Privacy Policy
VeraMap is a family location-sharing app built on end-to-end encryption. Your phone encrypts your location before it leaves your device. We never receive your coordinates in a form we can read — and we never will, because the encryption keys live only on the phones in your loop.
We do hold a small amount of plaintext data we need to make the service work: your account email, hashed password, the names of your loops, who's in them, your phone's battery percentage (so we can warn your loop before you go dark), and ordinary technical logs. That's it. The full list is below.
We do not sell, rent, or trade your personal information. We do not run an ad business. We do not have a side business in location data. Our only revenue is the subscription fee for VeraMap Plus. That alignment is the whole product.
Who we are
VeraMap is a product of Streamline Web Studios LLC ("Streamline," "VeraMap," "we," "us," or "our"). Streamline is the controller of personal data described in this policy. References to "the service" mean the VeraMap mobile applications (iOS and Android), the VeraMap website at veramap.app, our APIs, and any related software or services we provide.
If you have questions about this policy or how your information is handled, see the Contact us section.
What we collect (and what we cannot)
VeraMap is built so that the most sensitive data — your real-time location and your saved places — never reaches us in a readable form. The list below describes everything we receive, store, and process.
What we cannot see
Location coordinates, location history, the addresses and coordinates of saved places, and any messages attached to those places are encrypted on your device using XSalsa20-Poly1305 (the same primitive used by Signal). The encryption keys are generated on, and never leave, the phones in your loop. Our servers receive and store an opaque ciphertext blob that we cannot decrypt under any circumstances — including a government request.
Account information you provide
- Email address. Used to sign in, send security alerts, and recover access.
- Password. Stored only as a salted hash (bcrypt). We cannot read your password.
- Display name and (optional) avatar image. Visible to other members of your loops.
- Public encryption keys. Your device's public Curve25519 key, used by other members to wrap loop keys for you. The corresponding private key never leaves your device's secure enclave.
Loop and membership metadata (plaintext)
- The names you give your loops (e.g., "Family," "Carpool").
- Loop membership: which accounts belong to which loops, and each member's role.
- Invitation tokens and their expiry, until they are accepted, declined, or revoked.
Operational signals (plaintext, by design)
A small set of fields is intentionally kept in plaintext because the service needs to act on them in real time:
| Field | Why it's plaintext |
|---|---|
| Battery percentage | So we can fire a low-battery alert to your loop before your phone goes dark. |
| "Critical battery" flag | So a final beacon at 5%/2%/1% can reach your loop even if the encrypted update doesn't. |
| Last-seen timestamp | So we can mark a member offline and notify their loop after a sustained gap. |
| Push notification token | To deliver push notifications via Apple (APNs) and Google (FCM). |
| Geofence event signature (Ed25519) | So arrival/departure alerts are tamper-evident; the geofence label remains encrypted. |
Device and technical information
- Device model, OS version, and app version (for compatibility and bug triage).
- IP address (used transiently for connection routing and abuse prevention; not used to derive your location).
- Crash reports and diagnostic logs you choose to share.
Subscription and billing
VeraMap Plus is sold through Apple's App Store and Google Play. Your payment details (card number, billing address) are handled by Apple or Google and are never sent to us. We receive only a subscription receipt and entitlement status (active, lapsed, refunded).
What we never collect
- Your contacts list.
- Your photos, microphone, or camera (unless you explicitly upload an avatar).
- Your browsing or app-usage history.
- Advertising identifiers (IDFA / AAID) — we do not run ads and we do not allow third-party ad SDKs.
How we use information
We use the information described above only to:
- Provide the service — authenticate your account, route encrypted location to your loops, deliver push notifications.
- Operate fairly — prevent abuse, enforce our Terms of Service, and protect users.
- Communicate with you — send security alerts, transactional notices, and (with consent) product updates.
- Improve the service — fix bugs from diagnostic data and study aggregate, non-identifying usage.
- Comply with the law where we are legally required to do so.
We do not use your information for advertising, profiling for targeted ads, or sale to third parties. We do not train AI models on your personal information.
Legal bases (UK & EU)
If you are in the United Kingdom, the European Economic Area, or Switzerland, our legal bases are:
- Performance of a contract — to deliver the service you signed up for (account, loops, encrypted location relay, push notifications, billing).
- Legitimate interests — to keep the service secure, prevent abuse, fix bugs, and communicate transactional information about your account.
- Consent — for optional product newsletters and any feature that asks you to opt in. You can withdraw consent at any time.
- Legal obligation — to comply with valid legal process and applicable law.
Service providers (sub-processors)
We rely on a small set of vendors to operate the service. Each is bound by contractual data-protection terms.
| Provider | Purpose | Region |
|---|---|---|
| Google Cloud Platform | Application hosting (Cloud Run), database (Cloud SQL), cache (Memorystore) | United States |
| Cloudflare, Inc. | Domain registration, DNS, edge networking | Global |
| Mapbox, Inc. | Map tiles and rendering (no personal data is sent to Mapbox beyond standard tile requests) | United States |
| Apple Inc. (APNs) and Google LLC (FCM) | Delivering push notifications to your device | Global |
| Apple App Store and Google Play | Subscription billing and entitlement management | Global |
| Email delivery provider | Transactional email (account verification, security alerts) | United States / EU |
We update this list when sub-processors change. If you'd like the current operational list, contact us at the address in the Contact us section.
International transfers
Streamline Web Studios LLC is based in the United States, and our primary infrastructure is hosted in the United States. If you use VeraMap from outside the United States, your information will be transferred to and processed in the United States and other countries where our service providers operate.
For transfers from the United Kingdom, the EEA, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) with our sub-processors. Where a recipient is certified under the EU–US Data Privacy Framework, the UK Extension, or the Swiss–US Data Privacy Framework, we may also rely on those mechanisms. You can request a copy of the relevant transfer mechanism by emailing us.
Retention
We keep information only as long as we need it for the purposes set out in this policy.
- Account data — for as long as your account is active. When you delete your account, we delete your account record, encryption keys, loop memberships, and ciphertext blobs within 30 days, except where we are legally required to retain a record longer.
- Encrypted location updates — retained while the loop is active, then rotated according to our infrastructure schedule. Because we cannot read this data, retention does not expose you in any meaningful sense.
- Diagnostic logs — typically 30 days, longer where needed to investigate an incident.
- Billing records — kept as long as required by tax and accounting law (typically 7 years in the United States).
Security
Security is the architecture of this product, not a feature bolted on. We use end-to-end encryption (NaCl / TweetNaCl: Curve25519 + XSalsa20-Poly1305), TLS for all network traffic, encryption-at-rest for our databases, hardware-isolated key storage on devices, signed geofence events, and standard production controls (least-privilege access, dependency scanning, audit logging).
No system is ever perfectly secure. If we ever experience a breach affecting your personal information, we'll notify you and the relevant regulators within the timeframes required by law (including 72 hours under the GDPR where the breach is likely to result in a risk to your rights and freedoms). If you believe you've found a security issue, please email security@veramap.app.
Your privacy rights
Depending on where you live, you have rights over your personal information. Most are available to everyone who uses VeraMap, regardless of jurisdiction:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion — ask us to delete your account and personal information.
- Portability — receive a portable copy of information you provided to us.
- Objection / restriction — object to certain processing or ask us to restrict it.
- Withdraw consent — for any processing that relies on your consent.
- Complaint — lodge a complaint with your local data protection authority (see UK & EU section).
To exercise any of these rights, email privacy@veramap.app or delete your account directly in the app's settings. We will not discriminate against you for exercising a privacy right.
California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you rights regarding your personal information.
Categories of personal information
In the past 12 months, we have collected the categories of personal information described in the "What we collect (and what we cannot)" section, including: identifiers (email, account ID), commercial information (subscription status), internet activity (limited to the service), geolocation data (encrypted; we cannot decrypt it), and inferences (none that we use for profiling).
Sale and sharing
We do not sell personal information for money or other valuable consideration, and we do not share personal information for cross-context behavioral advertising. We have not done so in the past 12 months. We do not sell or share personal information of minors under 16.
Sensitive personal information
Precise geolocation is treated by California law as "sensitive personal information." We process it only as necessary to provide the service you've asked for, and only in encrypted form that we cannot read. We do not use sensitive personal information for any purpose that would entitle you to limit its use under the CPRA.
Your California rights
- Right to know what we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share — you have nothing to opt out of).
- Right to limit the use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
To exercise these rights, email privacy@veramap.app. We will verify your request using information we already have about your account. You may use an authorized agent; the agent must provide written permission and we will verify your identity directly.
UK & EU (GDPR / UK GDPR)
For users in the United Kingdom, the European Economic Area, and Switzerland, the controller of your personal information is Streamline Web Studios LLC. Our legal bases for processing are described in the "Legal bases (UK & EU)" section.
You have the right to:
- access, rectify, erase, restrict, object to, and port your personal data;
- withdraw consent at any time where we rely on consent;
- not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (we do not make such decisions);
- lodge a complaint with the supervisory authority in your country of residence — for example, the UK ICO, CNIL (France), BfDI (Germany), or your national equivalent.
We do not currently appoint an Article 27 EU representative or UK representative because our processing is limited and we do not target advertising at users in the EU or UK. If that changes, we'll update this policy.
Children & families
VeraMap is, by design, used by families — including children. We take this seriously and we treat data from children with extra care.
United States (COPPA)
We do not knowingly collect personal information directly from children under 13 without verifiable parental consent. A parent or legal guardian must create the family's loop, and parents are responsible for inviting and supervising minor children who participate in the loop. If you believe we have collected information from a child under 13 without proper consent, contact privacy@veramap.app and we will delete it.
EU & UK (GDPR Article 8)
In the EU and UK, the age at which a child can consent to information-society services on their own ranges from 13 to 16 depending on member state. Where a child is below the relevant age, a parent or legal guardian must consent to their participation. We rely on the inviting parent's consent within the loop invitation flow.
What we do for everyone
Regardless of age, location data is end-to-end encrypted and visible only to the loop members the family chooses. We never advertise to anyone, profile anyone, or sell anyone's data — there is no special "kids mode" because the standard mode is already as private as we can make it.
Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) signal where applicable. Because we do not sell or share personal information for cross-context behavioral advertising, a GPC signal does not change much in practice — but we treat it as a valid opt-out request for any future processing that would require one.
Changes to this policy
We'll update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. For material changes — those that affect what we collect, how we use it, or your rights — we'll provide reasonable advance notice through the app, by email, or both before the change takes effect.
Contact us
For questions, requests, or complaints about this policy or your information, contact us at any of the addresses below.
Privacy: privacy@veramap.app
Security: security@veramap.app
General legal: legal@veramap.app
Postal mail: Streamline Web Studios LLC, attn: Privacy, [mailing address available on request].