Privacy Policy
The short version
- We store your email, username, handle, avatar, zipcode, and a one-way hash of your phone number.
- Check-in GPS points are stored (100m-verified). We don’t track you while you browse the map.
- Contact matching hashes your contacts on your device with a secret pepper. Raw phone numbers never leave your phone.
- Third parties: Supabase, Mapbox, Google Places. No ads. No analytics.
- You can delete your account from inside the app.
Data we collect
| What | Why | Where it’s stored |
|---|---|---|
| Email | Sign-in and account recovery | Supabase (encrypted at rest) |
| Username, handle, avatar, zipcode | Profile and contact-matching | Supabase |
| Hashed phone number | Contact-matching only — never used to contact you | Supabase (one-way hash with secret pepper) |
| Spots you add | Put places on the map for you and others | Supabase (data) + Supabase Storage (photos) |
| Visits | Log that you actually went there | Supabase — lat/lng at check-in, optional photo, optional caption, optional thumbs |
| Friendships | Show you friends’ visits and spots | Supabase |
| Hashed contact digests | Server-side matching — then discarded | Supabase (ephemeral; see below) |
Contact matching, in detail
When you choose to find friends from your contacts, SideQuestr reads your address book on your device only. For each phone number, we normalize it and compute a SHA-256 hash, mixed with a client-side pepper (a secret constant compiled into the app). Only those hashes are sent to our server.
The server then compares those hashes against the hashes of SideQuestr users’ phone numbers and returns a list of matched profile IDs. We never receive or store raw contact phone numbers. We never send SMS, email, or any other communication to people in your contacts.
The hashed digests you send during a contact sync are used for that match request and not retained long-term.
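The flow described above, as an added sketch that is not SideQuestr's own code: the device normalizes and hashes each contact, and the server only compares digests and returns profile IDs. The normalization rule, the pepper value, the way the pepper is concatenated with the number, and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Assumption: stands in for the secret constant compiled into the app.
PEPPER = b"constructed-demo-pepper"


def normalize_phone(raw, default_cc="1"):
    """Reduce an address-book entry to +<digits>, or None if it is unusable.
    Assumed rule: bare 10-digit numbers get the default country code."""
    digits = re.sub(r"\D", "", raw)
    if not raw.strip().startswith("+"):
        if len(digits) == 10:
            digits = default_cc + digits
        elif not (len(digits) == 11 and digits.startswith(default_cc)):
            return None
    return "+" + digits if 8 <= len(digits) <= 15 else None


def contact_digest(raw, pepper=PEPPER):
    """SHA-256 over pepper + normalized number (concatenation order assumed)."""
    number = normalize_phone(raw)
    if number is None:
        return None
    return hashlib.sha256(pepper + number.encode("ascii")).hexdigest()


def client_sync_payload(address_book):
    """What leaves the device: deduplicated digests, never raw numbers."""
    return sorted({d for d in map(contact_digest, address_book) if d})


def server_match(payload, user_digests):
    """user_digests maps a stored phone digest to a profile ID.
    The payload is only read for this request; nothing from it is stored."""
    return sorted({user_digests[d] for d in payload if d in user_digests})


# Constructed data: two registered users and one address book.
USERS = {
    contact_digest("+1 415 555 0132"): "profile-a",
    contact_digest("+44 20 7946 0958"): "profile-b",
}
ADDRESS_BOOK = ["(415) 555-0132", "1-415-555-0132", "555-0199", "+1 212 555 0147"]

if __name__ == "__main__":
    payload = client_sync_payload(ADDRESS_BOOK)
    print(len(payload), "digests sent, matched:", server_match(payload, USERS))
```

Two spellings of the same number collapse to one digest, and the entry too short to normalize is dropped before anything is sent.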
Location permission
SideQuestr uses your location in “When In Use” mode only — never in the background. Location powers two things: centering the map on you, and verifying that you’re within 100m of a spot when you check in. Only the lat/lng at the moment you confirm a check-in is stored. We don’t keep a trail of where you’ve been while the app was open.
Third parties
- Supabase — auth, database, file storage, and server-side functions.
- Mapbox — map tiles. Your IP address may reach Mapbox as part of normal tile requests.
- Google Places — used to fetch photos for some Google-sourced spots.
- Apple — Sign in with Apple and the App Store.
- Google — Sign in with Google (if you choose that option).
What we do not do
- No push notifications.
- No third-party analytics or ad SDKs.
- No advertising.
- No selling or renting of your data.
- No cross-site tracking.
Children
SideQuestr is for users aged 13 and over. If you believe a child under 13 has created an account, email us at sidequestr.support@gmail.com and we’ll remove it.
Your rights
You can access, export, or delete your data at any time.
- Delete account: In the app, go to Settings → Account → Delete Account.
- Export or access: Email sidequestr.support@gmail.com and we’ll help.
Retention
Your data lives in Supabase while your account is active. When you delete your account, your profile, spots, visits, photos, and hashed contact data are removed, aside from a brief tail in our provider’s backups that ages out on its normal schedule.
Changes
If we update this policy we’ll bump the date at the top of the page. Material changes will be called out in-app.
Questions about privacy?
Privacy questions, data requests, or anything else: sidequestr.support@gmail.com.
Replies usually within a day or two. For account deletion requests, please include the email on your account.