Cerqa is a location-sharing app. We built it with a clear principle: your location data belongs to you. It is shared only when you choose to share it, only with the people you choose, and it is never sold or used for advertising.
Who We Are
Cerqa is operated by Cerqa LLC. This policy applies to the Cerqa mobile app (iOS and Android) and the website at cerqa.app. When we say "we", "us", or "our", we mean Cerqa LLC. When we say "you", we mean anyone who uses Cerqa.
If you have questions about this policy, contact us at privacy@cerqa.net.
Information We Collect
Account information. When you create an account, we collect your email address, first and last name, username, and optionally your phone number. This information is stored securely in our database (AWS DynamoDB via AWS Amplify/Cognito).
Profile photo. If you upload a profile photo, it is stored in a private AWS S3 bucket and only accessible to users who can see your profile. Photos are retained until you replace them or delete your account.
Location data. During an active location sharing session, we collect your GPS coordinates (latitude and longitude), speed, bearing (direction of travel), and GPS accuracy. We also transmit navigation data such as estimated distance and time remaining to your destination if you have started turn-by-turn navigation. This data is transmitted in real time to the people you have chosen to share with. It is not stored persistently on our servers — when a session ends, your live location is no longer transmitted or retained.
Messages and chat. Messages you send through Cerqa are stored on our servers (AWS DynamoDB) so they can be delivered and retrieved across devices. Messages include the text content, sender identity, timestamps, and read receipts. Message content is encrypted at rest using AES-256 before being written to the database; the encryption key is stored separately in AWS Secrets Manager and is not embedded in the application. Images sent in chat are stored in a private AWS S3 bucket. Messages are retained until you delete them or delete your account.
Notifications. In-app notifications (such as connection requests and location sharing invitations) are stored on our servers (AWS DynamoDB) so they can be retrieved in your inbox. The title and message content of these notifications are encrypted at rest using AES-256, with the encryption key managed via AWS Secrets Manager.
Device contacts. If you grant contacts permission, Cerqa reads your device contact list locally on your device to help you find friends who are already on Cerqa. Your contact list is not uploaded to our servers. Only when you explicitly add someone as a connection does a record of that relationship get stored on our servers.
Push notification token. We collect a push notification token (provided by Firebase Cloud Messaging on Android, or APNs on iOS) along with a device identifier and platform type (iOS or Android) to send you notifications. This is stored on our servers and linked to your account.
Voice input. If you use voice search, your voice is processed on-device using your device's built-in speech recognition. We do not receive or store your voice audio.
Background Location
Cerqa accesses your location in the background only during an active location sharing session — meaning you have explicitly tapped "Start sharing" in the app. Background location access is used solely to keep your live position updated for the contacts or group you chose to share with.
On Android: A persistent foreground service runs while sharing is active, and a notification is displayed at all times. You can stop sharing at any time by tapping "Stop Sharing" in the notification.
On iOS: The app uses the iOS background location mode to maintain location updates when you switch apps or lock your screen during an active session. The blue location indicator in your status bar will be visible while this is active.
Background location access stops immediately when your session ends, when the session timer expires, or when you force-quit the app. For a full explanation of our background location practices, see cerqa.app/background_location_disclosure.
How We Use Your Information
- To operate the app — authenticating your account, enabling location sharing sessions, delivering messages, and sending notifications.
- To help you find people you know — matching phone numbers from your device contact list against existing Cerqa users (processed locally, not uploaded).
- To deliver push notifications — location sharing requests, chat messages, connection invites, and arrival confirmations.
- To allow real-time location sharing with the contacts or groups you choose.
- To improve reliability and fix bugs through Firebase crash reporting and analytics.
We do not use your data for advertising, and we do not build advertising profiles from your location or usage data.
Sharing and Third Parties
We do not sell your personal data. We share your information only in the following circumstances:
- With people you choose. When you share your location or send a message, that data is shared with the specific contacts or group members you selected.
- With service providers. We use third-party services to operate the app. Each processes data only as necessary to provide its service.
- For legal reasons. We may disclose information if required by law, court order, or to protect the safety of our users or the public.
| Service | Purpose | Privacy Policy |
|---|---|---|
| AWS Amplify / Cognito | Account authentication and user management | aws.amazon.com/privacy |
| AWS AppSync / DynamoDB / S3 | Database storage for messages, profiles, and media | aws.amazon.com/privacy |
| AWS Secrets Manager | Secure storage of the AES-256 encryption key used to encrypt message and notification content | aws.amazon.com/privacy |
| Ably | Real-time transmission of location data and chat messages | ably.com/privacy |
| Mapbox | Maps display and turn-by-turn navigation | mapbox.com/legal/privacy |
| Google Places | Location search and place autocomplete | policies.google.com/privacy |
| Firebase (Google) | Push notifications (FCM), crash reporting, and app analytics | policies.google.com/privacy |
Data Retention
- Account data is retained until you delete your account.
- Live location data is not stored persistently. It is transmitted in real time during active sessions only.
- Messages are retained until you delete them individually or delete your account.
- Photos and media stored in S3 are retained until you replace them or delete your account.
- Push notification tokens are retained while your account is active and removed when you delete your account or revoke notification permission.
When you delete your account, we delete your profile, contacts, messages, and associated data from our servers. Some data may be retained in backups for a short period before being purged.
Your Rights and Choices
Location permission. You can revoke location access at any time in your device settings. The app will continue to work for messaging and other features that do not require location.
Contacts permission. You can revoke contacts access at any time. Revoking it does not affect connections you have already made.
Notification permission. You can disable push notifications in your device settings. You will still receive in-app notifications when the app is open.
Access and correction. You can view and edit your profile information within the app at any time.
Account deletion. You can delete your account from the Profile screen within the app. This permanently removes your account and associated data from our systems.
GDPR and CCPA. If you are in the European Economic Area, UK, or California, you have additional rights including the right to access, correct, or delete your personal data, and to object to certain processing. Contact us at privacy@cerqa.net to exercise these rights.
Security
All data is transmitted over TLS (HTTPS). Account authentication is managed by AWS Cognito. Media files are stored in private S3 buckets and accessible only via short-lived signed URLs. We do not store passwords — authentication credentials are managed by AWS Cognito.
Chat message content and in-app notification data (title and message fields) are encrypted at rest using AES-256 (CBC mode) before being stored in DynamoDB. The encryption key is managed via AWS Secrets Manager and is not stored in the application's source code or binary.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@cerqa.net.
Children's Privacy
Cerqa is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at privacy@cerqa.net and we will delete the account promptly.
Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you in the app or by email. Continued use of Cerqa after changes are posted constitutes acceptance of the updated policy.
Contact
If you have questions, concerns, or requests related to this Privacy Policy, contact us at:
Cerqa, LLC
privacy@cerqa.net