HistoryAround — Privacy Policy
Last updated: May 31, 2026 (slimmed Subscriptions section — billing, cancellation, refunds, and fair-use limits now live in the new Terms of Service; usage counter wording aligned with current limits)
What We Collect
- Device ID (Android ID) — A persistent, anonymous device identifier. It has no link to your name, email, or any account. Sent to our server with every request to enforce usage limits, verify subscription status, and for anonymous analytics (route, response time, app version, error codes, and named in-app events). When you are signed in with Google (see below), your scan quota and cloud backup are keyed to your Google account instead of the device ID, but the device ID is still sent for technical analytics, rate-limiting, and to keep your Free-tier lifetime counter tied to the device.
- Google Account Identifier, Email, and Name (optional) — If you choose to sign in with Google — required to subscribe to Premium, optional otherwise — we receive your Google Account's stable identifier (the OpenID Connect "sub" claim, a numeric value), your email address, and your display name from Google's OpenID Connect identity service (via the standard openid, email, and profile scopes). We use the identifier to associate your Premium subscription and Cloud Sync backup with your account so they follow you across devices. We use the email address to (a) display your account in the Settings screen so you can verify which Google account you're signed in with, (b) contact you for support if you reach out, and (c) verify your identity when you request account deletion through the web fallback. We use the name only to display a friendly greeting in the app and in our internal admin/support dashboards when investigating issues you report. We do not receive your profile photo, contacts, gender, age, friends list, or any other Google profile data. Sign-in is processed via Google's official OAuth 2.0 / OpenID Connect endpoints; your Google password is never seen by HistoryAround. You can sign out at any time from Settings (the cloud backup is preserved on our servers and resumes when you sign back in), or permanently delete your account and cloud backup using "Delete account" in Settings.
- Location for Nearby Discovery — When you scan for nearby places, either by tapping "Scan Now" or through automatic background scanning, your device's location is sent to our server. From there it is forwarded to OpenStreetMap and Wikimedia (Wikipedia/Wikidata) to find nearby historical points of interest, and to Google Places only to fetch photos for places that have a Google photo reference. Your precise coordinates are not stored, logged, or tracked on our servers — they are used only to fulfill the in-flight scan request and are then discarded.
- Background Location — When you start an Explore session, the app may continue scanning in the background as you move. This requires the "Allow all the time" location permission on Android, which you grant yourself in your device settings — the app only checks the permission and never requests it at runtime. You can stop background scanning at any time by tapping "Stop" in the app. As with foreground scanning, precise coordinates are never stored on our servers.
- Approximate Location for Analytics (Country and City) — When your device makes any request to our server, our infrastructure provider (Cloudflare) derives your approximate country and city from your IP address at the network edge. We store this country/city alongside your anonymous device ID in our analytics database so we can understand the geographic distribution of our users and improve the service for regions with weaker historical-data coverage (for example, where OpenStreetMap and Wikidata are sparse). This is separate from the precise GPS location described above — it never includes coordinates, street-level data, or any other granular location information. It is associated only with your anonymous device ID, never your name, email, or account. Retained for up to 90 days, then automatically purged.
- Crash and Error Reports — When the app encounters an unexpected error (a JavaScript exception, a render crash, etc.), a short technical description is sent to our server: the error message, a truncated stack trace (up to 8 frames / 500 characters), and the name of the screen where the error occurred. Before sending, the report is automatically scrubbed to remove anything that looks like a coordinate, URL, or long identifier. These reports contain no personal data, no precise location, and no user content — they are used solely to diagnose and fix bugs. Associated with your anonymous device ID and retained for up to 90 days.
- Diagnostic Technical Logs — In addition to analytics events, our server records short-term diagnostic logs for each request (request ID, route, response status, duration, error category, app version, approximate country). These persist for up to 7 days and are used to investigate operational issues and bug reports. They contain no precise location, no place names, and no user content — only technical metadata about the request itself.
- Device Integrity Attestation — On Android release builds, every discovery request includes a Google Play Integrity token. Google generates this token on-device to confirm the request is coming from a genuine, unmodified copy of HistoryAround running on a real Android device. The token contains no personal data and is verified server-side, then discarded. See Google's Play Integrity documentation for details.
- Usage Counter — A small per-account counter stored on our server with your device ID. For free users this counts lifetime scans and lens regenerations so we can enforce the free allowance. For Premium subscribers this counts per UTC calendar month and resets at the start of each month. The counter contains only two integers; no scan content, no location, no timestamps. Current limit values are described in our Terms of Service.
- Cloud Sync Data (optional) — Cloud Sync is off by default. When you enable it in Settings, you are asked for explicit consent. Once enabled, your discovery cards, saved places, collections, and session history are uploaded to our server and associated with your device ID only. You can disable Cloud Sync or permanently delete your cloud data at any time from Settings ("Clear All Data").
Notifications
The app sends local notifications (never remote/push) to inform you of new discoveries during a scan. Notification content is generated on-device. No notification tokens or data are sent to any server.
What We Do NOT Collect
- Phone number, address, profile photo, contacts, age, gender, or any personal account info beyond the email address and display name described above (only collected when you voluntarily sign in with Google)
- IMEI, advertising ID, or any device identifier other than Android ID
- Browsing history or social-media data
- Persistent precise location history — your GPS coordinates are never stored on our servers, even during background scanning. (Approximate country/city derived from your IP is stored for analytics — see the Approximate Location for Analytics bullet above.)
Third-Party Services
- OpenStreetMap (Overpass API) — receives your approximate location to look up historic points of interest nearby. Subject to the OpenStreetMap Foundation Privacy Policy.
- Wikimedia (Wikipedia & Wikidata) — receives place identifiers and may receive your approximate location to enrich discovery cards with encyclopedic context. Subject to the Wikimedia Foundation Privacy Policy.
- Google Places Photos API — receives a place identifier (not your raw location) to return a photo for places that have a Google photo reference. Subject to Google's Privacy Policy.
- Google Gemini API — receives place names and context to generate discovery descriptions. No precise location data is sent. Subject to Google's Privacy Policy.
- Google Play Integrity API — performs on-device attestation that the app is genuine and unmodified, returning a signed token we verify server-side. Subject to Google's Privacy Policy.
- Google Maps SDK for Android — renders the in-app map. When you view the map, your device contacts Google directly to download map tiles for the visible area. Google receives your IP address and the map viewport coordinates needed to serve those tiles. HistoryAround does not pass your precise GPS location or device ID to the Maps SDK. Subject to Google's Privacy Policy.
- Google Sign-In (OAuth 2.0 / OpenID Connect) — used only if you choose to sign in. Google receives a request from the app to authenticate you and returns an identity token containing your account's stable identifier and verified email address. No password or other account credentials pass through HistoryAround. Subject to Google's Privacy Policy.
- RevenueCat — manages subscriptions via your Google Play or App Store account. When you are signed in with Google, your Google sub identifier is used as the RevenueCat App User ID so your subscription follows your Google account rather than your device. Subject to RevenueCat's Privacy Policy.
- Cloudflare — hosts our server infrastructure, stores cloud-synced data (if enabled), and derives your approximate country/city from your IP address at the network edge for analytics. Subject to Cloudflare's Privacy Policy.
- Expo (EAS Update) — delivers over-the-air JavaScript updates to the app. When the app launches, it queries Expo's update service to check for newer versions. The request includes technical metadata (platform, app runtime version, release channel, current update identifier) and your IP address — but no personal data, location, or app-usage information. Subject to Expo's Privacy Policy.
Permissions
- Foreground Location — Required to find places near you when you tap "Scan Now."
- Background Location — Optional. Enables continuous scanning as you move with an active Explore session. On Android, background scanning runs as a foreground service that displays a persistent notification while a session is active, so you are always aware when the app is using your location. You can stop the session at any time, or revoke the permission entirely in your device settings.
- Notifications — Optional. Used for local notifications about new discoveries. No remote push notifications are sent.
Data Storage
By default, all your discovery cards, saved places, and session history are stored locally on your device. Your device ID and usage counters are always stored on our server regardless of Cloud Sync.
If you enable Cloud Sync, your data is uploaded to our secure server hosted on Cloudflare, associated with your anonymous device ID only. You can disable Cloud Sync at any time, and you can permanently delete your cloud data using "Clear All Data" in Settings or by contacting us.
We may access cloud-synced data for troubleshooting, customer support, and service improvement purposes. This data is never shared with third parties or used for advertising.
App Updates
HistoryAround uses Expo's update service to deliver bug fixes and improvements without requiring a Play Store update. Each time you launch the app, it makes a single technical request to Expo's update server (u.expo.dev) to check whether a newer JavaScript bundle is available. This request contains only technical metadata about your installed version — it does not include your location, your discoveries, or any personal data. If a new bundle is available, it is downloaded in the background and applied the next time you open the app.
Subscriptions
If you subscribe to HistoryAround Premium, your subscription is managed through Google Play and RevenueCat. We receive a subscriber identifier to verify your subscription status — we do not receive or store your payment details. Billing, cancellation, refunds, and fair-use limits are described in our Terms of Service.
Children
HistoryAround is not directed at children under 13. We do not knowingly collect information from children.
GDPR & Your Rights
We collect your Android ID, an anonymous device identifier that cannot be used to identify you personally. This identifier persists across app reinstalls but has no link to your name, email, or any personal account.
Under GDPR and similar privacy laws, you have the right to:
- Access — Request a copy of your data by contacting us with your device ID.
- Deletion — Use "Clear All Data" in Settings to permanently delete both local and cloud data. If you are signed in with Google, use "Delete account" in Settings → Account to permanently remove your account, cloud backup, and account-to-device link records from our servers. If you no longer have access to the app, you can request deletion via the web fallback at historyapp-proxy.historyaround.workers.dev/account/delete.
- Withdraw consent — Disable Cloud Sync at any time in Settings, or sign out from Settings → Account (signing out preserves your cloud backup so you can sign back in later — it does not delete data). Your cloud data will remain stored until you explicitly delete it.
What gets deleted
When you use "Clear All Data" or "Delete account", or request deletion via the web fallback, the following is permanently removed from both your device and our servers:
- Discovery cards and session history
- Saved places and collections
- Cloud backup data
- Your Google account identifier (sub), email address, and display name (when signed in)
- Account-to-device link records (audit trail of which device IDs linked to which Google account)
- Your subscription record on our subscription provider (RevenueCat) — note that your Google Play subscription itself is not automatically cancelled by account deletion; you must cancel it yourself in Google Play if you do not want to be billed again
The following is retained:
- Usage counters (two integers per device ID — lifetime totals for free users, monthly totals for Premium subscribers) — retained alongside the device ID until deletion is requested
- Anonymous analytics logs (route, response time, app version, error codes, approximate country/city derived from IP, and named in-app events such as "scan started" or "card opened") — retained for up to 90 days, then automatically purged. These contain no personal data and no precise location.
- Crash and error reports (scrubbed error message + truncated stack + screen name) — retained for up to 90 days, then automatically purged.
- Diagnostic technical logs (request IDs, timings, error categories) — retained for up to 7 days, then automatically purged.
For any data-related requests, contact us at the email below with your device ID (found in Settings).
Changes
We may update this policy from time to time. The latest version is always available at this URL.
Contact
Questions? Reach us at erenozataa@gmail.com.