WPrivacy Policy
This Privacy Policy explains how Stardust Staking and Solutions OÜ ("we", "us", "Stardust") collects, uses, stores, and protects your personal data when you use the Waulk mobile application ("the App") and related services. We are committed to transparency and to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and Apple's App Store requirements.
01Data Controller
| Legal entity | Stardust Staking and Solutions OÜ |
| Registry code | 16489716 |
| Registered address | Narva mnt 7a, 15172 Tallinn, Estonia |
| Privacy contact | privacy@waulk.ai |
| Supervisory authority | Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate), www.aki.ee |
02Data We Collect
2.1 Account Data
When you sign in with Apple, we receive:
- Apple user identifier (an opaque string unique to our app)
- Email address (may be an Apple Private Relay address if you choose to hide your email)
- Display name (provided by Apple only on your first sign-in)
You may also provide:
- Username (a public handle you choose, e.g. @yourname)
- Bio (a short text description on your public profile)
2.2 Location Data
Your location is sent to our servers only when you voluntarily:
- Submit a photo with the "Share location" toggle enabled (you can turn this off)
- Discover and submit a new point of interest (GPS coordinates are required to place it on the map)
- Request a new city area to be added to the app
2.3 User-Generated Content
- Photos you submit for points of interest
- POI discoveries (photo + description + GPS coordinates)
- Ratings and text feedback on audio guides
2.4 Points and Activity
Your points balance, transaction history (earned/spent), and contribution counts are stored on our servers to maintain your profile and contributor status.
2.5 Device and Technical Data
We generate a random, non-reversible device identifier stored locally on your device. This identifier is not linked to your Apple advertising identifier (IDFA), hardware serial number, or any other persistent device identifier. It is used solely to prevent duplicate ratings on the same guide and is not shared with third parties.
2.6 Content Moderation and Third-Party AI Processing
When you submit a photo or discover a new place, your submission may be processed by our AI providers — Anthropic PBC (Claude API), xAI Corp (Grok), and OpenAI Inc. — for quality, relevance, and content review. This means your submitted photo may be sent to servers operated by these providers in the United States for automated analysis. Before submission, the App will ask for your explicit confirmation. No personal account data (name, email, username) is sent to these providers — only the photo and the associated POI metadata.
Submitted photos may inadvertently capture images of other people, vehicles, or private property. Photos that contain identifiable individuals as the primary subject, inappropriate content, or content unrelated to the point of interest may be rejected during moderation.
If you believe a photo published in the App contains your image or personal data without your consent, you may request its removal by emailing privacy@waulk.ai. We aim to review such requests promptly.
03How We Use Your Data
| Purpose | Data Used |
|---|---|
| Authenticate you and maintain your session | Apple ID, email, JWT token |
| Display your public contributor profile | Username, display name, bio, contribution stats |
| Find nearby points of interest | GPS (on-device only, not sent to servers) |
| Review and approve submitted photos and discoveries | Photos, GPS coordinates, descriptions |
| Generate AI audio guides for points of interest | POI metadata (not your personal data) |
| Track your contributions and award points | Points balance, activity log |
| Prevent abuse and duplicates | Device identifier, submission timestamps |
| Respond to privacy and support requests | Email, account data |
We do not use your data for advertising, profiling, behavioral tracking, or sale to third parties.
04Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) - necessary to provide the service you requested |
| On-device location processing | Contract performance - core functionality of the walking tour service |
| GPS sent with POI discovery submissions | Contract performance (Art. 6(1)(b)) - coordinates are required to place the discovered location on the map; the feature cannot function without them |
| GPS sent with photo submissions (optional toggle) | Consent (Art. 6(1)(a)) - you choose whether to share location via a toggle that defaults to off; photos can be submitted without location |
| Points tracking and contributor profiles | Contract performance - part of the contributor reward system you participate in |
| AI content generation (using POI metadata) | Legitimate interest (Art. 6(1)(f)) - generating guides for POIs; does not use personal data |
| Abuse prevention (device ID deduplication) | Legitimate interest (Art. 6(1)(f)) - preventing system abuse |
| Responding to privacy requests | Legal obligation (Art. 6(1)(c)) - GDPR compliance |
05Third-Party Processors
We share data with the following processors, strictly for the purposes described:
| Processor | Location | Purpose | Data Shared | Transfer Mechanism |
|---|---|---|---|---|
| Apple Inc. | USA | Authentication (Sign in with Apple) | Apple user ID, authentication tokens | EU-US Data Privacy Framework (DPF certified) |
| Anthropic PBC | USA | AI content generation, submitted photo review | POI metadata; user-submitted photos (for AI moderation only) | Standard Contractual Clauses (SCCs) |
| xAI Corp | USA | Script generation, text-to-speech audio synthesis | POI metadata only (no personal data) | Standard Contractual Clauses (SCCs) |
| Cloudflare Inc. | Global (EU-primary) | Media storage (photos, audio files) | User-submitted photos, generated audio | EU-US Data Privacy Framework (DPF certified) |
| Hetzner Online GmbH | Germany (EU) | Server hosting, database storage | All data described in this policy | No international transfer (EU-based) |
We do not share your personal data with advertisers, data brokers, or any other third parties not listed above.
06International Data Transfers
Your data is primarily stored on servers located in the European Union (Hetzner Online GmbH, Germany). When data is processed by US-based processors, the specific transfer safeguard for each provider is listed in the processor table above (Section 5): Apple Inc. and Cloudflare Inc. are certified under the EU-US Data Privacy Framework; transfers to Anthropic PBC and xAI Corp are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
We ensure that any international transfer of personal data meets the requirements of GDPR Chapter V.
07Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (Apple ID, email, username) | Retained while your account is active. Deleted within 30 days of account deletion request. |
| Points and activity history | Retained while account is active. Deleted with account. |
| Submitted photos (pending review) | Deleted within 90 days if not approved. |
| Approved photos and discoveries | May be retained in anonymized form after account deletion to maintain POI coverage. Your name and identifiers are removed. |
| GPS coordinates from submissions | Retained with the associated content. Deleted when the content is deleted. |
| Ratings and feedback | Retained in anonymized form after account deletion. |
08Your Rights
Under the GDPR, you have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. |
| Rectification (Art. 16) | Correct inaccurate data. You can edit your username, display name, and bio directly in the app. |
| Erasure (Art. 17) | Request deletion of your account and personal data. Use the "Delete Account" option in the app, or email us. |
| Restriction (Art. 18) | Request that we limit processing of your data in certain circumstances. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds. |
| Withdraw consent (Art. 7(3)) | Where processing is based on consent (e.g. location sharing with submissions), you can withdraw at any time by toggling the setting off. |
To exercise any of these rights, email privacy@waulk.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with your local EU supervisory authority.
09California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
Categories of Personal Information Collected
- Identifiers: Apple user ID, email address, username, display name
- Geolocation data: GPS coordinates (only when voluntarily submitted with photos or discoveries)
- User-generated content: Photos, text descriptions, ratings, feedback
- Activity information: Points balance, contribution history
Your California Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise your California privacy rights, email privacy@waulk.ai with the subject line "CCPA Request".
10AI-Generated Content
Waulk uses artificial intelligence to generate audio walking tour guides. This involves:
- Script generation: AI models (xAI Grok, Anthropic Claude) create narration scripts based on publicly available information about points of interest (Wikipedia extracts, Wikidata facts, OpenStreetMap metadata). Your personal data is not used as input for script generation.
- Audio synthesis: Text-to-speech models convert scripts into spoken audio.
- Photo review: When you submit a photo, AI may be used to verify it matches the intended point of interest. The photo is sent to Anthropic's API for this purpose.
11Location Data
Location data receives special attention in our design:
On-Device Processing (Default)
When you use "Start Walk" or browse the map, your GPS coordinates are processed entirely on your iPhone to match your position against downloaded point-of-interest data. This happens locally. No location data leaves your device during normal use.
Server-Side Processing (Voluntary Only)
Your GPS coordinates are sent to our servers only when you take an explicit action:
- Photo submission with location toggle ON (you can turn this off)
- POI discovery submission (coordinates required to place the new location on the map)
- City area request (approximate coordinates sent to determine which city to add)
In all cases, you initiate the action and are informed that data will be sent before submission.
Background Location
The app may request background location access to notify you about nearby points of interest when the app is not in the foreground. You can deny this permission or revoke it at any time in iOS Settings. Background location data is processed on-device and is not sent to our servers.
13Children's Privacy
Waulk is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will delete that data promptly.
If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@waulk.ai.
14Points System
The App includes a points system that tracks your in-app contributions (rating tours, submitting photos, contributing places, and similar actions). Points are stored on our servers as part of your account data.
Points are an in-app engagement reward only. They have no monetary value and are not redeemable for cash, cryptocurrency, or any financial instrument. No personal data is shared with any blockchain network.
15Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- All data transmitted over HTTPS/TLS encryption
- Authentication tokens stored in the iOS Keychain (hardware-backed secure storage)
- Passwords for admin accounts hashed with bcrypt
- API rate limiting to prevent abuse
- Server infrastructure hosted in the EU with access controls
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to privacy@waulk.ai.
16Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via the App (e.g. through a banner or notification)
- Where required by law, seek your renewed consent
We encourage you to review this policy periodically.
17Contact
For any privacy-related questions, requests, or complaints:
| privacy@waulk.ai | |
| Entity | Stardust Staking and Solutions OÜ |
| Address | Narva mnt 7a, 15172 Tallinn, Estonia |
We aim to respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate) at www.aki.ee, or with your local EU data protection authority.