Privacy Policy for HexStep

Last updated: April 14, 2026

The short version

Your location data is stored on your device — cloud sync is optional and opt-in
We collect your email only if you choose to sign in for cloud sync
We do not use advertising SDKs or third-party analytics tools in the app
We do not sell your data or share it for advertising or analytics purposes
You can export or delete all your data at any time from within the app

This Privacy Policy describes how HexStep ("the App", "we", "us", or "our") handles information when you use the HexStep mobile application. HexStep is developed by James Huh ("the Developer").

We built HexStep with a privacy-first approach. The App is designed to function primarily on your device. Cloud sync is entirely optional and requires you to sign in.

1. Information We Collect

Location Data

HexStep collects GPS location data (latitude, longitude, and timestamps) through Apple's Core Location services. This data is used solely to determine which hexagonal grid cells you have visited. The App collects location data while open and, with your permission, while running in the background. Tracking stops when the App is fully closed or when you revoke location permissions.

Derived Data

From your GPS coordinates, the App derives:

H3 hexagonal grid cell identifiers (resolution 8, approximately 0.74 km² per cell)
Reverse-geocoded place names via Apple's CLGeocoder (district, neighborhood)
ISO country codes for the countries you visit
Movement speed (used to calculate exploration points — walking earns more than driving)

Account Data (Optional)

If you choose to sign in with Google for cloud sync, we collect:

Your Google account email address
A unique user identifier (UUID)
A username you choose (for your share card profile)

If you do not sign in, no account information is collected. The App functions fully without an account.

Motion and Health Data (Optional)

With your permission, the App may access:

Motion & Fitness data — Used to detect when you are stationary so GPS can be paused, reducing battery usage
HealthKit step count — Used to display daily step statistics alongside your exploration data. This data is read-only and is never transmitted to any server.

What We Do Not Collect

Your name, phone number, or other personal identifiers beyond email (if signed in)
Device identifiers or advertising identifiers
Third-party usage analytics, crash reporting SDKs, or telemetry
Photos, contacts, or any other data from your device

2. How We Use Information

All data collected by HexStep is used exclusively for the App's core functionality:

Recording which hexagonal grid cells you have visited
Displaying your exploration map, statistics, and tier progression
Calculating the area you have covered and points earned
Showing the percentage of neighborhoods, districts, and provinces you have explored
Generating shareable map cards
Syncing your exploration data across devices (only if you sign in)

Your data is never used for advertising, profiling, behavioral analysis, or any purpose other than showing you your own exploration data within the App.

3. Data Storage and Security

Local Storage

All data generated by HexStep is stored locally on your device in a SQLite database within the App's sandboxed container, protected by:

App sandboxing (other apps cannot access HexStep's data)
Device-level encryption (when you set a passcode on your device)
iOS file protection

Cloud Storage (Optional)

If you sign in with Google, your hex visit data is synced to our cloud database hosted by Supabase. This enables you to access your exploration data across multiple devices. Cloud-synced data includes:

Hex cell identifiers and visit timestamps
GPS coordinates associated with each hex
Region and district information
Points earned per hex

Your local device is always the source of truth. Cloud data is a secondary copy for convenience.

4. Third-Party Services

HexStep does not integrate any analytics, advertising, or user tracking services. The third-party services involved are:

Service	Purpose	Data Shared
Apple Core Location	GPS coordinates	None (on-device)
Apple CLGeocoder	Reverse geocoding	Coordinates sent to Apple
Apple HealthKit	Step count display	None (on-device, read-only)
Apple MapKit	Map display and share cards	Map tile requests to Apple
Google Sign-In	Account authentication	OAuth token exchange
Supabase	Cloud database sync	Hex visit data (if signed in)

Google Sign-In is governed by Google's Privacy Policy. Supabase's data practices are described in Supabase's Privacy Policy.

5. International Data Transfers

If you use cloud sync, your hex visit data is stored on Supabase servers which may be located outside your country of residence. By signing in and enabling cloud sync, you consent to this transfer.

Data is encrypted in transit (TLS) and at rest
Access is restricted to your authenticated account only
You can delete all cloud data at any time from within the App

If you prefer not to transfer data outside your country, you can use HexStep without signing in and keep all data stored locally on your device.

6. Children's Privacy

HexStep is not directed at children under the age of 13 (or the applicable minimum age in your jurisdiction, such as 16 in certain EU member states under GDPR, or 14 under Korea's PIPA). We do not knowingly collect personal information from children.

7. Your Rights

Under the EU General Data Protection Regulation (GDPR)

If you are located in the European Economic Area, you have the right to:

Access your data — visible within the App, exportable as JSON from Settings
Erasure — delete all data (local and cloud) from Settings
Data portability — export your data in JSON format from Settings
Withdraw consent — revoke location permissions at any time through iOS Settings

Under Korea's Personal Information Protection Act (PIPA)

If you are located in the Republic of Korea, you have the right to access (열람), correct or delete (정정/삭제), and suspend processing (처리정지) of your personal information.

For the full Korean-language privacy policy, see 개인정보 처리방침.

Personal Information Manager: James Huh — hello@hexstep.app

8. Data Deletion

You can delete all data stored by HexStep at any time:

Within the App: Settings → "Delete All Data" permanently erases all records from your device and the cloud.
Delete the App: Uninstalling removes all local data. Cloud data can be deleted by reinstalling and using the delete option.

Data deletion is permanent and irreversible. Deleted data cannot be recovered.

9. Data Export

You can export all your exploration data from Settings → "Export My Data." The export is provided as a JSON file containing all hex visit records, timestamps, coordinates, and points.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date above.

11. Contact

If you have any questions about this Privacy Policy or your data, please contact us:

Developer: James Huh

Email: hello@hexstep.app

Website: hexstep.app