1. Who we are (Data Controller)
The data controller responsible for your personal data is:
Inventist LLC
Apopka, Florida, United States
Email: contact@inventist.io
Inventist is a small independent publisher and is not required to appoint a Data Protection Officer under Article 37 of the GDPR. The contact above is the single point of contact for all privacy matters, including data-subject requests.
2. Architecture: local-only by design
Whereabouts is a native iOS app. The vast majority of what the app does happens on your device alone:
- Your game progress (daily scores, streak, completed rounds, settings, unlocked content) is stored locally using Apple's standard on-device storage. It is not transmitted to Inventist.
- The question pool (locations, coordinates, metadata) is bundled inside the app at the time of download. The app does not "phone home" to fetch it.
- The app makes no network requests for the purpose of identifying or tracking you. There is no account system, no login, no user ID assigned by us.
Because data does not leave your device, there is no central database we could be compelled to disclose, no data we could lose in a breach, and nothing for an attacker to steal from us.
3. The few data flows that do exist
3.1 Imagery from Wikimedia Commons
Some location imagery shown during gameplay is loaded directly from Wikimedia Commons (upload.wikimedia.org) — a free media repository operated by the Wikimedia Foundation. As with any HTTP request, your device's IP address and standard request headers are visible to Wikimedia's servers as part of fulfilling the request. No app-level personal data, identifier, score, location, or game state is sent to Wikimedia. We do not track which images you view.
Wikimedia's handling of HTTP request data is governed by the Wikimedia Foundation Privacy Policy.
3.2 Apple App Store and StoreKit (purchases)
The app is distributed through the Apple App Store. When you download or update Whereabouts, Apple may collect information about that transaction in accordance with Apple's Privacy Policy. We may receive aggregate, de-identified statistics from Apple via App Store Connect (totals, country of download, app version) — never information that identifies you.
If you choose to subscribe or make an in-app purchase, that transaction is processed entirely by Apple's StoreKit. Apple handles billing, payment methods, refunds, and subscription management. Inventist does not see, store, or have access to your payment card details, your Apple ID email, or your billing address. We receive only an opaque receipt token from Apple confirming the purchase is valid; that token lives on your device.
3.3 iCloud backup (your choice)
If you have iCloud Backup enabled on your iPhone, Apple may include the app's local data in your encrypted iCloud backup. This is governed by Apple's Privacy Policy; Inventist has no access to iCloud backups.
3.4 If you contact us by email
If you email us at contact@inventist.io (or use any in-app feature that opens your mail client to write to us), we receive your email address and the contents of your message. Replies are written by a human at Inventist — there is no automated reply, no chatbot, and no autoresponder. We use this only to reply, troubleshoot, or follow up. Your email is not added to any marketing list. We retain correspondence only as long as necessary to support you, and on request will delete it (see Section 6).
3.5 What we do NOT do
For the avoidance of doubt, Whereabouts:
- does not contain any third-party analytics, advertising, attribution, or crash-reporting SDKs;
- does not place cookies or use any web tracking on this website;
- does not sell, rent, or share any user information with third parties;
- does not perform automated decision-making or profiling under Article 22 of the GDPR;
- does not transfer personal data outside the EEA for processing by Inventist (data stays on your device).
4. Lawful basis for processing
To the limited extent we process personal data, our lawful bases under Article 6 of the GDPR are:
- Performance of a contract (Art. 6(1)(b)) — operating the app you've installed and providing in-app purchases via Apple.
- Legitimate interests (Art. 6(1)(f)) — replying to email you send us, defending against abuse, complying with App Store rules.
- Legal obligation (Art. 6(1)(c)) — responding to lawful requests from authorities, where applicable.
We do not rely on consent (Art. 6(1)(a)) because we don't collect data that requires it.
5. International transfers
Inventist is based in the United States. Email correspondence sent to us is processed in the U.S. via Apple's iCloud Mail infrastructure. We do not transfer game data — because we don't receive any. Apple's transfer mechanisms (including Standard Contractual Clauses where applicable) cover data Apple processes on our behalf.
6. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with equivalent data-protection laws, you have the following rights regarding your personal data. Many of these are exercisable directly inside the app, without needing to contact us:
| Right | How to exercise it |
|---|---|
| Access (Art. 15) | Open the app → Settings → Export. This produces a complete copy of the data the app holds about you. |
| Rectification (Art. 16) | Edit any of your settings or display name directly in Settings inside the app. For corrections to email correspondence we hold, write to contact@inventist.io. |
| Erasure (Art. 17, "right to be forgotten") | Open the app → Settings → Reset to wipe all locally-stored data, or simply uninstall the app from your device. To delete email correspondence we hold, write to contact@inventist.io. |
| Restriction (Art. 18) | Email contact@inventist.io. |
| Data portability (Art. 20) | Open the app → Settings → Export. Export is provided in a machine-readable format (JSON). |
| Object (Art. 21) | Email contact@inventist.io. Because we do not perform direct marketing, profiling, or automated decision-making, this right has limited practical application but is fully respected. |
| Withdraw consent (Art. 7) | Not applicable — we do not rely on consent as a lawful basis. Uninstalling the app stops all on-device processing immediately. |
We will respond to any rights request within 30 days, free of charge. If your request is complex or you submit multiple requests, we may extend this by up to two further months and will tell you why.
7. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority — typically the data protection authority of the EU/EEA member state where you live, work, or where the alleged infringement occurred. A directory of EU/EEA authorities is maintained by the European Data Protection Board. Residents of the United Kingdom can complain to the Information Commissioner's Office (ICO). Residents of Switzerland can complain to the FDPIC.
We would always prefer the chance to resolve a concern first — please write to contact@inventist.io — but it is your right to escalate at any time.
8. Retention
On-device data persists until you reset it inside the app or uninstall the app. Email correspondence is retained only as long as needed to support you (typically up to 24 months after our last exchange) and is deleted earlier on request.
9. Children's privacy
Whereabouts is suitable for users of all ages, including children. Because we do not collect personal information from any user, we do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction). Our practices are designed to align with COPPA in the United States and GDPR-K in the EU.
10. Security
The strongest privacy measure we offer is not having your data in the first place. For the limited information we do hold (email correspondence), we rely on industry-standard infrastructure provided by Apple (iCloud Mail) and Cloudflare (web hosting), with appropriate access controls. No system is perfectly secure, and we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of any personal-data breach as required by Article 33.
11. Changes to this policy
If we make material changes to this policy we will update the "Last updated" date above and, for changes of substance, surface a notice on our website and inside the app at next launch. Older versions are available on request.
12. Contact for privacy and GDPR requests
For any privacy question, GDPR rights request, or complaint, write to:
Inventist LLC — Privacy
Email: contact@inventist.io
Postal: Apopka, Florida, United States
You will receive a reply from a human, typically within one business day.