Privacy Policy
Last updated: June 18, 2026 Effective date: June 18, 2026
1. Introduction
This Privacy Policy explains how John Heaney ("Parkboxd," "we," "us," or "our") collects, uses, shares, and protects information when you use the Parkboxd mobile and web application (the "Service"). Parkboxd is operated from the United States.
By using the Service, you agree to this Policy. If you do not agree, do not use the Service.
Contact: contact@parkboxd.com
2. Information we collect
2.1 Information you provide
| Data | Examples | Why |
|---|---|---|
| Account identity | Email and authentication identifiers handled by Clerk | Create and secure your account |
| Profile | Username (handle), display name, bio, avatar, banner image | Build your public profile |
| Trip logs & activities | Visit dates, titles, written reviews, star ratings, parks/rides/food, notes, tags | Core journaling feature |
| Photos | Images you attach to trip logs, activities, or your profile | Display your content |
| Social actions | Follows, likes, saves, comments | Power the social feed |
| Reports | Content you flag and the reason given | Moderation and safety |
| Communications | Messages you send us (e.g., support, privacy requests) | Respond to you |
2.2 Information collected automatically
| Data | Source | Why |
|---|---|---|
| Push notification token | Expo, when you enable notifications | Send you notifications |
| Device/platform | iOS, Android, or web indicator tied to your push token | Deliver platform-appropriate notifications |
| Approximate location | Device location, only if you grant permission | Find nearby parks / relevant content |
| Usage & technical data | Standard app/backend logs (e.g., timestamps, error logs, coarse device/app info) | Operate, secure, and debug the Service |
Location is optional. The app requests location permission only to surface nearby or relevant parks. You can decline or revoke it in your device settings at any time without losing core functionality. We do not collect continuous or background location. Depending on your device and the permission you grant, location may be precise at the moment of use; we use it transiently to find nearby parks and do not build a location history.
2.3 Authentication data (Clerk)
Sign-up and sign-in are handled by Clerk. We store a Clerk user identifier to link your account to your activity. Your password and the primary handling of your login credentials are managed by Clerk under Clerk's privacy policy.
2.4 Information we do not collect
We do not require or intentionally request payment-card information, government identifiers, biometric identifiers, facial-recognition data, or special-category/sensitive personal information, and we do not perform facial recognition or build background-location profiles. Because trip logs, photos, and notes are free-form, your User Content could contain sensitive information (for example, accessibility, dietary, health, or religious details, or images of identifiable people) — please share only what you are comfortable making visible. We do not use that content to infer sensitive characteristics about you, and we do not sell your personal information or use it for cross-context behavioral advertising.
3. Cookies and tracking technologies
Parkboxd is not an advertising-driven service and does not use third-party advertising cookies or cross-site tracking.
- Mobile app: We use on-device storage (for example, Expo Secure Store) to keep you signed in and remember preferences. This is essential to operating the app.
- Web: If you use the web version, we use only essential cookies/local storage needed for authentication and core functionality.
We do not currently use third-party analytics or advertising SDKs. If that changes, we will update this Policy and, where required, request your consent.
4. How we use information
We use your information to:
- Provide and operate the Service (display your profile, trip logs, and feeds);
- Authenticate you and keep your account secure;
- Calculate derived, aggregated metrics such as crowd levels, trending parks, and wait-time context (these use catalog and aggregate data, not your private diary content);
- Send push notifications you have enabled;
- Respond to your communications and support requests;
- Enforce our Terms of Service, investigate abuse, and moderate reported content;
- Diagnose problems, prevent fraud, and improve the Service;
- Comply with legal obligations.
Legal bases (where applicable, e.g., for EU/UK users): we process information based on your consent (e.g., notifications, location), to perform our contract with you (providing the Service), to comply with a legal obligation, and for our legitimate interests (security, abuse prevention, and product improvement).
5. How information is shared
We share information only as described here. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
5.1 With other users
Your public content — username, profile, public trip logs, activities, comments, likes, and follow relationships — is visible to other users of the Service. Content you mark private is not shown to other users in the app, but it is not encrypted from us: we and our service providers can access it to operate, secure, support, and moderate the Service and to comply with law. Uploaded images are served from a content-delivery URL keyed to each file, so anyone who obtains that URL may be able to view the image regardless of the trip log's visibility setting. Choose your visibility — and what you upload — accordingly; public content can be viewed and re-shared by others.
5.2 With service providers (subprocessors)
We rely on these providers to run the Service. Where they process data on our behalf, they do so as processors under written contracts/data-processing terms. App stores (Apple, Google) generally act as independent controllers for the data they collect about your download and use, under their own policies:
| Provider | Purpose | Data involved |
|---|---|---|
| Clerk | Authentication & account management | Identity, login credentials |
| Convex | Backend, database, hosting | All app data |
| Cloudflare R2 | Image/object storage | Photos you upload |
| Expo (EAS) | Push notifications & app updates | Push token, device platform |
| Apple App Store / Google Play | App distribution | Per their own policies |
We also pull non-personal park, attraction, wait-time, and weather data from third-party sources (e.g., themeparks.wiki / queue-times.com). We do not send your personal information to those data sources.
5.3 Legal and safety
We may disclose information if required by law, subpoena, or legal process, or when we believe in good faith that disclosure is necessary to protect our rights, enforce our Terms, ensure the safety of users or the public, or investigate fraud or security issues.
5.4 Business transfers
If Parkboxd is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information, and the successor will be bound by this Policy or provide equivalent protection.
6. Data retention
We retain your information only as long as needed for the purposes in this Policy. Typical periods:
| Data | Retention |
|---|---|
| Account & content (active account) | Kept while your account is active |
| Account & content after deletion | Removed or de-identified within 30 days of your deletion request |
| Uploaded images never attached to content | Automatically purged within ~24 hours |
| Push notification tokens | Removed when you disable notifications, sign out, or the token becomes invalid |
| Approximate location | Used transiently to find nearby parks; not stored as a history |
| Technical/usage logs | Retained for a limited period (typically up to 90 days) for security and debugging |
| Moderation reports & admin/audit logs | Retained longer (typically up to 2 years) for safety and accountability |
| Backups | Routine backups expire on a rolling cycle (typically within 30 days) |
We may retain limited information beyond these periods where required for legal compliance, to resolve disputes, or to prevent fraud or abuse (a "legal hold").
These periods reflect our current practice; confirm them against your live Convex/Cloudflare backup and log-retention settings and adjust if they differ.
7. De-identified and aggregated data
We may create aggregated or de-identified data (such as crowd levels and trending metrics) that does not identify you. We may use and share this data for any lawful purpose, and we will not attempt to re-identify it except to test our de-identification processes.
8. Your rights and choices
Depending on where you live, you may have the right to:
- Access the personal information we hold about you;
- Correct inaccurate information (much of which you can edit in-app);
- Delete your account and associated data (available in-app);
- Object to or restrict certain processing;
- Port your data to another service;
- Withdraw consent for notifications or location at any time.
How to make a request. Email contact@parkboxd.com. We will verify your request by confirming control of your account (for example, the email associated with it) and respond within the time required by applicable law. An authorized agent may submit a request on your behalf with proof of authorization. We will not discriminate against you for exercising these rights. If we deny a request, you may ask us to reconsider by replying to our response.
9. California privacy disclosures (CCPA/CPRA)
If you are a California resident, this section supplements the rest of this Policy. If we are not a "business" covered by the CCPA/CPRA, we offer these rights voluntarily where feasible. The categories below are illustrative; the labels track the CCPA's statutory categories and the examples show how they map to Parkboxd. In the past 12 months we have collected the following categories of personal information:
| CCPA category | Collected? | Examples | Sources | Business purpose | Disclosed to |
|---|---|---|---|---|---|
| Identifiers | Yes | Username, email, account ID, push token | You, Clerk | Account, auth, notifications | Service providers |
| Customer records | Yes | Profile details, photos | You | Provide the Service | Service providers; other users (public content) |
| Internet/network activity | Yes | App usage and error logs | Automatic | Security, debugging | Service providers |
| Geolocation (approximate) | Only with permission | Coarse location | Your device | Show nearby parks | Service providers |
| Visual & similar information | Yes | Photos you upload | You | Core features | Service providers; other users (public content) |
| Commercial/usage information | Yes | Trip logs, reviews, comments, ratings | You | Core features | Service providers; other users (public content) |
Sensitive personal information: We do not collect or process sensitive personal information as defined by the CPRA, and we do not use any information for purposes that require a "limit the use of my sensitive personal information" option.
Sale/sharing: We do not sell or share (for cross-context behavioral advertising) personal information, and we have not done so in the past 12 months.
California residents have the right to know, delete, correct, and to be free from discrimination for exercising these rights. Submit a request via contact@parkboxd.com.
10. Do Not Track and Global Privacy Control
Because we do not track users across third-party websites for advertising, we do not respond differently to "Do Not Track" browser signals. Where required by law, we will treat a recognized Global Privacy Control (GPC) signal as a valid opt-out request to the extent it applies.
11. Children's privacy
The Service is intended for users 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact contact@parkboxd.com and we will delete it. This complies with the U.S. Children's Online Privacy Protection Act (COPPA).
12. Security and breach notification
We use reasonable technical and organizational measures to protect your information, including authentication via Clerk, access controls, rate limiting, and reputable infrastructure providers. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. Help protect your account by keeping your login credentials confidential.
If we become aware of a data breach affecting your personal information, we will notify you and any relevant authorities as required by applicable law.
13. International users
The Service is operated from, and directed to users in, the United States. It is not intended for, or directed to, individuals in the European Economic Area (EEA) or the United Kingdom, and we do not currently offer the GDPR/UK GDPR disclosures and transfer mechanisms those laws require. Your information will be processed and stored in the United States and in regions used by our service providers. If you access the Service from outside the U.S., you do so on your own initiative and are responsible for compliance with local law, and you consent to the transfer and processing of your information in the United States, where data protection laws may differ from those in your country.
14. Third-party links and services
The Service may reference or link to third-party sites, content, or services (for example, park information). We are not responsible for the privacy practices of those third parties; review their policies separately.
15. Changes to this Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date and, for material changes, provide notice in the app or by email where appropriate. Your continued use of the Service after changes take effect constitutes acceptance.
16. Contact
Questions or privacy requests? Email contact@parkboxd.com.