Privacy Policy

Effective April 18, 2026

This Privacy Policy describes how Stomped collects, uses, and protects your information when you use the Stomped mobile and web applications (the "Service"). We have written it in plain English.

In summary: we collect only what is needed to operate and improve the Service, we store it under your account, and we do not sell your data, share it with advertisers, or use third-party analytics or tracking services. We do keep first-party usage analytics — stored in our own database, never shared — to understand how the app is used. You can export or delete your information at any time.

1. Who we are

The Service is operated by Stomped ("we," "us," "our"). For questions about this policy, contact us at privacy@stomped.app.

2. Information we collect

We collect the following categories of information:

• Account information — your email address and password. Passwords are stored only as cryptographic hashes; we never have access to the plaintext.
• Display name — an optional name you can set. It is visible to your friends. You can change or remove it at any time.
• Location data — while the Service is in use, we capture your device's GPS coordinates to render the map, record the areas you have walked, and identify the neighborhoods and cities you have visited. You can revoke location access at any time through your device's system settings.
• Place information — the names, regions, and boundaries of neighborhoods and cities you have visited. These are retrieved on your behalf from Mapbox based on your current location.
• Friend connections — the friendships you have established through the app, which allow you and your friends to view each other's progress.
• Diagnostic reports — when the Service encounters an error or performance issue, we record a short report. Reports are scrubbed of personal information on your device before being transmitted.
• Usage and device information — to understand how the Service is used and to improve it, we record coarse product events (for example: opening the app, granting or declining a permission, setting your profile, adding a friend, saving a tile, or receiving a milestone notification) together with basic device details (make, model, operating-system version, and app version) and a random per-installation identifier. These events never include your location, the specific tiles or places you have saved, your display name, your friends' identities, or any other personal content.

We do not collect your phone number, date of birth, physical address, or any information unrelated to the operation of the Service.

3. How we share information

Your information is shared only with the service providers required to operate the Service:

• Supabase hosts the database and authentication layer and synchronizes your data across your devices. Supabase's infrastructure is located in the United States.
• Mapbox provides map rendering, reverse geocoding, and road matching. When the Service identifies your current neighborhood or city, your coordinates are sent to Mapbox.
• Apple facilitates universal-link resolution when a friend-invite link is opened on iOS.

We do not use advertising networks, attribution platforms, data brokers, or third-party analytics services. The usage analytics described above are first-party — collected and stored only in our own database (hosted by Supabase), used solely to operate and improve the Service, and never shared. We do not sell your personal information.

4. Information visible to other users

Stomped is not a social network. Information is shared between users only in the following ways:

• Your friends can see your display name, if you have set one, and the percentage of each neighborhood and city you have explored. They cannot see your walking routes, individual map tiles, email address, or the specific locations you have visited.
• Aggregated community statistics are available when you tap a map tile — for example, the total number of users who have unlocked it. Individual users are never identified.

5. Data retention

• Account data and exploration history are retained for the life of your account. You may delete them at any time.
• Place-name cache data is deleted twenty-nine days after it is retrieved from Mapbox, in accordance with Mapbox's terms.
• Diagnostic reports are deleted fourteen days after they are created.
• Usage-analytics events are deleted three hundred sixty-five days after they are created.
• Friend-invite links expire fourteen days after creation, or immediately upon use.

6. Your rights and controls

Within the app's Settings screen you can:

• Export your data as a JSON file.
• Reset your exploration history while keeping your account active.
• Delete your account. This permanently removes all associated data and cannot be reversed.

You may also revoke location access, disable milestone notifications, or disable passive tile capture at any time.

To request access, export, or deletion by email, contact privacy@stomped.app from the address associated with your account. We will respond within thirty days.

California residents

If you are a California resident, you have the right to know what personal information we collect about you, to request its deletion, and to be free from discrimination for exercising these rights. We do not sell personal information.

7. Security

All communication between your device and our servers is protected by HTTPS. Passwords are stored as salted hashes. Database access is restricted at the row level, so each user can only read and write data associated with their own account.

If a security incident affects your information, we will notify you by email and take reasonable steps to address it promptly.

8. Children

The Service is intended for users aged thirteen and older. If you are a parent or guardian and believe a child has created an account without your consent, please contact us at privacy@stomped.app and we will remove the account.

9. International users

Our servers are located in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

10. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date above, and for material changes we will provide notice within the app. Continued use of the Service after an update constitutes acceptance of the revised policy.

11. Contact

For questions about this policy or how we handle your information, contact us at privacy@stomped.app.