Legal
Privacy Policy
Effective date: March 25, 2026 · Last updated: April 12, 2026
1. Introduction
WYPNT ("we", "us", or "our") operates the WYPNT mobile application and supporting backend services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have regarding your information.
By creating an account or using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
For questions or concerns, contact us at [email protected].
2. Information We Collect
2.1 Information You Provide Directly
When you register or use the Service, you may provide:
Account & Identity: email address, full name, username (permanent once set), password (stored as a hash), profile photo, date of birth, nationality, and a short bio.
Motorcycle & Garage Data: bike details (name, brand, model, year, plate number, purchase date, story), bike photos, modification records (name, category, description, photos), and bike status.
User-Generated Content: posts (text and images), comments, route reviews (rating and text), route waypoints and metadata (name, description, region, coordinates, distance).
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
Session Data: IP address (hashed using SHA-256 with a salt — the raw IP is never stored), user agent (browser/device type), and last-active timestamps collected server-side with each authenticated request. IP addresses are collected solely for fraud and abuse prevention and are not stored in any form that can identify you individually.
Device Information: app version and device type collected via Expo Application Services (EAS) during builds and over-the-air updates.
The mobile app does not use cookies. No cross-app or cross-site tracking is performed.
2.3 Information from Third-Party Sign-In Providers
If you sign in with Google, Apple, or Facebook, we receive your name, email address, and profile photo from those providers. OAuth identity tokens are exchanged for a session token and are not stored on your device beyond that exchange. We do not receive your password from these providers.
3. How We Use Your Information
We use the information we collect to:
• Provide, operate, and improve the Service — account management, route display, navigation features, and the rider passport system. • Authenticate and secure your account — verifying identity, issuing session tokens, and detecting suspicious activity. • Enable social features — displaying your posts, profile, follower counts, and route reviews to other riders as governed by your privacy settings. • Send push notifications — for social activity (likes, comments, follows) and route updates, when you have opted in. Certain safety-critical notifications may be non-optional while your account is active. • Comply with legal obligations and enforce our Terms & Conditions.
5. Lawful Basis for Processing
We process your personal data on the following legal grounds under the General Data Protection Regulation (GDPR) and the Philippine Data Privacy Act (Republic Act 10173):
| Data Type | Lawful Basis |
|---|---|
| Email, name, password | Contractual necessity |
| Profile photo, bio | User consent |
| GPS coordinates, route history | Contractual necessity (expedition feature) |
| Device push token | User consent (notification opt-in) |
| OAuth tokens | Contractual necessity (login) |
| IP address (hashed) | Legitimate interest (fraud prevention) |
| Analytics events | Legitimate interest (product improvement) |
6. Data Storage and Security
Server-side data is stored on secured infrastructure with encryption in transit (HTTPS/TLS) and encryption at rest. We implement standard security practices including access controls, authentication, and monitoring.
On your device: • Your session token is stored in the device's secure keychain via expo-secure-store. • Route data is cached locally in a SQLite database (wypnt.db) and automatically evicted after 24 hours. • App settings and UI preferences are stored in AsyncStorage on your device only and are not transmitted to our servers beyond what is needed to sync your preferences.
No security measure is perfect. If you discover a security vulnerability, please report it to [email protected].
7. Data Retention and Deletion
Account Deletion: You may delete your account at any time from the Settings screen. A 7-day grace period applies, during which you may cancel the deletion. After the grace period, deletion is permanent and covers: • All database records (profile, posts, comments, likes, routes, bikes, modifications, follower relationships) — hard-deleted via cascade • All photos and files stored in Cloudflare R2 file storage • All active session tokens, immediately invalidated via a Redis blacklist
Session Tokens: Cleared from your device when you sign out, or automatically invalidated upon a 401 authentication error.
Cached Route Data: Auto-evicted from your device after 24 hours.
Server Logs and Backups: Database backups are automatically pruned after 30 days. When you delete your account, data is removed from the live database immediately and fully purged from backups within 30 days.
8. Your Rights
Under the GDPR (for users in the EU/EEA) and the Philippine Data Privacy Act (RA 10173), you have the following rights:
• Right to Access: View your data directly within the app (profile, settings, passport). For a full export, use Settings → Export My Data. • Right to Portability: Download all your personal data in JSON format via Settings → Export My Data (rate-limited to once per 24 hours). This right is provided under GDPR Article 20 and RA 10173 Section 18. • Right to Deletion: Delete your account and all associated data from Settings → Delete Account. A 7-day grace period applies; deletion is then permanent and covers database records, stored files, and session tokens. • Right to Rectification: Update your profile, posts, and settings at any time within the app. • Right to Object: Disable non-essential push notifications in Settings > Notifications. Opt out of analytics data collection via the analytics opt-out toggle in Settings. • Right to Control Visibility: Set your profile to private or require approval for followers in Settings > Privacy.
To exercise rights that are not available in-app, contact us at [email protected].
9. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at [email protected] and we will delete that information.
Users in certain jurisdictions (e.g., the European Union) must be at least 16 years old to consent to data processing, or have parental consent.
10. International Data Transfers
The Service is operated from the Philippines. Your data may be transferred to and stored on servers located in other countries where our cloud infrastructure and service providers operate. By using the Service, you consent to this transfer.
We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy, regardless of where it is processed.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the app or sending an email to your registered address. The "Last Updated" date at the top of this page reflects the most recent revision.
Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Information
For privacy-related questions, requests, or complaints, contact us at:
Email: [email protected] Platform: WYPNT mobile app — Settings > Help & Support