# XCoord — Privacy Policy

_Effective: 2026-05-08_

XCoord (the "App") is a real-time location-sharing tool for small groups. This policy describes what the App collects and how that data is handled.

## What we collect

The App stores or transmits **only** the following data:

| Data | Where it lives | When it's collected |
| --- | --- | --- |
| Device-generated UUID (`deviceId`) | On your device + on our server | When you first launch the App |
| Display name you choose | On your device + on our server | When you set or change it |
| Your geographic position (lat/lng + accuracy/speed/heading) | **End-to-end encrypted** with the group invite code; on our server only as opaque ciphertext | When you are signed into a group |
| Group membership (which deviceIds belong to which groupId) | On our server | When you create or join a group |
| Group invite-code hash (SHA-256 with a domain prefix) | On our server | When you create or join a group |

We **do not** collect:

- Your real name, email address, phone number, or contacts.
- Device identifiers tied to your Apple ID / Google account (no IDFA / AAID is read by the App itself).
- Crash logs or analytics events. The App ships without any analytics SDK.

## End-to-end encryption of locations

When you create or join a group you supply a 10-character invite code. The App locally derives:

- A **server-visible identifier** = SHA-256(`"imhere.code:" + code`)
- A **per-group AES-256-GCM key** = SHA-256(`"imhere.aes:" + code`)

Only the identifier is sent to the server. Your latitude/longitude is encrypted with the key on your device before transit; the server stores and forwards the ciphertext to other group members but **cannot decrypt** it because the key never leaves devices that hold the invite code.

## Retention

- A group is created with a Time-To-Live of 1–15 days. When the TTL expires, the server automatically deletes the group, its membership table, and all position records.
- Leaving a group (or being removed by the creator) deletes your position record for that group from the server immediately.
- Uninstalling the App deletes all locally stored data, including the device UUID and the per-group invite code (your end-to-end key).

## Permissions

| Permission | Why |
| --- | --- |
| Location (when in use + always) | To share your position with the group. "Always" lets sharing continue when the App is in the background. |
| Notifications | (Android only) Required for the persistent foreground-service notification that keeps background location alive. |
| Camera | Used only to scan a group invite QR code. Triggered on demand at scan time. |

You can revoke any permission from the system Settings, or from the in-App Permissions screen.

## Third parties

- **Google AdMob** is used to show banner and rewarded ads. AdMob may collect data per its own policies; on iOS we serve non-personalized ads unless you opt in via the system "Ask App Not to Track" / ATT prompt. See .
- **OpenStreetMap** is used for map tiles. Tile requests carry a generic user-agent and your current viewport; OSM's tile usage policy applies.

We do not sell your data, share it with brokers, or use it for advertising beyond what AdMob does to display contextual or (with consent) personalized ads.

## Children

XCoord is not directed at children under 13. Do not use the App if you are under the age threshold for digital consent in your jurisdiction.

## Contact

For questions or to request data removal, contact: walterhsu110@gmail.com

## Changes to this policy

We may update this policy. Material changes will be reflected by an updated "Effective" date and (where possible) an in-App notice on next launch.
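The following is an added worked example, not the App's own code, of the derivation and encryption steps described under "End-to-end encryption of locations": it derives the server-visible identifier and the device-only AES-256-GCM key from an invite code using the two domain prefixes quoted there, seals a position under a fresh nonce, and shows that a wrong code or a tampered blob fails the GCM tag check. The message layout (nonce || ciphertext || tag), the JSON encoding of the position, the hex encoding of the identifier and the sample invite code are assumptions; the policy states only the hash inputs and the cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Domain-separation prefixes quoted from the policy: one code can never yield the same digest for both uses.
const idPrefix, keyPrefix = "imhere.code:", "imhere.aes:"
// Position is the plaintext the device encrypts (field set as listed in the policy; JSON layout is assumed).
type Position struct{ Lat, Lng, Accuracy, Speed, Heading float64 }
// GroupIdentifier is the only code-derived value that reaches the server (hex encoding assumed).
func GroupIdentifier(code string) string {
	sum := sha256.Sum256([]byte(idPrefix + code))
	return hex.EncodeToString(sum[:])
}
// GroupKey stays on the device; a plain hash means the key is only as strong as the code's entropy (no salt, no stretching).
func GroupKey(code string) []byte {
	sum := sha256.Sum256([]byte(keyPrefix + code))
	return sum[:]
}
// groupAEAD builds AES-256-GCM over the derived key; neither call can fail for a 32-byte key.
func groupAEAD(code string) cipher.AEAD {
	block, err := aes.NewCipher(GroupKey(code))
	if err != nil { panic(err) }
	gcm, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return gcm
}
// Seal returns nonce || ciphertext || tag, the opaque blob the server stores; a fresh random nonce per update keeps key reuse safe.
func Seal(code string, p Position) []byte {
	gcm := groupAEAD(code)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) } // never fall back to a fixed nonce
	plain, _ := json.Marshal(p) // only float fields, cannot fail
	return gcm.Seal(nonce, nonce, plain, nil)
}
// Open is what a member holding the code runs; a wrong code or tampered blob fails the tag check instead of yielding wrong coordinates.
func Open(code string, blob []byte) (p Position, err error) {
	gcm := groupAEAD(code)
	if len(blob) < gcm.NonceSize() { return p, errors.New("ciphertext too short") }
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil { return p, err }
	return p, json.Unmarshal(plain, &p)
}
```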