Privacy Policy for HereAbout

Who we are

HereAbout is an audio walking-tour app operated as a personal side project by Johanna Ott, based in the Netherlands. For the purposes of the EU General Data Protection Regulation (GDPR), Johanna Ott is the data controller.

Contact: support@hereabout.live

What this policy covers

This policy explains what personal data the HereAbout mobile app collects, why we collect it, how long we keep it, and what rights you have over it. It is written to be readable. If anything is unclear, email us and we will explain.

What the app does

HereAbout is a GPS-guided audio walking tour app. After signing up, you choose a city or tour, then explore on foot. Along the route and on each stop media in the form of e.g. audios and pictures are accessble to you.

If you're short on time, you can start exploring within a limited time window matched to your preferences. While walking, you can listen to background media; once you arrive at a stop, additional stop-specific media becomes available.

What we collect and why

Account data

When you create an account, we store your email address, a hashed password, and a display name you choose. This is handled by our backend provider, Supabase. We use this to let you sign in and keep your progress across devices.
Legal basis: contract (GDPR Art. 6(1)(b)). We cannot give you an account without it.

Location data

While a tour is active, the app reads your precise GPS position from your phone. The app uses it to detect when you reach a tour stop, so the right audio plays.

We do not store your GPS coordinates in our database. What we do store, in a table called user_location_visits, is the fact that you reached a specific stop on a specific tour at a specific time, and whether arrival was triggered automatically by GPS or marked manually by you. No latitude, no longitude, no movement trail.

When the app needs to calculate a walking route between stops, your origin and destination GPS coordinates are sent to Google Maps for that calculation. Google processes this under their own privacy practices (see "Who we share data with" below).
Legal basis: contract. The app does not work without it during a tour.

Tours you interact with

We store which tours you have access to (purchases, currently free during beta), ratings and written messages you submit about tours, and notes you make on tour stops (we store that you made a note and when, but not the note content itself, that stays on your device).
Legal basis: contract.

Wishlist

You can save cities to a wishlist for later. We store which cities you saved and when. Wishlist entries can also be created without an account, in which case there is no link to your identity.
Legal basis: contract (when signed in) or legitimate interest (when anonymous, Art. 6(1)(f)).

Feedback

If you submit feedback through the app, we store the message and link it to your account. Feedback can also be submitted anonymously, in which case it is not linked to anyone.
Legal basis: legitimate interest, improving the product.

Usage analytics

We record events such as which cities and tours you view, which stops you complete, which audio segments you finish, how you navigate the app, your tutorial views, UI interactions, profile changes, and session activity. These events are linked to your account, or saved without an account ID if you are not signed in. The specific tables we use are: events, user_audio_completions, user_city_views, user_listening_sessions, user_location_visits, user_navigation, user_notes (metadata only), user_profile_changes, user_sessions, user_tour_reorders, user_tour_views, user_tutorial_views, and user_ui_expansions.

We use this to understand how the app is used, find bugs, and improve the experience.
Legal basis: legitimate interest. You can object at any time by emailing us.

What we do NOT collect

• No camera, photos, microphone, contacts, calendar, or health data.
• No advertising identifiers.
• No tracking across other apps or websites.
• No third-party analytics SDKs. We do not use Mixpanel, Amplitude, Firebase, Sentry, PostHog, or similar services. All analytics go directly to our own database.
• No push notifications. The app does not send any.
• No payment data. During beta, all tours are free. When paid tours are introduced, this policy will be updated before that change goes live.

Who we share data with

We use the following service providers, who process data on our behalf:

Supabase

Backend hosting, authentication, database, and edge functions.

• Region: EU (Frankfurt, Germany, eu-central-1).
• Receives: account data, all data described above.
• Because Supabase processes data within the EU, no special transfer mechanism is required.

Google Maps Platform

Map tiles, map rendering, and walking-route calculations.

• Receives: approximate location for map tile rendering, and precise GPS origin/destination coordinates when calculating walking routes between tour stops.
• Google is a US-based provider. Data transfers to Google are governed by Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for transfer outside the EU.
• Google processes data under its own privacy practices: policies.google.com/privacy

Apple TestFlight (during beta only)

Used to distribute beta builds. Apple receives basic crash logs and install metrics under Apple's own privacy terms. Once the app is publicly released, Apple's role becomes that of an app store distributor.

We do not sell your data. We do not share it with advertisers. We do not share it with anyone else.

How long we keep data

We keep your data for as long as your account exists. When you delete your account (Profile → Delete Account in the app), all of your data is removed automatically across every table in our database. We have tested this end-to-end and verified it works.

GPS coordinates are never stored in our database. They exist only in your phone's memory during an active tour, plus briefly in transit to Google Maps for routing calculations. Once the tour ends or the app closes, they are gone.

Anonymous feedback or wishlist entries (submitted without an account) are not linked to any identity. Because we cannot tell which anonymous entry is yours, we cannot delete a specific one on request. These entries are retained as aggregate, non-personal data.

Your rights under GDPR

You have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Delete your account and all associated data. You can do this yourself at any time through Profile → Delete Account.
• Export your data in a machine-readable format. Email us and we will prepare this manually.
• Object to processing based on legitimate interest (analytics and feedback analysis). Email us and we will stop.
• Withdraw consent at any time where consent is the legal basis.
• Complain to a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

To exercise any of these rights, email support@hereabout.live. We will respond within 30 days.

Security

Passwords are stored hashed, not in plain text. Data is transmitted over encrypted connections (HTTPS). Access to our backend is restricted. That said, no online service is 100% secure. If you become aware of a security issue, please email us and we will take it seriously.

Children

HereAbout is not directed at children under 16. In the Netherlands, the legal age for valid consent to data processing under GDPR is 16. We do not knowingly collect data from children under 16. Apple's content rating for the app refers to content suitability and is separate from this consent age. If you believe a child has provided us data, email us and we will delete it.

Changes to this policy

If we change this policy, we will update the "Last updated" date at the top. If the changes are significant, for example adding a new category of data collection or a new third-party service, we will notify you within the app before the change takes effect.

Contact

Johanna Ott
Netherlands
support@hereabout.live

For privacy complaints you cannot resolve with us, you can also contact:

Autoriteit Persoonsgegevens
autoriteitpersoonsgegevens.nl