Privacy Policy

WildMap is a hunting-focused mapping application operated by WILDMAP, a registered partnership of Daniel Burke and Ian Zbiegniewski (we, us, our). Development and administrative support is provided to the partnership by Northset Advisory Pty Ltd, a related entity. This policy explains how we collect, hold, use, and disclose your personal information, and is structured around the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). WildMap handles location data, account credentials, and hunting field records — categories that warrant a careful explanation of how your information is treated.

By using WildMap you acknowledge this policy. If you do not agree with how we handle your information, please do not use the app.

---

1. Open and transparent management (APP 1)

The WILDMAP partnership is committed to managing personal information in an open and transparent way. This policy is published at wildmap.com.au/privacy.html and is bundled with the iOS and Android apps. Material changes will be reflected by updating the "Effective date" at the top, and significant changes will be surfaced in-app on next launch.

If you have questions about how WildMap handles your information, you can contact us at privacy@wildmap.com.au at any time.

2. Information we collect (APP 3 and APP 5)

WildMap only collects information necessary to deliver its mapping, navigation, and field-recording functionality. Where we collect information, we do so directly from you through your use of the app.

2.1 Account information

• Email address — required to create an account and to recover access if you forget your password.
• Password — submitted by you during sign-up or sign-in. WildMap never stores your password in plaintext. Authentication is handled by Supabase, which stores only a salted hash; the plaintext password is never written to our database or logs.
• Session tokens — short-lived JWT access tokens and longer-lived refresh tokens are issued by Supabase to keep you signed in across app launches. These are stored securely on your device.
• Third-party sign-in tokens — if you choose Apple Sign-In or Google Sign-In, an opaque identity token is exchanged with Supabase. We do not receive your Apple or Google password, and we receive only the email address you authorise the provider to share.

2.2 Location information (sensitive in this context)

WildMap is a location-driven app. We treat location data as sensitive because, in a hunting context, it can reveal harvest sites, access routes, and time-stamped patterns of use. Specifically we may collect:

• Precise GPS coordinates while the app is in use — to display your position on the map and provide navigation.
• Background location while a track recording is active — only when you explicitly start a recording. Background recording stops when you stop the track or sign out.
• Coordinates attached to user-created records — waypoints, planned routes, GPS tracks, harvest log entries (shot logs), field notes, and any photos you choose to geotag carry the coordinates you set or capture.

We do not run location tracking when the app is closed unless you have started a track recording. We do not share your live location with other users.

2.2.1 Background location (Android)

When you tap Track Record to start a GPS track, WildMap collects your device's precise location in the background — that is, even when the app is not in the foreground or the screen is locked. This is required so the app can record a continuous track while your phone is in your pocket during a hunt.

• Purpose: background location is collected solely to record the active GPS track you started, and for no other purpose.
• Local-first: the track is written to your device first. If you are signed in, it then synchronises to our cloud (Supabase) under your account; if you are not signed in, the track stays on your device.
• Visible while active: while a recording is running, Android shows a persistent notification in your notification shade. Tapping Stop in the app, or swiping the notification's stop action, ends background collection and removes the notification.
• You are in control: you can revoke the background-location permission at any time from Settings → Apps → WildMap → Permissions → Location, and you can stop a recording at any time from within the app.

On iOS, equivalent behaviour is governed by the iOS location-while-using and always-allow permission flow described to you by the system at the point of permission request.

2.3 User-generated content

• Waypoints, tracks, planned routes, saved offline map areas, drawn polygons, field notes, and harvest log entries.
• Photos you capture or attach (including any embedded EXIF metadata such as time and GPS coordinates, which we do not strip).
• Free-text fields including notes, names, species, and observations that you choose to record.

2.4 Device and diagnostic information

• App version, operating system version, and device model.
• Crash reports and error diagnostics, where enabled by your device's operating system.
• Basic request logs (IP address, timestamp, endpoint) at our hosting and authentication providers, used for security and abuse prevention.

2.5 Camera and photo library access

WildMap asks for camera and photo library permission only when you choose to attach photos to a record or save an exported map image. Permission can be revoked at any time in your device settings.

3. How we use your information (APP 6)

We use information for the primary purpose for which it was collected — to operate WildMap. Specifically:

• Rendering maps, overlays, and your current position.
• Recording and replaying GPS tracks.
• Storing and syncing your waypoints, tracks, harvest logs, field notes, photos, and saved offline areas across your devices.
• Authenticating you and maintaining your session.
• Diagnosing crashes, performance issues, and abuse.
• Communicating with you about service-critical issues (e.g. security incidents, account changes).

If we ever introduce contextual sponsorship (for example, a sponsored item shown on a relevant map screen), it will be served from our own systems based on the screen you are viewing — not by sharing your personal information, location history, or hunting records with an advertising network. Any such change will be disclosed in an updated version of this policy before it takes effect.

4. Local-first storage and cloud sync

WildMap is designed local-first. Your records live on your device in IndexedDB so the app remains fully usable offline. When you are signed in, records are also synchronised to our cloud (Supabase) so they are available on your other devices.

• If you do not sign in, your data stays on your device only. It is not transmitted to our servers.
• If you sign in, new and modified records are pushed to Supabase under your account. Row-level security ensures only your account can read or write your records.
• Tile cache — offline map tiles you download are stored in IndexedDB on your device. The download itself is fetched from Mapbox; we do not store your map tile cache in our cloud.

4.1 Soft-delete lifecycle

When you delete a record (waypoint, track, harvest log, field note, etc.), it is initially marked as deleted (soft-deleted) so that the deletion can be propagated to your other devices. Soft-deleted records are purged from our cloud no later than 30 days after deletion. After purge, we retain only minimal anonymised information necessary for backup integrity, which itself rotates out within 90 days. If you want immediate hard-deletion, contact privacy@wildmap.com.au.

5. Disclosure to third parties (APP 6)

We disclose personal information only to the service providers listed below, and only to the extent necessary for them to deliver the service we have engaged them for. Each provider operates under its own privacy policy and contractual obligations to us.

• Supabase, Inc. (United States) — authentication, database (waypoints, tracks, harvest logs, field notes, account profile), and realtime sync. supabase.com/privacy
• Cloudinary Ltd (United States / Israel / EU) — storage and CDN delivery of photos you attach to records. cloudinary.com/privacy
• Mapbox, Inc. (United States) — map tile rendering, geocoding, and search. Tile and search requests include the map area and query you are looking at. mapbox.com/legal/privacy
• OpenWeather Ltd (United Kingdom / EU) — weather and wind forecasts displayed in the app. Requests include the coordinates you query. openweather.co.uk/privacy-policy
• Vercel Inc. (United States) — hosting of the web app and static assets. Standard request logs apply. vercel.com/legal/privacy-policy
• Apple Inc. and Google LLC — to the extent you install WildMap via the App Store or Google Play, account and crash diagnostics may pass through these platforms under their own policies.

6. Cross-border disclosure (APP 8)

Several of our service providers are based outside Australia, primarily in the United States and the European Union / United Kingdom. By using WildMap, you acknowledge that your personal information — including account email, location data, hunting records, and photos — will be transferred to and processed in those jurisdictions.

Before engaging an overseas provider, we take reasonable steps to confirm they handle personal information in a manner consistent with the Australian Privacy Principles. However, you should be aware that overseas privacy laws may differ from Australian law and that, in some cases, the OAIC may not be able to enforce APP obligations against an overseas recipient.

7. Security of your information (APP 11)

• Encryption in transit — all communication with our cloud providers uses TLS 1.2 or higher.
• Encryption at rest — Supabase and Cloudinary encrypt stored data at rest using industry-standard encryption.
• Row-level security — Supabase row-level security policies ensure each user can only access their own records.
• Password hashing — passwords are hashed with bcrypt by Supabase. We never see and never store your plaintext password.
• Local data — data stored in IndexedDB inherits the security of your device. We strongly recommend using a device passcode or biometric lock.
• Least privilege — only a small number of authorised personnel of the partnership have access to production systems, and only when necessary for support or incident response.

No system is perfectly secure. Despite our safeguards, we cannot guarantee that unauthorised access will never occur. If we become aware of an eligible data breach, we will respond as described in Section 10.

8. Hunting records and law enforcement

Hunting records (waypoints, tracks, harvest logs, photos) can be sensitive. We treat them as your information and we do not volunteer them to third parties.

We will not disclose your records to government agencies, regulators, or other third parties unless one of the following applies:

• You have given consent.
• We are compelled by a valid Australian warrant, court order, subpoena, or similarly binding legal instrument issued by a body with jurisdiction over us.
• Disclosure is required or specifically authorised by Australian law (for example, under a permitted general situation in section 16A of the Privacy Act).
• Disclosure is necessary to protect life or to investigate suspected unlawful activity directed at WildMap or its users.

Where we receive such a request, we review it for validity and scope, and we limit disclosure to the minimum information actually required. Where it is lawful and practical to do so, we will notify you before disclosure so you have an opportunity to respond.

WildMap is intended only for lawful hunting activity in compliance with relevant state and federal law. Using the app does not authorise any activity that would otherwise be unlawful, and recording such activity in the app may itself constitute evidence.

9. Your rights (APP 12 and APP 13)

You have the following rights with respect to your personal information:

• Access and update — you can view and edit your account email, waypoints, tracks, harvest logs, and field notes from within the app at any time.
• Delete individual records — any record you create can be deleted from within the app. Deletions are propagated through the soft-delete lifecycle described in Section 4.1.
• Delete your account — you can permanently delete your account and all cloud-synced data from Settings → Account → Delete Account. This action is irreversible. If you can no longer access the app, follow the steps at wildmap.com.au/delete-account or email privacy@wildmap.com.au to request deletion. Local data on your device may be cleared by uninstalling the app.
• Request a copy — you can request a portable export of the personal information we hold about you by emailing privacy@wildmap.com.au.
• Correct inaccuracies — if any information we hold about you is inaccurate, you can correct it in-app or ask us to correct it.
• Make a complaint — see Section 11.

10. Notifiable data breaches

WildMap is subject to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of an eligible data breach — that is, unauthorised access, disclosure, or loss of personal information likely to result in serious harm — we will:

• Promptly assess the suspected breach.
• If confirmed, notify affected individuals as soon as practicable, with information on the nature of the breach and recommended steps you can take.
• Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

More information about the NDB scheme is available at oaic.gov.au.

11. Complaints and contact

If you have a privacy concern, complaint, or request, please contact us first so we have an opportunity to resolve it:

Email: privacy@wildmap.com.au
Entity: WILDMAP (ABN 40 386 582 970), a registered partnership of Daniel Burke and Ian Zbiegniewski
Postal address: available on request via the email above

We aim to acknowledge complaints within 7 days and to resolve them within 30 days. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

12. Children's privacy

WildMap is rated 9+ on the App Store and Everyone/G on Google Play. We do not knowingly collect personal information from children under 13. If we learn we have collected such information without verified parental consent, we will delete it promptly. Parents or guardians who believe a child under 13 has provided personal information to WildMap should contact privacy@wildmap.com.au.

13. Changes to this policy

We may update this policy from time to time. The "Effective date" at the top reflects the latest version. Material changes will be surfaced in-app on next launch, and where they materially affect how we use information you have already provided, we will seek your renewed acknowledgement.