⚠ WORKING DRAFT — NOT LAWYER-REVIEWED
Dated 2026-04-23. This document is a starting skeleton for legal review, not a binding contract. Placeholders marked [TODO: ...] must be completed before alpha public launch.
Privacy Policy
Effective date: 2026-04-23. Last updated: 2026-04-23.
Wayfindr is a web app for planning walks, runs, and rides in Great Britain. This policy explains what personal data we collect, why we process it, who we share it with, and what rights you have under the UK GDPR and the Data Protection Act 2018.
1. Data controller
The data controller is [TODO: entity name, registered address].
Privacy contact: [TODO: privacy@...].
2. Data we collect
Account data
Your email address and password, collected via Supabase email + password authentication, and basic account metadata (sign-up date, last sign-in).
Route data
Routes you plan and save: start, finish, waypoints, AI-generated route geometry, distance, estimated duration, and activity type (walk / run / cycle).
Audit data
For safety and quality improvement we log each route proposal: the conversational prompt you sent, the AI model used, the provider used, and timing metrics. Entries are stored in public.audit_log under row-level security.
Device and network data
IP address, user-agent, and basic usage analytics (via Vercel Web Analytics — aggregate, cookieless by default).
Location data
When you grant browser permission, we use coarse geolocation to centre the map or suggest nearby start points. In "nav" mode we use precise real-time GPS to track your position against the route. Live-session GPS is held in memory for the duration of the session and is not persisted server-side beyond what is needed to render the session to you.
3. Legal basis (UK GDPR)
- Contract performance — creating your account, authenticating you, saving the routes you ask us to save.
- Legitimate interests — maintaining an audit trail of AI proposals for safety investigation and model quality improvement; debugging errors; basic analytics.
- Consent — precise device geolocation (browser permission); marketing emails, if and when offered.
- Legal obligation — responding to lawful requests and investigating safety incidents.
4. Third-party processors
We share personal data with the following processors so they can deliver the Service on our behalf:
- Mapbox (US) — map tiles, Mapbox GL JS, Directions, Geocoding ([TODO: verify link] https://www.mapbox.com/legal/privacy).
- Google Places (New) (US) — geocoding of named places ([TODO: verify link] https://policies.google.com/privacy).
- Openrouteservice / HeiGIT (Germany, EU) — pedestrian and cyclist path routing ([TODO: verify link] https://openrouteservice.org/privacy-policy/).
- OpenRouter (US) — AI model request gateway ([TODO: verify link] https://openrouter.ai/privacy).
- Anthropic (via OpenRouter) — Claude Haiku 4.5 and Claude Sonnet 4.6 model inference ([TODO: verify link] https://www.anthropic.com/legal/privacy).
- Supabase (EU region) — account and saved-route storage with row-level security ([TODO: verify link] https://supabase.com/privacy).
- Vercel (US / EU edge) — hosting and Web Analytics ([TODO: verify link] https://vercel.com/legal/privacy-policy).
- Sentry (US) — application error monitoring ([TODO: verify link] https://sentry.io/privacy/).
5. International transfers
Some processors are outside the UK and EEA (primarily in the US). Where we transfer personal data internationally we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or an applicable adequacy decision. [TODO: confirm mechanism per processor].
6. Retention
Unless a longer period is required by law, we intend to retain data as follows. [TODO: decide per category.]
- Accounts — suggested 24 months of inactivity, then deletion or anonymisation.
- Saved routes — until you delete them or your account.
- Audit log (public.audit_log) — suggested 90 days.
- Analytics — suggested 13 months.
- Error monitoring (Sentry) — suggested 30–90 days, per Sentry retention settings.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict processing.
- Port your data to another service.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where we rely on consent.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email [TODO: contact email]. We will respond within one month.
8. Cookies
We use a first-party session cookie for Supabase authentication, and an analytics cookie from Vercel Web Analytics. We do not set third-party advertising cookies.
9. Children
Wayfindr is not directed at children under 16. We do not knowingly collect personal data from under-16s. If you believe a child has given us personal data, email [TODO: contact email] and we will delete it.
10. Changes to this policy
We may update this policy. Material changes will be announced in the Service or by email. The "Last updated" date at the top of this page always reflects the current version.
11. Effective date and last updated
Effective date: 2026-04-23.
Last updated: 2026-04-23.