Legal

Privacy Policy

Effective date: May 1, 2026  ·  Last updated: May 2026

This Privacy Policy explains how Historic Walk ("we," "us," or "our"), a Virginia-based company, collects, uses, and protects your information when you use the HistoricWalk platform at historicwalk.tours (the "Service"). This policy applies to both visitors who take tours and institutions that use our platform to create and publish tours.

1. Information We Collect

We collect information you provide directly and information generated automatically when you use the Service:

• Account information: name, email address, and profile photo, provided via Google Sign-In or email/password registration.
• Purchase information: transaction records processed through Stripe. We do not store credit card numbers — Stripe handles all payment processing.
• Tour activity: which stops you have completed, challenge answers, and photos you submit for observation challenges.
• Location data: GPS coordinates, collected only while you are actively on a GPS-guided tour and only with your explicit permission. We do not track your location in the background.
• Device data: browser type, operating system, and device identifiers used to deliver the app and diagnose issues.
• Usage data: pages viewed, buttons tapped, and time spent — used to improve the experience via aggregated analytics.
• Institution content (for tour creators): tour text, audio files, images, floor plans, and map coordinates uploaded by institution administrators to build tours on our platform.

2. How We Use Your Information

• To provide, operate, and maintain the Service.
• To process purchases and send purchase confirmations.
• To save your tour progress and badge achievements.
• To send proximity alerts when you are near a tour stop (only if you have enabled notifications).
• To respond to your support requests.
• To provide institution administrators with analytics about their tours (visitor counts, stop completion rates).
• To improve the Service through aggregated, anonymized analytics.
• To comply with legal obligations.

3. Third-Party Services We Use

We do not sell your personal information. We share information only as necessary to operate the Service with the following trusted providers:

• Supabase — database, authentication, and file storage. Stores your account data, tour progress, and uploaded media. See Supabase's Privacy Policy.
• Stripe — payment processing. See Stripe's Privacy Policy.
• Google — optional Sign-In provider. See Google's Privacy Policy.
• Mapbox — interactive maps within the app. Your approximate location may be sent to Mapbox to render map tiles when you are on a GPS tour. See Mapbox's Privacy Policy.
• PostHog — product analytics. We use PostHog to understand how visitors and administrators use the Service. Data is anonymized and aggregated where possible. See PostHog's Privacy Policy.
• Cloudflare — our hosting, CDN, and security provider. All traffic to historicwalk.tours passes through Cloudflare's network. See Cloudflare's Privacy Policy.
• Legal authorities — when required by law, court order, or to protect the rights and safety of our users or the public.

4. Cookies and Local Storage

We use browser local storage and session storage to save your settings, tour progress, offline audio and photo content, and one-time preference flags (such as whether you have been asked about location access). We do not use third-party advertising cookies. PostHog may set a first-party analytics cookie to recognize returning visitors; you may clear this via your browser settings.

5. Data Retention

We retain your account and tour progress data for as long as your account is active. Institution tour content is retained for the duration of the institution's active subscription. If you delete your account (or if your institution's subscription ends and you request deletion), we will delete your personal data within 30 days, except where retention is required by law (for example, transaction records may be retained for up to 7 years for tax purposes).

6. Your Rights (Virginia VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with the following rights:

• Access: request a copy of the personal data we hold about you.
• Correction: request that we correct inaccurate personal data.
• Deletion: request that we delete your personal data.
• Portability: receive your personal data in a portable, commonly used format.
• Opt out of sale or targeted advertising: we do not sell your data or use it for targeted advertising, so these rights are not applicable.

To exercise any of these rights, contact us at the address below. We will respond within 45 days as required by law. We may need to verify your identity before processing your request.

7. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

8. Security

We use industry-standard measures — including HTTPS encryption, access controls, and row-level database security — to protect your data. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security but we take reasonable precautions and will notify affected users of any confirmed data breach as required by law.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised effective date. For material changes, we will provide additional notice (such as an in-app notification or email). Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, data requests, or concerns, please contact us: