Privacy Policy

Effective: March 28, 2026

1. Information We Collect

Account Information

When you register, we collect:

• Email address and username (required for all accounts).
• Display name and avatar (optional, editable in your profile).
• Password hash — we never store your password in plain text.

OAuth Data

If you sign in with Google or GitHub, we receive your name, email, and profile picture from the provider. We store a provider identifier to link your account — we do not store your OAuth access tokens long-term.

Location Data

When you create a post, we collect the GPS coordinates from your device. These coordinates are stored with the post and are visible on the public map. We also use your approximate location to enforce the 1 km proximity restriction for posting.

Location data is only collected when you actively create a post or grant location permission. We do not track your location in the background.

Content

Posts, comments, votes, and uploaded images are stored for the duration of the post's lifetime (up to 7 days). Once a post expires, all associated content is permanently deleted.

2. How We Use Your Information

• Providing the service: Displaying posts on the map, rendering profiles, computing karma scores.
• Authentication: Verifying your identity via JWT tokens and OAuth sessions.
• Location enforcement: Validating proximity when you create a post.
• Moderation: Enabling moderators and administrators to review and remove content that violates our terms.

3. Cookies & Tokens

GeoPost uses JWT (JSON Web Tokens) for authentication rather than traditional cookies.

• Access tokens are short-lived (15 minutes) and stored in memory.
• Refresh tokens are stored server-side in Redis and rotate on each use. They expire after 30 days of inactivity.
• Session cookies are used by NextAuth.js to maintain your logged-in state in the browser.

4. Data Storage & Security

• User data and posts are stored in a PostgreSQL database with PostGIS for geographic queries.
• Refresh tokens are stored in Redis with automatic expiration.
• Uploaded images are stored on the server filesystem and served over HTTPS.
• Passwords are hashed with bcrypt before storage.

5. Data Retention

• Posts: Automatically deleted after expiry (24 hours to 7 days depending on engagement). A background worker checks for expired posts every 5 minutes.
• Account data: Retained as long as your account is active.
• Refresh tokens: Automatically expire after 30 days.

6. Third-Party Services

We integrate with the following third-party services:

• Google OAuth — for sign-in. Subject to Google's Privacy Policy.
• GitHub OAuth — for sign-in. Subject to GitHub's Privacy Statement.
• OpenFreeMap — for map tiles. No user data is shared with this service.

7. Your Rights

You may:

• Update your display name and avatar from your profile settings.
• Delete your own posts at any time.
• Request account deletion by contacting us.

8. Children's Privacy

GeoPost is not intended for users under the age of 13. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes take effect when posted. Continued use of GeoPost constitutes acceptance.

10. Contact

Privacy questions? Reach out at [email protected].