Waypoint

Last updated June 2026

Privacy policy

This policy explains what we collect when you organize or join a Waypoint race, how long we keep it, and how to ask us to delete it. We built Waypoint for EU corporate team events — we aim to be clear and proportionate.

Request data deletion by email

Who we are

Waypoint runs Waypoint, a GPS challenge race you play in your browser on your phone — solo or with other teams.

Questions about privacy: mantas.marcinkus.bio@gmail.com.

What we collect

During a race we may process:

  • GPS location while the race is active — to show your position on the map and proximity hints (honor-based; we do not block submits by GPS alone).
  • Photos you submit as challenge evidence — compressed on your device before upload.
  • Team names and participant display names you enter in the lobby.
  • Organizer account email and authentication data when you create an Event or Corporate race.
  • Technical and usage events (e.g. funnel steps, challenge completions) via privacy-oriented analytics — participant identifiers are hashed where possible.

Why we use it

We process this data to run the race you joined or organized, generate place-aware challenges, take payment for paid tiers, improve the product, and comply with law.

Legal bases under GDPR: performance of the service (Art. 6(1)(b)), legitimate interests in operating and improving Waypoint (Art. 6(1)(f)), and consent where we ask for it explicitly (e.g. optional marketing — not required to play).

Who helps us process data

We use trusted subprocessors, each under appropriate data-processing terms:

  • Supabase — database, authentication, and file storage (EU-capable hosting).
  • Stripe — payment processing for Pro and Event unlocks.
  • OpenAI — server-side challenge text generation (Pro+ tiers); prompts may include place names near your play area, not your live GPS.
  • Mapbox — map tiles and geocoding in the app.
  • PostHog — product analytics (events mirrored from our database when configured).

How long we keep it

GPS traces tied to your session are kept only while relevant to an active or recently ended race, then removed or anonymized.

Challenge photos, names, and race results are kept so teams can view results, wrap-up, and Event/Corporate recaps. Photos are deleted automatically 90 days after a race ends (configurable via PHOTO_RETENTION_DAYS on our side).

Organizer account data is kept while your account is active and as required for billing and legal obligations.

Your rights

If you are in the EEA (including Lithuania), you may request access, correction, deletion, restriction, portability, or object to processing where applicable.

You may lodge a complaint with your local supervisory authority. In Lithuania: Valstybinė duomenų apsaugos inspekcija (VDAI), ada.lt.

Request deletion

Email mantas.marcinkus.bio@gmail.com with the subject "Data deletion request". Include your race link, join code, or race ID, and what you want removed (photos, names, GPS, or the full race record).

Organizers can also ask us to purge a specific race. We aim to respond within 30 days.

Security

Session tokens are server-side secrets not exposed to other teams. Photos and race data are stored in access-controlled infrastructure.

Changes

We may update this policy. The date at the top reflects the latest version. Material changes to Event/Corporate processing will be communicated to organizers where required.

← Back to home