Privacy Policy

Effective date: May 19, 2026

Walksy (“we,” “us,” “our”) respects your privacy. This Privacy Policy explains what information we collect, why we collect it, and the choices you have. This policy applies to the Walksy app and related services.

Data Controller

• Controller: Anne Müller (sole proprietor)
• Address: Kollwitzstr. 76, 10435 Berlin, Germany
• Contact for privacy matters: privacy@walksy.world

TL;DR — Walksy Privacy Promise

• We track your location to clear the fog. No GPS = no game.
• We use your email to save progress so you don't lose your streaks.
• We don't sell your data to creepy third parties.

What we don't do

• We don't run ads or include any ad SDKs
• We don't sell, rent, or license your data
• We don't use behavioral analytics or tracking pixels
• We don't share your walk history with anyone outside what's listed in “Sharing and disclosure” below

What we collect

Precise location data

• GPS coordinates to reveal the map and measure walking distance
• Route history, map progress, and fog‑clearing data

Account data (OAuth)

• Name, email, and profile photo from Google sign‑in
• Authentication identifiers needed to keep your account secure

Device information

• IP address, device type, and operating system version
• App version, diagnostics, crashes, and performance logs

Background location disclosure (important)

Walksy collects location data to enable the “Fog of War” map‑clearing feature even when the app is closed or not in use. You can disable background location at any time in your device settings, but core gameplay will be limited without it.

How we use information

• Provide the core gameplay experience and features
• Sync progress across devices
• Improve performance, stability, and reliability
• Prevent abuse and secure the platform
• Communicate with you about updates and support

Sharing and disclosure

We do not sell your personal information. We share data only with providers necessary to operate the app:

• Google Sign‑In — receives email and authentication identifier when you sign in
• RevenueCat — processes subscription and in‑app purchase data
• OpenStreetMap — receives map tile requests (the area you're currently viewing)
• Open‑Meteo — receives approximate location to return current weather
• Firebase Crashlytics (Google) — receives crash logs, device info, and diagnostic data
• MongoDB Atlas — managed database hosting; stores your account data and walk history on our behalf
• Railway — application hosting provider that runs our backend services and processes requests on our behalf

Legal basis for processing

• Location data: consent (Art. 6(1)(a) GDPR) — required for the core fog‑of‑war gameplay
• Account data (email, name, profile photo): contract performance (Art. 6(1)(b))
• Crash and diagnostic data: legitimate interest (Art. 6(1)(f)) — improving app stability and reliability
• Payment data: contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax/accounting records

International data transfers

Several of our processors — including RevenueCat, Firebase Crashlytics (Google), MongoDB Atlas, and Railway — are operated by US‑based companies, and personal data may be processed or stored outside the European Economic Area. Transfers of personal data to these processors occur under Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent valid transfer mechanisms.

Your rights under GDPR

If you are in the European Economic Area, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16)
• Right to erasure / “right to be forgotten” (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
• Right to lodge a complaint with a supervisory authority — for users in Berlin, that's the Berliner Beauftragte für Datenschutz und Informationsfreiheit

You can exercise any of these rights by emailing privacy@walksy.world.

Your choices

• Disable location permissions in your device settings
• Request account deletion at walksy.world/delete-account
• Contact us with privacy questions at privacy@walksy.world

Data retention

• Active account: data retained while your account is active
• After account deletion: personal data and walk history removed within 30 days
• Encrypted backups may retain deleted data for up to 30 additional days before being fully purged
• Limited data may be retained longer to comply with legal obligations (e.g. tax records, fraud prevention)

To request deletion, visit walksy.world/delete-account.

Security

• All data encrypted in transit using TLS
• Data encrypted at rest via our infrastructure providers' default encryption (MongoDB Atlas for the database, Railway for application hosting)
• Access to user data restricted to the two founders
• No third‑party data processors have access to walk history beyond the ones listed in “Sharing and disclosure”

No method of transmission or storage is 100% secure, but we work to protect your information.

Children's privacy

Walksy is not intended for users under 16 in the European Union, or under 13 in the United States, in line with applicable law. We do not knowingly collect personal data from these users.

Changes to this policy

We may update this policy from time to time. We'll post the latest version on this page and update the effective date.

Contact

If you have questions, email us at privacy@walksy.world.