The one-minute summary
LightGPX records your location while you shoot so your photos can be placed on a map later, and syncs every point to your other devices through your private account. That is the whole app. Here is what that involves, in one paragraph:
- Your GPS track is stored on your device and on your private cloud account. The cloud account is what lets your Mac see a trip you recorded on iPhone.
- We never sell, rent, or share your location or account data. We do not run ads.
- We do not embed analytics SDKs, ad SDKs, or any identifier-for-advertisers logic.
- We use Sign in with Apple or Google only to tie your data to your account. We do not get your contacts or any profile data beyond the account identifier and email.
- You can delete your account from inside the app, which makes all of your server-side data permanently inaccessible.
Who we are
LightGPX ("the app", "we") is a product operated by Valentino Zegna, an individual developer. For data-protection purposes, we are the data controller.
- Contact: privacy@lightgpx.com
What we collect
Exactly four categories of data:
- Location data — your trip, track, point, and clock-sync records.
- Account data — an account identifier and email address from Sign in with Apple or Google.
- Diagnostics — anonymous crash reports and technical error logs.
- Device metadata — a per-install device UUID (generated by the app, stored in your Keychain) and the app version, used only to distinguish devices on a single account.
We do not collect: photos, photo EXIF, contacts, calendars, microphone audio, the names of other apps you use, your IP address beyond what is necessary to service an HTTPS request, your precise advertising identifier, fingerprints, voiceprints, or any biometric.
Location data
Location data is why the app exists. This section is the one to read.
What a point looks like
Each point is a row with a timestamp (ISO 8601 UTC), latitude, longitude, altitude (if available), horizontal and vertical accuracy, speed, and course. Points are grouped into tracks and trips. A trip may carry an optional user-provided name (e.g. "Session — May 2026"). Clock-sync marks (one short row per camera offset captured) are also recorded so multi-device geotagging can anchor.
Where it lives
All tracking is written first to a local GRDB database on your device, inside your app's private container. That local copy is the source of truth and the app never needs the network to record, export, or read a trip.
What goes to the cloud
Once you have signed in, the app continuously syncs your trips, tracks, points, and clock-sync marks to our Supabase project over TLS. Rows are scoped to your user ID with database-level row-level security, so even our own queries can only read your data when executed in your authenticated session. Sync is bidirectional: a trip recorded on iPhone shows up on your signed-in Mac, typically within about a second and a half, via Supabase Realtime push.
If the network is unreachable, recording continues locally and the queue drains to the cloud the next time you have signal.
What we do with it
We sync it across your devices and back it up so you can restore it after a phone loss. That is the only purpose. We do not aggregate it, analyse it, run models on it, derive heat maps, enrich it with third-party places databases, or share any part of it with any partner, broker, or advertiser. There is no "anonymised" location product; we do not operate one.
Live Activity & Lock Screen
While recording, a Live Activity shows the elapsed time, point count, and distance on your Lock Screen and Dynamic Island. That data is rendered on your device; it is not sent to our servers for rendering.
Account data
Creating an account is required to use the app, so that every row in our database is owned by someone and nothing is addressable by anyone else. You sign in with Apple or Google; we use Supabase Auth to complete the OAuth handshake.
What we receive from the identity provider:
- A stable identifier for you (an Apple Relay ID or Google subject ID)
- An email address — either your real one or Apple's private relay address, at your choice
What we do not receive: your name, photo, contacts, friends list, calendars, or social graph.
We store the identifier and email in our user_profiles table. The email is used only to send account-critical mail (e.g. deletion confirmations) and to let you recover access if something goes wrong. We do not send newsletters.
Diagnostics & crash reports
The app sends crash reports and unrecoverable-error traces to Sentry. These include:
- The crash stack trace
- Device model, iOS or macOS version, app version and build
- An anonymous installation identifier
These do not include: your email, your account identifier, OAuth tokens, track IDs, or any latitude/longitude. Sentry is configured to scrub PII before the payload leaves the device.
You can opt out of diagnostics in Settings → About → Send diagnostics. When off, no crash reports leave the device.
Third parties
We use the minimum number of third-party services required to run the app. Each one is listed here with what it receives and why.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Apple | Sign in with Apple, App Store delivery, Push for Live Activity | OAuth handshake, crash reports if Apple Diagnostics is on | Apple-operated |
| Google | Sign in with Google | OAuth handshake only | US |
| Supabase | Auth and backend database for cross-device sync and backup | Account identifier, email, trip / track / point / clock-sync rows | EU (Frankfurt) |
| Cloudflare | Marketing website hosting and DNS | HTTP request metadata only (no app data) | Global edge |
| Sentry | Crash and error diagnostics | Stack trace, device model, app version | EU |
We do not use: Google Analytics, Firebase Analytics, Firebase Crashlytics, Meta SDK, TikTok SDK, Mixpanel, Amplitude, Segment, or any attribution or ad-measurement SDK.
Retention & deletion
On your device
Your local database stays on your device until you delete the app, at which point the operating system removes the app container and its contents.
On our servers
Synced trip, track, point, and clock-sync rows are retained for as long as your account exists. Data created in your account is yours. You can delete individual trips from the app at any time; deletions propagate to our database as tombstones (a deleted_at timestamp), which makes the rows unreadable via any query path, including ours, and ensures the deletion reaches every other device on your account.
Account deletion
You can delete your account from Settings → Account → Delete account. On confirmation, a server-side Edge Function runs in a single transaction:
- Sets deleted_at on your user_profiles row, which causes all row-level security policies to refuse access to any data owned by you.
- Hard-deletes your identity row from the authentication table, so the same Apple/Google identity cannot sign back in as you.
The practical effect is that your data becomes permanently inaccessible — to you, to us, and to any future employee or attacker. We retain the rows for operational and audit reasons; they are unreadable. You may, by writing to us, request a hard delete of the underlying rows; we will comply within 30 days.
Your rights
If you are in the European Economic Area, the United Kingdom, Switzerland, California, or another jurisdiction with comparable legislation, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion (as above, and the residual hard delete on request)
- Object to processing and request restriction
- Port your data in a machine-readable format (GPX export from the app satisfies this for tracks)
- Lodge a complaint with your local supervisory authority
The simplest path for any of the above is email. We reply to every message.
Children
LightGPX is not directed to children under 13. We do not knowingly collect data from them. If you believe a minor has created an account, email us and we will delete it.
Changes
If we change anything material on this page, we will update the effective date at the top and, where we have your email, send you a note describing what changed and why. Changes that are clarifications — not expansions — may ship silently; the version line tracks those.
Contact
Questions, requests, corrections, or complaints go to privacy@lightgpx.com. A real person reads every message.
Valentino Zegna
LightGPX