Effective date: May 5, 2026 · Last updated: May 17, 2026
This Privacy Policy explains what personal data Sidequest collects, why we collect it, how we use it, who we share it with, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and similar laws. We've tried to write it in plain English while still being precise enough to satisfy regulators.
Sidequest is operated by Riley Palattao, doing business as Sidequest, based in the United States. For the purposes of GDPR, we are the data controller of the personal data described in this policy.
Privacy contact: riley@trysidequest.us
Email is the fastest way to reach us about anything related to your data, including all of the rights described in Section 5.
When you sign in with Apple or Google, we receive your name (or alias) and email address. You may choose to hide your email using Apple's private relay. We also generate an internal user ID that links the rest of your data to your account.
The app continuously tracks your location while you're using it (and in the background, with your permission) to reveal map tiles, generate personalized quests, track exploration sessions, and power location-based features. Location data is processed locally on your device and synced to your account across devices. We do not sell your location data.
Sidequest does not store the raw path of your walks. We do not record per-second GPS readings, paths, or routes. We record which map tiles you have uncovered, basic session statistics (distance, time), and the places you save.
Spots you save (name, coordinates, ratings, tags), photos you upload, comments and reactions you author, want-to-go lists, friend connections, and AI chat conversations.
Generated quest destinations, completion status, trip sessions, walking history, and aggregated exploration statistics (cities visited, tiles cleared, etc.).
App version, OS version, device model (no IDFA; see Section 8), feature usage events, crash reports, and performance diagnostics. We use this data to fix bugs and prioritize what to build next.
Whether you have an active premium subscription, plus subscription state managed by Apple via Superwall. Apple handles billing. We never see your payment details.
We process your personal data on the following bases:
Sidequest is built on top of several third-party services that process your personal data on our behalf, under data processing agreements that require them to protect your data and only use it as we instruct.
| Sub-processor | Purpose | Region |
|---|---|---|
| Google Firebase (Auth, Firestore, Cloud Storage, Cloud Functions, Hosting) | Authentication, primary database, file storage, server-side logic | US |
| Google Firebase Analytics | Product analytics (event-level) | US |
| Mixpanel | Product analytics (event-level, no IDFA, no cross-app tracking) | US |
| Apple (Sign in with Apple, Apple Push Notification service) | Authentication, push notifications | Global |
| Google (OAuth Sign in with Google) | Authentication | US |
| Superwall | Subscription management and paywall | US |
| Yelp Fusion API | Point-of-interest data lookups (we send queries; no user identifier sent) | US |
| Mapbox | Map tiles (we send tile requests; no user identifier sent) | US |
| Google Vertex AI (Gemini) | Powers the in-app AI chat ("Ask"). When you send a message we forward your text plus context about the place you're asking about (name, category, coordinates) and your account ID. Vertex AI does not use your messages to train its models. | US |
Public shared spots use coarse coordinates (rounded to roughly 100 meters), not precise coordinates.
Outside of these sub-processors, we do not sell, rent, or share your personal information with third parties for marketing purposes. We may also disclose data when required by law, in response to valid legal process, or to protect our rights or the safety of users.
If you live in the European Economic Area, the United Kingdom, or another region with similar laws, you have the following rights. Email riley@trysidequest.us to exercise any of them. We respond to verified requests within 30 days.
Account deletion removes all personal location data within 30 days, including public shared spots. Anonymous aggregate tile counts (no identity) remain.
| Data | On-device retention | Server retention |
|---|---|---|
| Raw GPS pings | In memory during walk; discarded at session end | Never stored |
| Polylines / path data | Never stored | Never stored |
| Tile clears | Until logout or account deletion | Until account deletion (30-day soft + purge) |
| Session summaries | Until logout or account deletion | Until account deletion |
| Saved spots, photos, comments | Until logout or account deletion | Until account deletion |
| Shared spots (coarse coordinates) | N/A | Until owner deletes or account deletion |
| Tile aggregates (anonymous counts) | N/A | Indefinite. No identity to delete. |
| Account deletion audit | N/A | Indefinite (GDPR compliance proof) |
| Data export jobs | N/A | 30 days, then auto-purged |
Location data on our servers is encrypted in transit (TLS) and at rest by Google Firebase infrastructure. We do not apply additional end-to-end encryption because we do not store the most sensitive form of location data (raw paths) at all. Anything we do store, we can read for the purpose of running the product (showing your map, friend features, AI place-questions).
Your data is stored and processed in the United States by our sub-processors. If you're in the EU/UK, this means your personal data is transferred outside your home jurisdiction. We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for these transfers. Where applicable, we also rely on the EU-US Data Privacy Framework.
Sidequest does not use Apple's IDFA (Identifier for Advertisers). We do not show third-party ads in the app. We do not track your activity across other apps or websites. Because of this, you will not see Apple's "App Tracking Transparency" prompt. There is nothing to consent to.
The Mixpanel and Firebase Analytics SDKs we use are configured to operate without IDFA and only see in-app product events tied to your account UID (or a per-device anonymous ID before sign-in).
When you use the Ask feature on a specific place, we send the coordinates of that place to Google Vertex AI to answer your question. We do not send your current location, only the coordinates of the place you asked about. You can disable the Ask feature in Settings.
Your data is encrypted in transit (HTTPS) and at rest (Firebase storage encryption). Authentication uses industry-standard OAuth flows from Apple and Google. Server-side actions like account deletion run with admin privileges that are scoped to the operation in question and audited.
Sidequest is not directed to children under 13 in the United States, and is not directed to children below the applicable digital-consent age in countries that set a higher minimum under GDPR Art. 8 (between 13 and 16, depending on the member state). We do not knowingly collect, use, or disclose personal information from children below those thresholds. We do not market Sidequest to children; the App Store age rating reflects our adult audience; and the app's social, location, and AI features are designed for adults.
The first time you open Sidequest you are asked your age before any account is created. If you indicate an age below 13 (or below the applicable minimum in the EU/EEA), the app declines to create an account and records the decision locally so the gate cannot be retried by reinstalling the app. If you complete sign-up at or above the minimum age, we record only the resulting age tier (e.g. "adult", "16-17") on your account — not your exact age — so we can apply age-appropriate behavior and so future data-handling decisions don't require asking you again.
If you are a parent or guardian and believe your child has created an account on Sidequest, please email riley@trysidequest.us with the account email and we will delete the account and all associated personal information. We respond to verified COPPA deletion requests within 30 days. We do not require any formal complaint, court order, or proof of guardianship beyond a reasonable demonstration that the account belongs to a minor.
If an account is identified to us as belonging to a minor (whether through self-declaration, a parent's report, or other means), we disable the product-analytics SDKs described in Section 4 (Google Firebase Analytics, Mixpanel) for that account on the next launch and we do not forward that account's AI chat messages to Google Vertex AI. Location, spot, and social data continue to be necessary for the service to function and remain stored under the same protections described elsewhere in this policy until the account is deleted.
The minimum age at which a person can sign up for Sidequest depends on the privacy law of the country you're in. We apply the local minimum based on your device's region setting. We do not currently offer a verifiable parental consent (VPC) flow that would allow a child below the minimum age to use Sidequest with parental authorization. As of our last review:
If your country isn't listed, Sidequest defaults to 16 as a conservative baseline. Country-specific thresholds can change as privacy laws evolve; we update this list as part of routine compliance review.
The Sidequest iOS app does not use cookies. Our website (trysidequest.us, knowaspot.app) serves static pages with no analytics tags or advertising cookies.
We may update this policy from time to time. Material changes will be communicated through the app or by email at the address on your account. The "Last updated" date at the top of this page tracks every revision.
Privacy questions or requests: riley@trysidequest.us
General support: riley@trysidequest.us