Privacy Policy

Last updated: Wednesday, April 1, 2026

LocationNotes is a location-based notes service. This policy explains what data the service stores, how public and private note visibility works, how team collaboration changes data exposure, and how LocationNotes handles public pages, language-specific content, account security, exports, and deletion.

In this policy, a private profile page, private team page, or a trackable page that is only Visible Once Accessed means the page route itself is restricted. It does not automatically mean the related user name, team name, or trackable name is confidential in every other product context.

What we collect

Account data such as email address, user name, password hash for local accounts, and linked Google or Facebook sign-in identifiers.
Profile settings such as profile blurb, page visibility, saved time zone, and the account user name used in the public profile URL.
Note data such as title, body, coordinates, visibility, deletion state, timestamps, sync mutation identifiers, ownership, and team association.
Category data such as name, hierarchy position, ownership, deletion state, and content language.
Team data such as team name, team slug, description, team page visibility, join policy, active membership records, membership status, and admin status.
Team invite and join records, including invite links, direct invites, join requests, approvals, denials, revocations, and who performed the action.
Trackable data such as public code, secret-code hashable values stored for lookup, QR payload, visibility setting, group relationship, activation owner, team scope, default metadata behavior, saved journey stops, note-scope grants created during attachment, and trackable comments.
Image data such as image GUIDs, parent-item associations, created timestamps, original dimensions, moderation outcome, and the stored resized-file locations used for delivery.
Short-lived browser session data that remembers a currently active trackable after a secret code or QR scan is used on that device.
Security data needed to protect accounts, including sign-in failures, lockout state, email-change tokens, password-reset tokens, and linked-provider records.

Precise location data

Notes can be anchored to exact map coordinates, so LocationNotes handles precise geolocation. Treat location data as sensitive information. A note stays device-local, private, team-private, or public only according to the visibility and sync choices made by the user and the team context associated with that note.

Anonymous Android users may create private local notes that stay only on the device until they later sign in and sync.
Private personal notes are visible only to their owner.
Private team notes are visible to the note owner and current active members of the associated team.
Public notes can appear on public maps, public profile pages, public team pages, public note pages, and search results.

Language, time zone, and presentation data

LocationNotes records the content language used when profiles, team blurbs, notes, categories, trackables, and trackable groups are saved. Public team directories and the published note map/list on public profile or team pages default to the visitor's current website language, while public trackable and trackable-group browse pages stay multilingual so journey and logistics data remain complete. Public search and other explicit all-language browsing can widen note discovery further, but the underlying user-generated content keeps the language in which it was saved.

If a signed-in user saves a preferred time zone, LocationNotes uses that time zone when rendering times on signed-in pages. Otherwise, the site falls back to the browser-detected time zone when available. The browser-detected time zone is stored in a cookie so the website can show times more accurately for signed-out visitors.

Content saved in Klingon may be rendered in Klingon font on supported public and signed-in pages. The page shell can still follow the visitor's current website language even when the user-generated note or category text remains in the original saved language.

Public pages, public search, and indexing

LocationNotes can expose public content on profile pages at /Profile/{user-name}, team pages at /{culture}/team/{team-name}, note pages at /{culture}/Note/{noteId}, and the public team directory at /{culture}/teams/public. Public note pages can exist under multiple localized page shells, such as English, Spanish, and Klingon route variants, while still showing the user-generated note content in its recorded language.

Public pages may be indexed by search engines and included in LocationNotes sitemaps. Non-public profile pages, non-public team pages, private notes, and private categories are not intentionally exposed on those public pages.

Page privacy is page-level access control, not a promise that every related label is hidden everywhere. User names, team names, and trackable names may still appear where the product is allowed to reference them, such as public group listings, public trackable pages, note-attached trackables, journey summaries, exports, moderation tools, and team-management surfaces.

Public search at /en-US/search defaults to the visitor's current language. Signed-in users can also search their own private notes and their teams' private notes through the website filters. Signed-out users do not get those private-result scopes.

Those public browse pages do not translate authored content. They choose which items to list by current route language unless the visitor deliberately changes the website language or uses an explicit all-language search flow.

How we use data

To authenticate users and allow linked sign-in providers.
To store, sync, search, and display notes and categories across the website and Android app.
To generate, validate, and route trackable public codes, secret codes, and scan-only QR payloads.
To remember an active trackable session on the current browser after a valid secret-code or QR lookup, so the user can continue the logging flow without repeatedly re-entering that code.
To attach trackables to notes, grant note-required access scopes, build journey stops and maps, and decide which currently visible notes can be shown from that stop coordinate.
To screen uploaded images for unsafe content, store resized image variants, and enforce parent-page access rules before image bytes are returned.
To enforce visibility rules for private notes, public notes, profile pages, team pages, note pages, and search results.
To support team membership, invite links, join requests, approvals, admin moderation, and exports.
To send password-reset and email-change confirmation messages when a user requests them.
To generate personal and team JSON export files for authorized users.
To process account deletion and Facebook data-deletion requests.

Maps, third-party services, and browser requests

LocationNotes uses third-party services when necessary to render live maps, complete external sign-in, deliver email, and, when the current visit allows it, load optional Google Analytics in the browser. Signed-in users can also save an Experience and privacy mode plus a preferred map source, and request-time privacy rules can still force the stricter hosted-maps path for a given visit. For the deeper operational explanation, review What is a 3rd Party?.

When third-party maps are allowed, a live map can request resources from Google Maps Platform or OpenStreetMap based on the current preferred map source. If the preferred provider is unavailable, LocationNotes can fall back to the other allowed provider. If browser-side third-party calls are blocked because the user chose No 3rd Parties or a consent-required visit has not granted consent, LocationNotes falls back to same-origin hosted map tiles at /maps/tiles/{z}/{x}/{y}.png so the browser stays on LocationNotes-owned URLs. Any outside map provider that is actually used can see the request metadata needed to serve the map, such as IP address, browser headers, request time, and the requested map area or place lookup. The provider does not automatically receive your private note body or internal permissions just because a map is shown.

If you use Google Identity or Facebook Login sign-in, the provider sees the sign-in request and LocationNotes receives the provider identifier and approved profile data needed to create or link the account. Google Analytics is also used for sanitized page-view data and limited workflow events instead of raw note text, secret codes, exact coordinates, names, or email addresses, but only when the site is configured for analytics and the current visit still allows browser-side analytics. If the visit is in a consent-required region without consent or the effective experience mode is No 3rd Parties, LocationNotes keeps browser analytics essential-only and does not load the Google Analytics tag.

Transactional email is delivered through Mailgun so account-security and support follow-up messages can reach the recipient. Text-message delivery is also planned through Twilio Messaging when that feature is enabled, which will require phone numbers, message content, and delivery-status metadata to be processed by Twilio.

Images and upload moderation

LocationNotes can attach images to profile pages, notes, team pages, trackables, and trackable groups. Image visibility follows the parent item exactly instead of using a separate public/private permission system.

If a visitor can open the connected parent page, that visitor can open the related image files too.
If the parent item is not accessible, direct image reads return no gallery items or no image bytes.
The service does not retain the original upload as a downloadable website file after processing. Only resized JPEG variants are stored for delivery.
Uploads are screened before save, but image reporting remains available later when a picture is unsafe, misleading, offensive, or attached to the wrong parent item.

Trackables, secret codes, and browser sessions

Trackables can be system-issued or user-supplied identifiers that connect physical items to location-note history. Each trackable can have a public code, a short secret code, and a long scan-only QR payload. Secret codes and QR payloads are treated as sensitive access credentials.

Public codes are intended for public routing and public lookup.
Short secret codes and private scan URLs are intended for possession-based flows and active logging.
LocationNotes shows the short secret code and private scan URL only once, during creation. After that reveal, those values are not shown again on normal pages or normal API reads.
If you scan a valid private QR or enter a valid secret code, the website may store a remembered active-trackable session on that browser so you can continue the workflow before signing in.
That remembered browser session is separate from account authentication and can be deactivated from the trackable flow.
Trackable journey stops snapshot the coordinate that was recorded at the time of the stop. If a linked note later moves or is deleted, the stored trackable path can still preserve that earlier location history.
Current note access still follows the note's own visibility and required access scope, and journey reads can surface whatever notes are currently visible at the same coordinate without turning the stop into a permanent note owner.
A non-public owner page does not automatically hide the trackable name, owner label, or team label from every trackable-related surface. Those labels can still appear on allowed trackable references even when the linked page itself is private.

Trackable ownership, groups, and comments

Trackables can be activated to an individual user or to a team. Trackables may also belong to one trackable group at a time. A group can supply fallback item title and description values until an item is individually activated and personalized.

Unactivated trackables cannot be used to place new map activity and cannot accept comments.
When a trackable is activated to a team, team admins can manage it and the activating member keeps control while they remain on that team.
Trackable-group membership can be removed and later reassigned, but only one group can control a trackable at a time.
Trackable-page comments are separate from note-page comments and belong to the trackable itself.
Anonymous trackable comments and direct map reports are allowed only when this browser already has active access to that exact trackable or the caller resends its short secret code or private scan access on the write request.
Anonymous trackable comments and direct reports can be deleted by the trackable owner or current team admins, but the anonymous poster cannot later edit or self-remove them through the product.
Authorized user and team exports include trackable journey stops, including whether a stop was anonymous or note-backed.

Linked providers and security email

When you use Google or Facebook sign-in, LocationNotes stores the provider linkage needed to recognize your account on later sign-ins. LocationNotes also sends security email when you request a password reset or an email-address change. Those messages are transactional account-security messages rather than marketing mail.

What we do not do

We do not sell personal information.
We do not intentionally publish a private note unless a user or authorized team action changes that note's visibility.
We do not intentionally expose non-public profile pages or non-public team pages to anonymous public browsing.
We do not treat a non-public page setting as a guarantee that the related user name, team name, or trackable name will be hidden from every permitted listing or association context.
We do not require a public team page in order for a team to exist.

User-provided external links

External-link rules, verification, adult-content screening, exit-page behavior, trackable-group defaults, exports, and deletion are documented on the What is an External Link? page.

For request and response examples, including externalLinkUrl, externalLinkDescription, externalLinkAppendPublicTrackableCode, defaultExternalLinkUrl, defaultExternalLinkDescription, defaultExternalLinkAppendPublicTrackableCode, useGroupDefaultExternalLink, and the verify endpoint, see the API documentation.

Your choices

You can manage your profile settings, page visibility, linked providers, password, recovery email, saved Experience and privacy mode, preferred map source, and time zone from the account pages. You can also request exports or permanent deletion through the website.

Latest and Greatest is the recommended default. No 3rd Parties avoids browser-side third parties and keeps hosted maps only. Google Maps first and OpenStreetMap first are preferences rather than promises, so LocationNotes can fall back to the other allowed provider or to hosted maps when the stricter privacy rule applies.

Signed-out or otherwise unresolved visits can still be routed through the visit-level privacy prompt, but once you are signed in the saved account settings win for that page load and the prompt no longer becomes the long-term source of truth.

What is GDPR? goes deeper on the visit-level prompt, the signed-out testing path, and why signed-in account settings take over after login. What is Import and Export? covers the restore-friendly ZIP, additive import rules, team JSON handoff, and image re-screening path.

Account exports can be downloaded as readable JSON or as portable ZIP packages. The export keeps the full manifest, including settings that a later additive import may intentionally leave untouched on the target account. That matching import flow is designed to add missing records, skip identical matches, and report conflicting existing data instead of overwriting it automatically.

Children and minimum age

LocationNotes is not directed to children. You must be at least 16 years old to create a new account, and older if your local law requires a higher minimum age for self-consent to online services. If you believe a child created an account in violation of this rule, contact us so we can review and act on that report.

Retention and deletion

Synced personal data is retained while the account exists unless it is deleted earlier through the product. Deleting an account removes the personal account and synced personal data, but it does not automatically remove all shared or team-owned content that other people still rely on.

Deleting live content also does not guarantee that every operational log, backup set, or database transaction record disappears at that same instant. Short-term server logs, security logs, database logs, and backups can persist until their normal rotation, overwrite, or retention window ends.

LocationNotes does not automatically disclose user data to outside requesters. When a valid warrant, subpoena, court order, judgment, or similar lawful demand requires disclosure, the request is reviewed and the response is limited to the records the law requires and the system actually stores. A valid legal hold can delay normal deletion while that review is active.

If a team still exists, team-owned notes remain available to that team subject to its visibility and admin controls.
If a trackable still has non-deleted activity from other people or a team, that trackable can remain in the system even after one contributor deletes their account.
Where the product rules allow, LocationNotes removes the deleted user's personal non-team trackable activity without automatically erasing unrelated shared trackable history.
If a trackable is team-owned, that team remains the controlling scope while the team exists.
If a team is deleted, team memberships and team-only categories are deleted at that time.
If a team is later deleted and the original creator still exists, those team notes convert back to personal notes and keep their prior public or private visibility.
If the original creator no longer exists when the team is deleted, ownerless team notes are deleted at that time.

Contact

Email: michael.kappel@locationnotes.com

Phone: (630)362-7576

Mailing address: 1331 S. 51st Ave, Cicero, IL 60804