Back

Privacy policy

Last updated: 12 June 2026

This Privacy Policy describes how On Sees (the “Service”, available at on-sees.com) collects, uses, stores, and discloses personal data, and the rights you have over your own data. The Service is operated by its individual developer, based in Thailand (the “Operator”, “we”). For all privacy matters, contact privacy@on-sees.com.

The Service is designed to collect as little as possible: there is no advertising, no cross-site tracking, no sale of personal data, and no collection of your device’s precise location. Your map is private by default and nothing about you is visible to others until you change a setting yourself.

1. Data we collect

1.1 Account and identity. If you sign in with a third-party provider (currently Google), we receive and store your email address, the provider identity used, your sign-in timestamps, and — on first link — the profile photo offered by the provider, which becomes your editable avatar. If you use the Service without signing in, an anonymous account is created on your device with a random identifier; it has no email address, no handle, and no public profile.

1.2 Profile. Your handle (auto-generated, editable), optional map title, optional bio, avatar (photo or colour preset), optional home country, and your settings (map visibility, search visibility, invite policy, date hiding, map appearance, and onboarding progress).

1.3 Travel data. The regions and cities you mark as visited, the dates you optionally attach, your wishlist, and the shared visits (trips) you create or join, including invitations sent and received. All travel data is entered manually by you; the Service does not access GPS or any other device-location source.

1.4 Relationships. Your circle (the people you allow) and your block list (the people you deny). Both lists are visible only to you; the people on them are not notified.

1.5 Technical data. Like any web service, our infrastructure processes IP addresses and request metadata to serve pages, secure the Service, and enforce rate limits (Clause 7). We do not build profiles from this data.

2. What other people can see

Visibility is governed by three settings you control — who can view your map, who can find you in search, and who can invite you to shared visits. Map viewing is set to no one by default; your map is not visible to anyone else until you change that setting. Public profile pages are excluded from search engines. If you join a shared visit, fellow members of that trip see your participation; viewers of someone else’s map never see you unless your own map is public. The full model is explained in the app’s privacy settings.

3. Purposes and legal bases

  • Providing the Service — storing and displaying your map, profile, and relationships as you direct (performance of a contract, GDPR Art. 6(1)(b)).
  • Security and abuse prevention — rate limiting, content moderation of bios, block enforcement (legitimate interests, Art. 6(1)(f)).
  • Error monitoring — collecting error reports that are scrubbed of identifying details before leaving your browser or our servers (legitimate interests, Art. 6(1)(f)).
  • Product analytics — only if you opt in (consent, Art. 6(1)(a)); see Clause 6.

4. Service providers (processors)

We use a small number of infrastructure providers to run the Service. Each receives only what its function requires:

  • Supabase — hosts the database, authentication, and file storage holding the data in Clause 1.
  • Vercel — hosts and serves the application; as the web host it processes request data, including IP addresses, in its standard server logs.
  • Upstash (via Vercel) — holds short-lived rate-limit counters keyed by IP address (Clause 7).
  • Sentry — receives error reports only. Reports are scrubbed of handles, coordinates, and identifying URLs before sending; IP address storage is disabled.
  • Google — provides Sign in with Google, and — only if you opt in to analytics — Google Tag Manager and Google Analytics (Clause 6).
  • OpenAI — when you save a bio, its text (and nothing else) is submitted to OpenAI’s moderation classifier to screen for abusive content before it is stored. Bios that fail the check are rejected and not stored.

The map itself is self-hosted: viewing the map sends no requests to any external map vendor.

5. Cookies and local storage

The Service uses essential cookies only: the authentication cookies that keep you signed in. There are no advertising or third-party tracking cookies. Your browser’s local storage holds device-level preferences — your analytics consent choice, onboarding progress, interface state, and (for anonymous accounts) your home country and map appearance.

6. Analytics and consent

Product analytics are off by default and run only after you opt in; you can withdraw at any time with the “Help improve On Sees” toggle in your account panel. When enabled, measurement is limited to product events (for example, that a mark was added) with identifying details excluded: no handles, no coordinates, no travel history, and page addresses generalised before they are sent. Advertising storage is permanently disabled — your data is never used for ads or remarketing, regardless of consent.

7. IP addresses and rate limiting

To protect the Service from abuse, mutating requests are rate-limited per IP address. These counters live for the duration of their window — between one minute and one hour — and then expire automatically. Beyond standard server logs (Clause 4), IP addresses are not stored with your account or used for any other purpose.

8. Retention

  • Your data is kept until you delete it or delete your account. Deleting your account permanently removes your profile, travel data, relationships, and avatar files; your traces in others’ shared visits are removed with no placeholder left behind.
  • Handles — after account deletion (or a handle change), the released handle is reserved for 30 days to prevent impersonation. The reservation holds no profile data.
  • Rate-limit counters expire within minutes to one hour (Clause 7). A short log of data-export requests is kept to enforce its rate limit and is deleted with the account.
  • Error reports are retained by Sentry for its standard rolling window, then deleted.

9. International transfers

Our service providers (Clause 4) may process data in countries other than your own, including the United States and the European Union. Where required, transfers rely on the safeguards those providers offer, such as standard contractual clauses.

10. Your rights

You can exercise the core rights directly in the app, without asking us:

  • Access and portability — Account → Data & privacy → “Download my data” produces a complete, machine-readable copy (JSON) of the personal data the Service holds about you. Other people appear in it only by their public handle; data others created about you (for example, who blocked you) is not included, to protect their privacy.
  • Rectification — your profile, settings, and travel data are all editable in place.
  • Erasure — Account → “Delete my account” permanently deletes everything (Clause 8). Anonymous accounts use “Forget this device”.
  • Withdrawing consent — the analytics toggle (Clause 6).

If you cannot access your account, email privacy@on-sees.com from the email address on your account — we verify requests against it — and we will fulfil access, export, or erasure requests within 30 days. You also have the right to object to or restrict processing, and to lodge a complaint with your local data protection authority.

11. Children

The Service is not directed at children and may not be used by anyone under 16 years of age. We do not knowingly collect personal data from children under 16; if you believe a child has provided us personal data, contact privacy@on-sees.com and we will delete it.

12. Security

All data is transmitted over encrypted connections and protected by per-row access controls enforced in the database itself, so that your private data is only ever readable by you. Reports of abusive content or suspected vulnerabilities can be sent to abuse@on-sees.com.

13. Changes to this policy

We may update this policy as the Service evolves. The “Last updated” date above always reflects the current version, and we will take reasonable steps to bring material changes to your attention within the Service before they take effect.

14. Contact

Privacy questions and data requests: privacy@on-sees.com. The terms governing your use of the Service are in the Terms of Service.