Privacy Policy

What data we collect and how we use it.

Effective April 7, 2026

1. WHO WE ARE

Witness Technologies, Inc. operates the Witness mobile application and the website at thewitnessapp.com (collectively, "Witness," "the platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have regarding your data.

If you have questions about this policy, contact us at privacy@thewitnessapp.com.

2. DATA WE COLLECT

2.1 Data You Provide Directly

  • Account information: email address and display name at registration; profile photo if you choose to upload one.
  • Report content: text, photos, videos, documents, and geographic location data attached to reports you submit.
  • Location data: GPS coordinates captured at the moment you choose to submit a report. We do not track your location continuously.
  • Social interactions: comments, corroborations, flags, and follows you submit.
  • Support communications: messages you send to our support or legal email addresses.
  • Marketplace data: if you opt into the content licensing marketplace, identity verification documents you provide.

2.2 Data Collected Automatically

  • Device information: device type, operating system version, and app version.
  • Session data: timestamps of logins, sessions, and key in-app actions. Used for trust scoring and abuse prevention.
  • IP address: captured at login and report submission for rate limiting and fraud detection. IP addresses are not stored long-term and are not associated with your public profile.
  • Crash reports and error logs: anonymized technical logs used to fix bugs.

2.3 Data from Third-Party Sign-In

If you sign in with Google or Apple, we receive your name and email address from those providers. We do not receive your password. Their privacy policies govern their own data handling. You should review them separately.

3. HOW WE USE YOUR DATA

We use your data only for the following purposes:

  • Creating and managing your account
  • Displaying your reports on the map and feed to other users
  • Calculating your trust score based on your activity and corroboration signals
  • Sending you push notifications about events you follow (only if you enable notifications)
  • Enforcing our Terms of Service and Content Policy, including abuse prevention and rate limiting
  • Improving the platform through aggregated, anonymized usage analytics
  • Facilitating content licensing transactions if you opt into the marketplace
  • Responding to legal requests where we are required to by law

We do not use your data to serve targeted advertising. We do not sell your personal data to any third party, including advertisers and data brokers.

4. LOCATION DATA

Location data is core to what Witness does. We handle it as follows:

  • Your GPS coordinates at the time of a report are stored in our database associated with that report.
  • Your exact GPS coordinates are never displayed publicly. Only a reverse-geocoded place name (for example, "Lower Manhattan, New York") is shown on your submitted reports.
  • You may choose to blur your reported location to city or region level before submitting.
  • We do not collect your location in the background. Location is only captured at the moment you initiate a report submission.
  • GPS coordinates are stored as part of the event record for verification and cross-referencing purposes.

5. HOW WE SHARE YOUR DATA

We share personal data only in the following circumstances:

5.1 With Service Providers

We use third-party vendors to operate the platform. These vendors process data on our behalf under data processing agreements and are not permitted to use your data for their own purposes:

  • Supabase (database infrastructure and authentication) -- supabase.com/privacy
  • Google Sign In (optional authentication) -- policies.google.com/privacy
  • Apple Sign In (optional authentication) -- apple.com/legal/privacy
  • Resend (transactional email delivery) -- resend.com/privacy
  • Vercel (website hosting) -- vercel.com/legal/privacy-policy
  • Expo / Expo Application Services (mobile app build and update infrastructure) -- expo.dev/privacy

5.2 With Marketplace Buyers

If you opt into the content licensing marketplace, your display name, trust score, and content may be shown to potential buyers. Your contact information is never shared directly with buyers; all transactions are facilitated through the Witness platform.

We may disclose your data if required by a valid legal order, subpoena, or government request. We will notify you of any such request unless prohibited by law. We will not voluntarily cooperate with data requests from governments that we have reason to believe are seeking data for the purpose of political persecution, surveillance of journalists, or suppression of lawful reporting. We publish a transparency report annually disclosing the number and nature of legal requests received.

5.4 In a Business Transfer

If Witness is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. DATA RETENTION

  • Account data is retained for as long as your account is active.
  • If you delete your account, your personal information (name, email, profile photo) is anonymized or deleted within 30 days.
  • Reports you submitted may be retained in anonymized form to preserve the integrity of public event records, or deleted in full at your request.
  • To request full deletion of all data associated with your account, email privacy@thewitnessapp.com with the subject line "Full Data Deletion Request."
  • Backups may retain your data for up to 90 days after deletion from primary systems.

7. SECURITY

We take reasonable technical and organizational measures to protect your data, including:

  • Row-level security (RLS) on our database so each user can only access their own private data
  • All data in transit encrypted via HTTPS and TLS
  • Passwords are never stored in plaintext; authentication is handled by Supabase Auth
  • API keys are rotated immediately upon any suspected or confirmed exposure
  • Access to production data is restricted to authorized personnel only

No system is perfectly secure. We cannot guarantee absolute security, and you use the platform at your own risk. If you believe your account has been compromised, contact security@thewitnessapp.com immediately.

8. REPORTER SAFETY AND SENSITIVE USE

Witness is used in environments where reporting can be dangerous. We build safety into our data practices:

  • Exact GPS coordinates are never surfaced publicly
  • Pseudonymous and fully anonymous reporting modes are fully supported
  • If you activate duress mode, your recent activity may be obscured from public view
  • We do not build or permit the building of facial recognition tools on Witness data
  • We do not cooperate with authoritarian government data requests voluntarily and will seek to challenge compelled disclosure through legal process where feasible

9. CALIFORNIA RESIDENTS -- CCPA RIGHTS

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal data we collect, use, disclose, and sell
  • The right to request deletion of your personal data
  • The right to opt out of the sale of personal data. We do not sell personal data.
  • The right to non-discrimination for exercising these rights

To exercise any of these rights, contact privacy@thewitnessapp.com. We will respond within 45 days.

10. EEA AND UK RESIDENTS -- GDPR RIGHTS

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restriction: request that we limit how we process your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to lodge a complaint with your local supervisory authority

Our legal bases for processing your personal data are:

  • Contractual necessity: processing required to provide the Witness service to you
  • Legitimate interests: trust scoring, abuse prevention, platform security, and improving the service
  • Consent: location capture (you initiate each capture), marketing communications (opt-in only)

To exercise any GDPR rights, contact privacy@thewitnessapp.com. We will respond within 30 days.

11. CHILDREN

Witness is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact privacy@thewitnessapp.com immediately and we will delete the account.

12. CHANGES TO THIS POLICY

We will notify users of material changes to this Privacy Policy via in-app notification and email (where provided) at least 14 days before changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision. Continued use of Witness after changes take effect constitutes acceptance of the revised policy.

13. CONTACT

All privacy inquiries: privacy@thewitnessapp.com

Data deletion requests: privacy@thewitnessapp.com (subject: "Full Data Deletion Request")

Security concerns: security@thewitnessapp.com

Questions about this document? legal@thewitnessapp.com