Privacy Policy

Privacy Policy

Last updated: May 25, 2026

LoreAtlas stores which places you've visited — not where you've been.

LoreAtlas (“we,” “us,” “our”) is an independent project currently operated by Stefanie L. Cosman as a sole proprietor doing business as LoreAtlas in Los Angeles, California. We plan to transition to a California LLC. This policy explains what information we collect, how we use it, and your choices regarding your data.

LoreAtlas is designed to keep as much of your data on your device as we possibly can. That's not just policy — it's product design. We don't track your continuous location. We don't sell your data. We don't use third-party advertising networks. Full stop.

Contact: privacy@getloreatlas.com · LoreAtlas · Los Angeles, CA 90020

1. What LoreAtlas Does

LoreAtlas is a GPS-powered city discovery app and editorial field guide to heritage sites, architecture, food history, hidden stories, and the things Los Angeles tries to forget. You can use LoreAtlas through our website (loreatlas.app) or our native Android app. An iOS app is in development.

The App uses your device's location to show you nearby sites, send proximity notifications when you walk past somewhere worth knowing about, and track which places you've discovered. It also supports walking routes, content packs, and a Field Agent subscription for premium content.

The simple version: we keep as much of your data on your device as we can. We store which places you've discovered — not where you've been.

2. Information You Provide

Account Information. If you create an account, we collect your email address and a password. Account creation is handled by Supabase, our authentication provider. We do not store your password in plaintext — it is encrypted and managed by Supabase.

Email Signup. If you join our Field Dispatches email list (separate from creating an account), we collect your email address. This is processed by HubSpot, our email and CRM provider. You can unsubscribe at any time.

Content Interests. During onboarding, you may select content interest categories (such as Architecture, Film & Hollywood, Food & Drink, Haunted & Dark, and others). These preferences are stored locally on your device.

Feedback and Corrections. If you contact us to report a correction, submit feedback, or request support, we collect the information you choose to share with us.

3. Information Collected Automatically

Foreground Location. When you enable GPS and the App is open, we access your device's location to show you nearby sites, display your position on the map, calculate distances, and determine when you are within proximity of a site to mark it as “visited.” This processing happens on your device in real time. We do not transmit your precise GPS coordinates to our servers under normal operation.

Background Location. If you enable Background Alerts on the Android app, we access your device's location while the App is closed or backgrounded so we can fire a notification when you walk near a heritage site. Background location is used only for proximity-triggered notifications. We do not log it, store it, or transmit it to our servers. You can disable Background Alerts at any time in the App or in your device settings.

Visited Places. When you discover a site (by opening it within GPS range or marking it manually), the App records that site's ID as “visited.” Your visited list is stored locally on your device. If you are signed into an account, your visited history may sync to our servers (via Supabase) to preserve your progress across devices. In that case we store only site IDs and timestamps — not GPS coordinates, not paths, not location history.

Notification Interactions. When you tap a proximity notification, the App opens the corresponding site. We do not separately log notification taps to our servers, but our analytics tools may record that a site was opened (without recording your location).

Purchase & Subscription Information. When you purchase a content pack or subscribe to Field Agent, the transaction is processed by Stripe (web) or by Apple or Google's in-app purchase systems (mobile). These providers collect your payment information directly — we never see or store your full card details. We receive confirmation of which product you purchased, when, and (for subscriptions) the renewal status. Subscriptions auto-renew unless cancelled. See Section 8 for full subscription terms.

Device and Usage Information. When you use the App, we may automatically collect basic technical information such as device type, operating system, browser type, app version, screen size, and general usage events to operate and improve the App. This data may include anonymized device identifiers but is not used to track your precise location or identity.

Analytics. See Section 5 for the full list of analytics services we use and what each one collects.

Local Storage. The App uses your browser's localStorage (and native app local storage) to remember preferences, content unlock status, visited site history, route progress, onboarding flags, and session data. This data is stored locally on your device. We do not use tracking cookies for advertising purposes.

4. Notifications & Background Processing

If you enable notifications, LoreAtlas will send you proximity alerts when you are physically near a heritage site documented in the App. These notifications are generated locally on your device — we don't send push notifications from our servers, and we don't maintain a list of who is near which site.

What Background Location Is For. On Android, the App requests permission to use your location in the background solely to trigger proximity notifications when the App is not in the foreground. We do not collect or use background location for any other purpose — no advertising, no analytics, no profile building, no sharing with third parties.

How to Disable. You can disable Background Alerts at any time in the App's alert panel (tap the bell icon) or in your device's Settings > Apps > LoreAtlas > Permissions. Disabling Background Alerts does not affect foreground use of the App.

Haptic Feedback. The App uses your device's vibration system (via Capacitor Haptics on Android) to provide a “heartbeat” pulse as you approach a site. This is on-device only and transmits nothing.

5. Third-Party Services

We use the following third-party services to operate the App. Each has its own privacy policy governing its data practices.

  • Supabase (Authentication & User Data). Handles account creation, login, password management, and storage of your visited sites and purchase records. Stores your email and encrypted password. supabase.com/privacy
  • Stripe (Payments). Processes content pack purchases and Field Agent subscriptions on the web. Stripe collects and stores payment information directly — we never see your full card details. Stripe may retain transaction records as required by financial regulations. stripe.com/privacy
  • Apple App Store & Google Play (Mobile In-App Purchases). When the iOS and Android apps process subscriptions or purchases through their respective stores, Apple and Google handle the transaction. They collect payment information and account data per their own privacy policies. apple.com/legal/privacy · policies.google.com/privacy
  • HubSpot (Email & CRM). Manages our Field Dispatches email list. If you sign up for emails, HubSpot may track email opens and clicks. HubSpot may also receive your form submission data and use cookies for tracking. legal.hubspot.com/privacy-policy
  • Vercel (Hosting & Analytics). Hosts the App and our website. Vercel may collect basic server logs including IP addresses and timestamps. We also use Vercel Analytics for first-party page-view analytics that do not use third-party cookies. vercel.com/legal/privacy-policy
  • PostHog (Product Analytics). We use PostHog to record anonymous, aggregated product events — for example, which site is being viewed, which content pack is being filtered, when a checkout begins. PostHog data helps us understand which features people use. We do not configure session replay or record screen interactions. PostHog data does not use third-party cookies. posthog.com/privacy
  • Google Analytics (May Be Used). We may use Google Analytics for general web and app usage analytics. When active, Google Analytics may collect device identifiers, browser type, general location (city/region, not GPS), and usage events. Google Analytics may use cookies. policies.google.com/privacy
  • Meta Pixel (May Be Used). We may use Meta Pixel to measure the performance of ads on Facebook and Instagram and to retarget visitors. When active, the Meta Pixel may record page visits, link clicks, and conversion events. Meta Pixel uses cookies. You can opt out via Meta's ad settings. facebook.com/privacy/policy
  • Capacitor (Native App Wrapper). The Android (and forthcoming iOS) app is built using Capacitor, an open-source native bridge. Capacitor itself does not collect data or transmit it to third parties. capacitorjs.com
  • Leaflet & OpenStreetMap (Maps). Map tiles are served by OpenStreetMap. Tile requests may include your general viewport area but not your precise GPS coordinates or device identifier. wiki.osmfoundation.org/wiki/Privacy_Policy

6. How We Use Your Information

We use the information we collect to operate the App, provide its core features (nearby discovery, visited tracking, walking routes, content unlocking, notifications), process purchases and subscriptions, send Field Dispatches emails if you signed up, respond to feedback and support requests, improve the App based on anonymized usage patterns, and protect against fraud and abuse.

We process your data based on the contract you enter when you use the App, based on your consent (such as enabling location services, notifications, or signing up for emails), and based on our legitimate interest in operating and improving the product. You can withdraw consent at any time.

What we don't do:

  • We don't sell your personal information to third parties.
  • We don't share your location data with advertisers.
  • We don't track your continuous GPS location or movement patterns.
  • We don't build advertising profiles based on your individual behavior.
  • We don't use third-party advertising networks within the App.
  • We don't use your data for purposes unrelated to the App.

7. Data Storage, Retention & Security

Local Data. Most of your App data — preferences, visited sites, unlock status, content interests, route progress — is stored locally on your device. It remains on your device until you clear it or uninstall the App.

Account Data. If you create an account, your email and encrypted password are stored by Supabase on its secure servers. We retain account data as long as your account is active and for a reasonable period after for backups, financial recordkeeping, and legal compliance. When you request account deletion, we will remove your data from our active systems within 30 days, with residual data removed from backups within 90 days, except where retention is required by law (for example, financial transaction records that must be kept for tax and regulatory purposes).

Email Data. If you subscribe to Field Dispatches, your email address is stored by HubSpot. It is retained until you unsubscribe or request deletion.

Purchase & Subscription Data. Records of your content pack purchases and subscription status are retained as long as your account is active, and for a reasonable period after for tax, accounting, and customer support purposes. Stripe, Apple, and Google may independently retain transaction records as required by financial regulations.

Security. We use industry-standard security practices appropriate for the type of data we handle, including HTTPS encryption in transit, encrypted password storage via Supabase, and access controls. However, no method of electronic transmission or storage is 100% secure. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.

8. Subscription Auto-Renewal

The Field Agent subscription auto-renews until cancelled. Here are the terms in plain language:

  • Billing. Your payment method is charged at the start of each subscription period (monthly or annual).
  • Renewal. Your subscription will automatically renew at the end of each period at the then-current price unless you cancel at least 24 hours before the renewal date.
  • Cancellation. You can cancel anytime through your account settings (web), through your Apple ID subscriptions (iOS), or through Google Play subscriptions (Android). Cancellation takes effect at the end of the current billing period — you keep your Field Agent benefits until then.
  • Refunds. Refunds are generally not provided for partial billing periods. Refund requests can be sent to support@getloreatlas.com and we'll review them in good faith. App Store and Play Store purchases are subject to those platforms' refund policies.
  • Price changes. If we change subscription pricing, we will notify you in advance and your continued subscription after the change constitutes acceptance.

9. Your Choices and Rights

Location Access. You can enable or disable GPS at any time in the App or in your device's settings. The App works without GPS — you can browse all content manually. You can separately disable Background Alerts while keeping foreground GPS on, or vice versa.

Notifications. You can disable notifications at any time in the App's alert panel or in your device settings. This disables proximity alerts. Foreground use of the App is unaffected.

Visited History. Your visited site history is stored on your device (and in your account if you're signed in). You can clear it by clearing your local storage or by deleting your account.

Email Communications. You can unsubscribe from Field Dispatches at any time by clicking the unsubscribe link in any email, or by emailing privacy@getloreatlas.com.

Subscription Cancellation. See Section 8.

Account & Data Deletion. You can request deletion of your account and all associated data by emailing privacy@getloreatlas.com with the subject line “Delete my account.” We will confirm and process your request within 30 days.

Data Export. You can request a copy of your personal data by emailing privacy@getloreatlas.com. We will provide your data in a commonly used format within 30 days.

Do Not Track. The App does not respond to “Do Not Track” browser signals because we do not engage in cross-site tracking. We do honor the Global Privacy Control (GPC) signal where applicable.

10. Children's Privacy

LoreAtlas is rated 16+ and is not directed at children. We do not knowingly collect personal information from anyone under the age of 16. The App contains content involving historical violence, organized crime, supernatural / occult themes, and adult-context subject matter that is not appropriate for younger users.

If you believe a child under 16 has provided us personal information, please contact privacy@getloreatlas.com and we will promptly remove the data.

11. United States Only

LoreAtlas is currently intended for users located in the United States. The App's content covers Los Angeles and surrounding California areas, and we don't actively market the App outside the US.

We do not currently offer the level of data-protection compliance required for users in the European Union, United Kingdom, or other jurisdictions with comprehensive data-protection laws (such as the GDPR, UK GDPR, LGPD, PIPEDA, or similar). If you are accessing the App from outside the United States, you do so at your own discretion and are responsible for compliance with your local laws.

We do not knowingly process personal data of EU or UK residents. If you believe we have collected your data and you reside outside the United States, please contact privacy@getloreatlas.com and we will delete it.

12. California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know. You can request a summary of the categories and specific pieces of personal information we have collected about you, the sources, the purposes for which it is used, and the categories of third parties with whom it is shared. The categories we collect include: identifiers (email address), commercial information (purchase and subscription history), internet or other electronic network activity (general usage data), and geolocation data (limited to visited site IDs, not continuous location).
  • Right to Delete. You can request deletion of your personal information, subject to certain exceptions (such as transaction records required by law).
  • Right to Correct. You can request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing. We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but you have the right to make this request.
  • Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes that would trigger this right under CPRA.
  • Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email privacy@getloreatlas.com. We may need to verify your identity before fulfilling your request. We will respond within 45 days, with one possible 45-day extension if needed.

Authorized Agents. You may designate an authorized agent to make a request on your behalf. We will require written authorization and identity verification.

13. App Store & Play Store Disclosures

When you download or use LoreAtlas via Apple's App Store or Google Play, Apple and Google may collect data about you and your use of the App according to their own privacy policies. Examples include device identifiers, in-app purchase records, crash reports, and account information.

Information about the data LoreAtlas collects is also disclosed in our App Store Privacy Nutrition Label (iOS) and Google Play Data Safety section (Android). The disclosures in those listings are derived from this Privacy Policy and should be consistent with it.

14. Changes to This Policy

We may update this Privacy Policy from time to time as the App evolves, as new analytics or features are added, or as regulations change. When we make changes, we will update the “Last Updated” date at the top. For material changes — anything that meaningfully affects how we collect, use, or share your data — we will notify you via email (if you have an account) or through a clear notice in the App.

Your continued use of LoreAtlas after a change becomes effective constitutes acceptance of the updated policy.

15. Contact

For any privacy question, data request, correction, or concern:

Email: privacy@getloreatlas.com

General support: support@getloreatlas.com

Mail: LoreAtlas · c/o Stefanie L. Cosman · Los Angeles, CA 90020

LoreAtlas is currently operated by Stefanie L. Cosman as a sole proprietor doing business as LoreAtlas. We plan to transition to a California LLC; once formed, this policy and contact information will be updated to reflect the LLC as operator. This change does not affect your rights under this policy.