Legal

Privacy Policy

Effective Date: 2026-05-03 · Last Updated: 2026-05-03

This Privacy Policy describes how Shpots ("we", "us", or "our") collects, uses, and shares information when you use the Shpots mobile application ("the App").

TL;DR

• We don't sell your data. Ever.
• Your spots stay on your device unless you opt into cloud backup.
• Cloud backup encrypts data in transit and at rest.
• You can delete your account and wipe every byte we have stored, any time, from inside the App.
• We don't track you across other apps or websites.

1. Information we collect

1.1 Account information

When you sign in, we collect:

• A user identifier from your sign-in provider (Sign in with Apple or Google).
• Your email address (provided by the sign-in provider; you can choose to hide it via Sign in with Apple's private relay).
• A username you choose during onboarding.

1.2 Spot content (cloud backup users only)

If you enable cloud backup (a paid feature), we store on our servers:

• Spot metadata you create: title, latitude/longitude, address, notes, tags, "burnt level," elevation, timestamps.
• Photos and videos you attach to spots, plus generated thumbnails.
• Collection metadata: name, description, color, cover image.
• For collaborative collections: the membership list and the spots/media uploaded by you and other members.

If you do not enable cloud backup, all of this information stays on your device only. We never see it.

1.3 Subscription information

For users who subscribe to Shpots Plus, we store via our subscription provider (RevenueCat):

• Your purchase history (which plan, when purchased, when it renews).
• A pseudonymous user identifier linked to your Apple ID receipt.

We do not receive your full payment information. Apple processes your payment.

1.4 Device information

The App may send to our servers:

• A device-specific sync identifier so the App knows which device a change came from.
• Approximate technical info contained in standard HTTPS requests (IP address, app version, OS version) — used only for debugging and abuse prevention.

1.5 Information we do not collect

• We do not collect your contacts.
• We do not collect your precise location continuously. The App reads your location only when you actively use the "find me on the map" feature or when you choose to attach your current location to a new spot. Location data attached to a spot stays in your spot record (and on our servers only if you have cloud backup on).
• We do not embed advertising SDKs or analytics SDKs that profile your behavior across other apps.
• We do not use App Tracking Transparency (ATT) tracking. The App declares "Data Not Linked to You" and does not request the ATT permission.

2. How we use information

We use the information above to:

• Authenticate you and keep your account secure.
• Sync your spots, photos, and collections across your devices (cloud backup users only).
• Process subscription purchases and verify subscription status.
• Provide collaborative collections (showing other members the spots and media you contribute, when you join their collection).
• Generate temporary, time-limited share links when you choose to share a spot or collection.
• Diagnose bugs and prevent abuse (rate limiting, fraud detection).
• Comply with legal obligations.

3. How we share information

We do not sell, rent, or trade your personal information.

We share information only with:

• Service providers we use to operate the App. These providers process data on our behalf under contracts that limit their use of the data:
  • Supabase (database, authentication, real-time sync, edge functions).
  • Cloudflare R2 (storage of photos and videos for cloud backup users).
  • RevenueCat (subscription management).
  • Mapbox (map tile rendering — your map view requests and approximate location go through Mapbox).
  • MET Norway (weather and sun/moon data — when you view weather for a spot, the spot's coordinates are sent to MET Norway to fetch the forecast).
  • OpenStreetMap Nominatim (address geocoding — when you save a spot, its coordinates may be sent to fetch a human-readable address).
  • Apple and Google (sign-in providers).
• People you choose to share with. When you share a spot or collection via a link, the recipient (and anyone they forward the link to before it expires or is revoked) can see the content you shared. Live collaborative collections are visible to the members you invite.
• Legal requests. We may disclose information if required by law (subpoena, court order, lawful government request) or if we believe in good faith that disclosure is necessary to protect rights, safety, or to investigate fraud.
• Business transfers. If Shpots is acquired or merged, your information may transfer to the new owner. We will notify you of any such change.

4. Data retention

• Account data and cloud-backed content: retained as long as your account is active.
• Account deletion: when you delete your account from inside the App ("Nuke Account" in Settings), we hard-delete your account record, all cloud-backed spots, all media files, and your subscription record from our systems within 30 days. Some backups may persist for up to 90 days for disaster recovery, after which they are overwritten.
• Logs: technical request logs are retained for up to 30 days for debugging and abuse prevention, then deleted.
• Subscription records: Apple and RevenueCat retain purchase records per their own retention policies, which we cannot override (these are required for tax and audit purposes).
• Shared collection content after you leave: if you upload a spot or photo to a collaborative collection and then leave, the content stays in that collection (it now belongs to the collection). If you instead delete the spot before leaving, it is removed.

5. Your rights and choices

You can, at any time:

• See your data: every spot, photo, note, and tag you have saved is visible in the App.
• Delete a single spot, collection, or media file: in the App.
• Delete your account: Settings → "Nuke Account." This deletes your account and all cloud-backed data per Section 4.
• Manage your subscription: Settings → Manage Subscription, which opens the iOS Subscriptions screen.
• Disable cloud backup: Settings → toggle off. Your existing cloud data is deleted within 30 days.

If you are in a jurisdiction with statutory data rights (e.g. GDPR in the EU, CCPA in California), you also have the right to:

• Request a copy of the personal information we hold about you.
• Request correction of inaccurate data.
• Request deletion (covered by "Nuke Account" above).
• Object to or restrict certain processing.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@shpots.live. We will respond within 30 days.

6. Children

The App is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect information from children under those ages. If you are a parent or guardian and believe your child has created an account, contact support@shpots.live and we will delete the account.

7. Security

We protect your information with:

• HTTPS for all data in transit.
• Encryption at rest for cloud-stored content.
• Row-level security policies that prevent users from accessing each other's data.
• Short-lived signed URLs for media uploads and downloads (1-hour expiry).
• No persistent storage of plaintext credentials (all auth via Apple/Google OAuth).

No system is perfectly secure. If you believe your account has been compromised, contact support@shpots.live immediately.

8. International transfers

Your data may be processed in the United States and other countries where our service providers operate. By using the App you consent to this transfer.

9. Third-party sign-in

If you sign in with Apple or Google, those providers have their own privacy policies governing the data they collect:

• Apple: https://www.apple.com/legal/privacy/
• Google: https://policies.google.com/privacy

10. Changes to this policy

We may update this policy from time to time. The "Last Updated" date at the top reflects the most recent change. Material changes will be communicated via in-app notice or email at least 30 days before they take effect.

11. Contact

Questions about this policy or your data:

Shpots
support@shpots.live

This document is a template. The author is responsible for reviewing it with legal counsel for the relevant jurisdiction.