Privacy & data control
Privacy is the reason this product exists. Your data is valuable — and above all, it's yours. We wanted a platform to track our own journeys, but most trackers out there treat GPS data as a product to be monetised, packaged, or shared with partners. We needed something different — a tracker where your routes stay yours and nobody else profits from them. Where Is Tereza? is our answer.
The page below is the explicit version of how it works — what we collect, what stays under your control, and how to lock things down further if you want to go all the way.
You own your data. That's our statement.
We will never sell your data, and we will never misuse it in any way. Your GPS data exists for one reason only: so your dashboard can render meaningful analytics — distances, elevation profiles, transport modes, weekly patterns, personal records. That's it.
You — and only you — decide who sees it.
Keep your trips private, share a single live link with friends and family, or publish your route to the whole world. Nobody else makes that call. Just you.
Privacy zones
Blur your GPS coordinates around your home, workplace, or any other sensitive location. Pick the cloaking style that fits — from a soft snap-to-center to full route cloaking — and your real coordinates never leave the server.
Want the technical details? Each privacy mode is described with its full algorithm, math, and security properties in For Nerds: Privacy Zone Modes.
Privacy zones
Privacy zones let you hide GPS points from public view inside a defined area — your home, your workplace, anywhere you don't want the map to leak.
In the org admin → Privacy zones → define a circle around any point (radius from 100 m to 5 km). Choose a cloaking mode:
Snap to center Points inside the zone are replaced with the zone's centre. Followers see "she's home" but not which window.
Remove points Points inside the zone disappear entirely. The trip line skips the area — looks like you teleported across it.
Random offset (jitter) Each point is nudged by a small random vector. The general pattern stays, exact coordinates don't.
Coarsen (~1 km grid) Coordinates are snapped to a 1 km grid. Neighbourhood-level accuracy, no street-level detail.
Delayed release Points inside the zone are held back and published only after a delay (e.g. 24 h). Live followers can't pinpoint you in real time.
Route cloaking The entire trip segment touching the zone is hidden from public viewers. Only your admin dashboard sees the full truth.
The original points always remain in your private admin view; only the public-facing map is filtered. You can change your mind any time.
Per-trip visibility
Every trip has a visibility setting (Public / Unlisted / Private / Members) — see Trip management. Defaults to Unlisted so a brand-new trip never shows up before you're ready.
Who can see what
| Audience | Sees |
|---|---|
| Public visitors | Public trips, with privacy-zone filtering |
| URL holders | Unlisted trips, with privacy-zone filtering |
| Password holders | Private trips, with privacy-zone filtering |
| Org members | All trips, with privacy-zone filtering |
| Org owner / you | All trips, raw points, full control |
Privacy-zone filtering applies even to your own org members on the public map (so accidentally sharing a screenshot of your phone doesn't leak the home location). It does not apply in the admin — you can always see your own raw data.
Maximum privacy required?
If you want to use Where Is Tereza? as a personal logbook with zero exposure to anyone else, here's the recipe:
- Don't enable live sharing. Leave the live-tracking link disabled in admin → Live access. No public URL means nobody can pull your real-time position.
- Set every trip to Private. Default visibility is Unlisted, but Private goes further — even with the URL, viewers need a password.
- Don't share trip URLs. No matter how restrictive the visibility setting, if you don't share the link, nobody sees it.
- Skip the email-subscriber feature. No subscribers means no automatic notifications, no email lists, nothing leaves your account.
- Define privacy zones around every sensitive location — home, office, family addresses, school routes. Pick the strictest mode that fits (Remove or Cloak for the highest protection).
- Use your private subdomain only — don't advertise your tracker URL anywhere public.
- Pick the shortest data-retention window your plan allows. Fewer days online = a smaller window for any future incident.
The result: an account that only you can see, with a logbook that exists for you alone.
What we collect
- Your account: email, optional display name, sign-in timestamps and IP for security.
- Your GPS points: latitude, longitude, timestamp, optional altitude / speed / heading / accuracy. Whatever your device publishes is what we store.
- Your trip metadata: name, dates, description, photos with captions.
- Your subscribers' emails (if you use that feature).
We don't collect anything else. No third-party analytics scripts on authenticated pages. No cross-site tracking pixels.
Data retention
Each pricing plan defines a maximum number of days of GPS history we keep online. Points older than that are automatically deleted by a nightly cleanup job. The Nomad plan keeps essentially forever; the smaller plans keep 30–365 days depending on tier — see Pricing.
You can also manually delete a date range from the admin → Data management.
Exporting your data
From the admin you can export:
- All GPS points for any trip as JSON or CSV.
- Trip metadata as JSON.
- Photos as a zip.
There's no proprietary format — everything is plain GPS lat/lon plus timestamps.
Account deletion
You can delete your organization from the admin → Settings → Danger zone. Deletion removes all GPS data, trips, photos, and subscriber emails immediately. Backups are purged within 30 days.
Where we run
Hosting is in EU data centers. We don't share your GPS data with advertisers, insurers, or any third party. Marketing emails are sent through Resend; GPS routing is enriched by Mapbox (Map Matching API) and Open-Meteo (weather) — both receive only anonymized lat/lng without your account identity.
Third parties
| Service | What it sees | Why |
|---|---|---|
| Resend | Email addresses + email content | Magic-link + notifications |
| Mapbox | Anonymized lat/lng of trip routes | Snap routes to roads |
| Open-Meteo | Anonymized lat/lng + timestamp | Weather lookups |
| Stripe | Billing email, payment method | Subscription billing |
Any of these can be disabled (with reduced functionality) by emailing us; ask if you have specific compliance requirements.
Questions
For a privacy or data-handling question that this page doesn't answer, reach the team via the Contact support link in the footer (anything labelled "privacy question" routes to a human within 24h).
Need help? Contact support · Where Is Tereza?