- Email address
- Profile picture (optional)
- Bio/description (up to 500 characters, optional)
- Hometown/city (optional)
- Country and city (for leaderboards, optional)
2.2 Login Information
You can log in using the following methods:
- Google OAuth: Email, name, and Google user ID
- Apple Sign-In: Email, name, and Apple user ID (iOS only)
- Email and password: Password is stored encrypted
Important about location data:
WTFog collects and stores precise GPS location continuously while tracking is active. This includes:
- Exact GPS coordinates (latitude and longitude)
- Altitude/elevation
- Speed and direction
- Timestamps for each point
- Complete GPS route for all trips
Background location tracking: The app tracks your location even when minimized or the screen is locked. This is necessary to record your entire trip. You can stop tracking at any time by ending the session.
2.3 Trip Data and Activity
For each trip we store:
- Activity type (walking, running, cycling, skiing, hiking, etc.)
- Start time and end time
- Duration (active time and pause time)
- Total distance
- Average speed and max speed
- Elevation gain (ascent and descent)
- Complete GPS route (all position points)
- Title and description of the trip
- Photos (up to 3 for free users, 10 for Premium)
- Public/private status
- Unlocked map area (square meters)
2.4 Photos and Media
You can upload:
- Photos from trips
- Profile pictures
- Group pictures
- Photos in chat
All photos are stored on our servers and may be visible to other users depending on your privacy settings.
2.5 Statistics
We automatically calculate and store:
- Total distance, number of trips, and duration
- Activity-specific statistics (running, cycling, walking, etc.)
- Unlocked map area (square meters)
- Personal records
- XP (experience points) and level
- Badges and achievements
2.6 Social Data
If you use social features, we store:
- Friends: Friend requests, friend list, mutual friends
- Groups: Group membership, role (member/admin/owner), RSVP status for events
- Messages: Chat messages (direct and group), reactions, read status
- Blocked users: List of users you have blocked
- Leaderboards: Rankings on leaderboards (if enabled)
- Duels: Challenges sent/received, results, history
2.7 Payment and Subscription Information
For Premium users:
- Subscription status (active, expired, cancelled)
- Subscription type and period
- RevenueCat customer ID (link between user and subscription)
Note: We do NOT store payment card information. All payment processing is handled through Apple App Store or Google Play Store.
2.8 Device and Technical Information
- Device type (iOS/Android)
- Device model
- Operating system version
- App version
- Push notification tokens (to send notifications)
- Network status (online/offline)
2.9 Usage Data
- Login times and feature usage
- Interaction with notifications
- Features used in the app
2.10 Analytics and Advertising Data
To improve the app and show relevant ads, we collect:
Firebase Analytics:
- User ID (anonymized)
- App events (e.g., trip started, feature used)
- Screen views and navigation patterns
- Device information (type, OS version, app version)
- Premium status
Firebase Crashlytics:
- Crash reports and stack traces
- Error context and severity
- Device information (type, OS version, app version)
- User ID (to identify affected users)
Google AdMob (Advertising):
- Advertising ID: IDFA on iOS, GAID on Android (used for personalized ads)
- Ad interactions (impressions, clicks, video completions)
- Device information
Your control over advertising:
- iOS: You will be asked for permission through App Tracking Transparency (ATT) before we can use your advertising ID for personalized ads
- EU/GDPR users: A consent form will ask your preference for ad personalization
- Opt-out: You can change your ad preferences in Settings → Privacy → Ad Preferences
- All users: Ads are optional - you choose when to watch them (e.g., to double XP bonus after trips)
3. Why do we collect this information?
| Purpose |
Data Type |
| Deliver the app's core functionality (fog map, trip tracking) |
GPS data, trip data, profile |
| Manage user accounts |
Email, username, password |
| Social features (friends, groups, chat) |
Friends, messages, group data |
| Gamification (XP, badges, leaderboards) |
Statistics, achievements |
| Send push notifications |
Push tokens, device info |
| Leaderboards (global, group, published routes) |
Statistics, username, location data |
| Real-time location sharing in groups |
GPS position |
| Premium subscription |
Subscription status, RevenueCat ID |
| Security and abuse handling |
Reports, warnings, bans |
| Improve the app and troubleshooting |
Usage data, technical info |
4. Who do we share data with?
4.1 Third-party Services (Data Processors)
Mapbox (Mapping)
- What is shared: GPS coordinates for map display, map tile requests
- Purpose: Display maps, offline map data, geocoding (place names)
- Privacy policy: mapbox.com/legal/privacy
RevenueCat (Subscription Management)
- What is shared: User ID, subscription status, purchase events
- Purpose: Manage Premium subscriptions across iOS and Android
- Payment processing: Apple App Store / Google Play Store (not RevenueCat directly)
- Privacy policy: revenuecat.com/privacy
Expo Push Notifications
- What is shared: Push tokens, user ID, notification content
- Purpose: Send notifications about messages, duels, achievements, etc.
- Privacy policy: expo.dev/privacy
Google Sign-In (OAuth Authentication)
- What is shared: Email, name, profile picture from your Google account
- Purpose: Login with Google account
- Privacy policy: policies.google.com/privacy
Apple Sign-In (iOS only)
- What is shared: Email and name from Apple ID (optional)
- Purpose: Login with Apple ID
- Privacy policy: apple.com/legal/privacy
Firebase Analytics (Google)
- What is shared: User ID (anonymized), app events, screen views, feature usage, device information
- Purpose: Understand how users use the app, identify popular features, improve user experience
- User control: Analytics are disabled in development mode; data is anonymized
- Privacy policy: firebase.google.com/support/privacy
Firebase Crashlytics (Google)
- What is shared: Crash reports, stack traces, error context, device information
- Purpose: Identify and fix bugs and crashes to improve app stability
- User control: Crash reporting is disabled in development mode
- Privacy policy: firebase.google.com/support/privacy
Google AdMob (Advertising)
- What is shared: Advertising ID (IDFA on iOS, GAID on Android), ad interactions, device information
- Purpose: Show optional rewarded video advertisements (e.g., to double XP bonus after trips)
- User control:
- iOS: App Tracking Transparency (ATT) permission required for personalized ads
- EU/GDPR: UMP consent form for ad personalization preference
- Opt-out available in Settings → Privacy → Ad Preferences
- Privacy policy: policies.google.com/privacy
4.2 Sharing with Other Users
Depending on your privacy settings, the following information may be visible to other users:
Publicly visible (all users):
- Username and profile picture
- Public trips (if you publish them)
- Leaderboard rankings (if you participate)
Visible to friends (if enabled):
- Statistics and achievements
- Recent activities
- Personal records
- Online status
Visible to group members (if enabled):
- Real-time location during trips (only if you enable location sharing)
- Group statistics and leaderboards
- Event participation (RSVP status)
You are in control: In the app under Settings → Privacy, you can control exactly what should be visible.
5. How do we protect your data?
Security Measures
- Encryption: All communication between the app and our servers is encrypted with HTTPS/TLS
- Password encryption: Passwords are stored encrypted
- OAuth2: Secure authentication with Google and Apple
- Row-Level Security (RLS): Database policies ensure users only have access to their own data
- Access control: API keys and tokens with limited access
- Content moderation: System for reporting and handling inappropriate content
Where is data stored?
- Database: EU (GDPR-compliant location)
- Locally on device: Last known position, settings, cache (encrypted)
6. How long do we retain data?
| Data Type |
Retention Period |
| Profile, trips, statistics |
Until you delete your account or the data manually |
| Messages |
Until you delete the message or account |
| Deleted messages |
Content is hidden, but structure is kept for chat history |
| Quarantined content (reported) |
30 days, then automatically deleted |
| Push notification tokens |
Deactivated after 90 days without use |
| Real-time location sharing (groups) |
30 minutes after the session ends |
| Session data (JWT tokens) |
Automatic expiry (Supabase standard) |
| Admin logs (moderation) |
Retained indefinitely for accountability |
Inactive accounts: We currently do not automatically delete inactive accounts. We may implement automatic deletion after 2-3 years of inactivity with advance notice to you.
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
7.1 Right of Access (Art. 15)
You have the right to know what personal data we have about you. In the app you can see:
- Profile information (under Settings → Profile)
- Trip history and statistics
- Message history
- Privacy settings
For a complete overview of all data we have about you, use the "Download my data" feature in the app (Settings → Privacy).
7.2 Right to Data Portability (Art. 20)
You can download all your data in a machine-readable format (JSON/CSV):
- Go to Settings → Privacy
- Tap "Download my data"
- Data includes: profile, trips, GPS points, messages, friends, statistics, achievements
7.3 Right to Rectification (Art. 16)
You can edit at any time:
- Profile information: Username, name, bio, profile picture, hometown (Settings → Profile)
- Trips: Edit title, description, or delete the entire trip
- Messages: Delete messages you have sent
7.4 Right to Erasure ("Right to be Forgotten", Art. 17)
You can permanently delete your account:
- Go to Settings → Privacy → Delete account
- Confirm deletion (two-step confirmation)
- What is deleted: ALL your data (profile, GPS data, trips, messages, friends, statistics, photos, subscription links)
- What is retained: Anonymized leaderboard entries, admin logs (for accountability with no link to you)
Note: Deletion is permanent and cannot be reversed!
7.5 Right to Restrict Processing (Art. 18)
You can restrict our use of your data by:
- Disabling location tracking
- Turning off real-time location sharing with groups
- Turning off participation in leaderboards
- Turning off notifications
- Setting your profile to private
7.6 Right to Object (Art. 21)
You can object to certain types of data processing:
- Marketing: Turn off in Settings → Notifications
- Leaderboards: Disable participation in Privacy settings
- Sharing with others: Control visibility in Privacy settings
7.7 Withdraw Consent (Art. 7(3))
You can withdraw consent at any time for:
- Push notifications (disable per category)
- Leaderboards (turn off in settings)
- Real-time location sharing (turn off for each group)
- Marketing emails
7.8 Right to Complain
If you believe we are not complying with privacy legislation, you have the right to complain to the supervisory authority:
8. Children and Privacy
WTFog is designed for users over 13 years old. We do not knowingly collect personal data from children under 13 years old.
If we discover that we have collected data from children under 13 years old without parental consent, we will delete this information immediately.
9. Changes to the Privacy Policy
We may update this privacy policy from time to time to reflect changes in:
- App functionality
- Legal requirements
- Our data processing practices
Notification of changes: For significant changes, we will notify you via:
- Email to your registered address
- Notification in the app
- Update of the "Last updated" date at the top of this document
We encourage you to review this policy regularly.
10. Cookies and Tracking Technologies
The WTFog app does not use cookies in the traditional sense (browser cookies), but uses the following local storage:
- Session storage: To keep you logged in (JWT tokens)
- Local cache: For faster loading of maps and data
- Settings: Your preferences and privacy choices
- Last position: For faster map initialization
All local storage is necessary for the app to function and is stored only on your device.
Analytics and Crash Reporting: WTFog uses Firebase Analytics to understand how users interact with the app and Firebase Crashlytics to identify and fix bugs. This data helps us improve the app experience. Analytics data is anonymized and aggregated. See section 2.10 and 4.1 for details.
Advertising: Users may optionally watch rewarded video advertisements through Google AdMob (e.g., to double XP bonus after trips). We comply with App Tracking Transparency (ATT) on iOS and GDPR consent requirements in the EU. You can manage your ad preferences in the app settings.
11. International Data Transfers
Your personal data is primarily stored in the EU.
Some of our data processors (Mapbox, RevenueCat, Expo) may process data outside the EU/EEA. In such cases, we ensure appropriate protection through:
- Standard Contractual Clauses (SCC) approved by the EU Commission
- Data Processing Agreements (DPA) with all third parties
- GDPR compliance from all vendors
12. Automated Decision-Making and Profiling
WTFog does not use automated decisions that have legal consequences for you or significantly affect you.
We use automated systems for:
- Calculation of statistics: Distance, speed, XP, level (based on trip data)
- Leaderboards: Automatic ranking based on achievements
- Content moderation: Automatic quarantine of reported content (can be appealed)
These systems do not affect your rights or access to the service.
13. Data Processors and Third Parties - Complete List
| Service |
Purpose |
Data Type |
Location |
| Database |
Authentication, storage |
All user data |
EU |
| Mapbox |
Maps and geocoding |
GPS coordinates |
USA (GDPR-compliant) |
| RevenueCat |
Subscription management |
User ID, subscription status |
USA (GDPR-compliant) |
| Expo |
Push notifications |
Push tokens, notification content |
USA |
| Google |
OAuth login |
Email, name |
Global (GDPR-compliant) |
| Apple |
OAuth login (iOS) |
Email, name |
Global (GDPR-compliant) |
| Apple App Store |
Payment processing (iOS) |
Purchase information |
Global |
| Google Play Store |
Payment processing (Android) |
Purchase information |
Global |
| Firebase Analytics |
Analytics |
User events, device info |
USA (GDPR-compliant) |
| Firebase Crashlytics |
Crash reporting |
Crash data, device info |
USA (GDPR-compliant) |
| Google AdMob |
Advertising |
Advertising ID, ad interactions |
USA (GDPR-compliant) |
14. Contact Us
If you have questions about this privacy policy, how we process your data, or wish to exercise your rights, you can contact us: