Privacy Policy
Effective: 2 May 2026 · Specter ("we," "us")
The short version: your actual GPS route never leaves your device in
a form anyone — including us — can read. This page explains exactly
what we do and don't store, and what rights you have.
1. What we collect
When you use Specter, we receive the following on our servers:
- Account data. Your OAuth provider's user ID
(Google or Apple), your email address (encrypted at rest), the
handle and display name you choose, and any optional profile
fields you fill in (age, weight, avatar).
- Activity stats. Duration, distance, pace, average
and maximum heart rate, elevation gain, cadence, power, and
per-kilometer splits for every workout you record.
- Encrypted, rotated GPX files. Before your phone
uploads a GPS track, it rotates every coordinate by a per-user
spherical key that exists only on your device. We then encrypt
that already-rotated file at rest. We never see your real
coordinates and have no way to recover them.
- Health-derived data you opt into. If you connect
Apple Health or Health Connect, we receive heart-rate variability,
resting heart rate, and sleep duration aggregates. You can revoke
this access at any time from the OS settings, and the values
immediately stop syncing.
- Device tokens for push notifications if you opt
into them.
2. What we do not collect
- Your real GPS coordinates. They never leave your device in a form
we can decrypt.
- Third-party advertising or analytics identifiers. We do not embed
Google Analytics, Facebook Pixel, Mixpanel, Segment, or any other
third-party tracker.
- Address book contacts, photos beyond what you explicitly select,
or any system data outside the permissions you granted.
3. How we protect what we do collect
- Per-user spherical rotation. On first sign-in,
your device generates a random rotation key (~96 bits of entropy
from the OS cryptographic random source). The key is stored in
your device's secure storage (Keychain on iOS, EncryptedSharedPrefs
on Android) and is never transmitted. Every GPS point is rotated
by this key before upload.
- Encryption at rest. The rotated GPX file is then
encrypted with AES-256 (Fernet) on the server and only decrypted
in memory when transposing it to a cover route. Email addresses
are also encrypted at rest using the same scheme.
- Cover routes are what others see. Specter's Cover
Location Engine takes the rotated, server-side track and lays it
onto the road network of a different city — preserving distance
and pace, discarding any link to your real location. Leaderboards,
challenges, and any social view of your activity show this cover
route, never the underlying data.
- Recovery phrase. The rotation key is encoded as a
12-word BIP-39 phrase shown to you once at sign-in. Save it
offline. Re-entering the phrase on a new device reconstructs the
same key and unlocks your prior activities. We do not store the
phrase or the key. Lose the phrase and your historical routes
become permanently unreadable — by anyone.
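
An added illustration of the per-user spherical rotation described in this section, not Specter's code: the key-to-rotation mapping (SHA-256 feeding a uniform unit quaternion), the domain label and the sample track are assumptions made for this example. It shows why track length survives the rotation and why only the same key rotates the points back.

```python
import hashlib
import math
import secrets

EARTH_R_M = 6371000.0

def key_to_quaternion(key: bytes):
    """Assumed mapping: hash the key, then Shoemake's uniform unit quaternion (w, x, y, z)."""
    d = hashlib.sha256(b"rotation-demo" + key).digest()  # label is hypothetical
    u1, u2, u3 = (int.from_bytes(d[i:i + 8], "big") / 2**64 for i in (0, 8, 16))
    a, b = math.sqrt(1 - u1), math.sqrt(u1)
    return (a * math.sin(2 * math.pi * u2), a * math.cos(2 * math.pi * u2),
            b * math.sin(2 * math.pi * u3), b * math.cos(2 * math.pi * u3))

def cross(a, b):
    return (a[1] * b[2] - a[2] * b[1], a[2] * b[0] - a[0] * b[2], a[0] * b[1] - a[1] * b[0])

def to_vec(lat, lon):
    la, lo = math.radians(lat), math.radians(lon)
    return (math.cos(la) * math.cos(lo), math.cos(la) * math.sin(lo), math.sin(la))

def rotate_track(key: bytes, track, inverse=False):
    """Rotate every (lat, lon) point on the unit sphere; inverse=True undoes it."""
    w, *r = key_to_quaternion(key)
    if inverse:
        r = [-c for c in r]  # conjugate quaternion = inverse rotation
    out = []
    for lat, lon in track:
        v = to_vec(lat, lon)
        t = [2 * c for c in cross(r, v)]
        rt = cross(r, t)
        x, y, z = (v[i] + w * t[i] + rt[i] for i in range(3))
        out.append((math.degrees(math.atan2(z, math.hypot(x, y))),
                    math.degrees(math.atan2(y, x))))
    return out

def track_length_m(track):
    """Sum of great-circle segment lengths, in metres."""
    vs = [to_vec(*p) for p in track]
    total = 0.0
    for a, b in zip(vs, vs[1:]):
        dot = sum(p * q for p, q in zip(a, b))
        total += EARTH_R_M * math.atan2(math.hypot(*cross(a, b)), dot)
    return total

# Constructed sample track (not real user data); the key below is a fresh 96-bit demo key.
TRACK = [(10.0000, 20.0000), (10.0010, 20.0015), (10.0022, 20.0031), (10.0035, 20.0040)]
if __name__ == "__main__":
    key = secrets.token_bytes(12)
    rotated = rotate_track(key, TRACK)
    print(rotated[0], round(track_length_m(TRACK), 3), round(track_length_m(rotated), 3))
```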
4. What we share, and with whom
We share data with the following third parties, only as necessary
to make the product work:
- Google and Apple for OAuth sign-in (we send your
ID token, they confirm your identity; standard OAuth 2.0).
- Mantis (our Cover Location Engine vendor)
receives the already-rotated, server-side track for transposition
onto a cover-city road network. Mantis cannot reverse the
rotation.
- Apple Push Notification Service / Firebase Cloud
Messaging for push-notification delivery, if you've
opted in.
- DigitalOcean for our backend infrastructure and
encrypted storage.
We do not sell, rent, lease, or otherwise transfer any of your data
to advertisers, data brokers, or any other commercial party. There
is no business model that depends on your activity data being
exposed.
5. Activity visibility
Activities are published by default and globally visible
on the cover-route feed and leaderboards. The cover route is the
only thing visible — your actual route is never addressable through
any endpoint. You can mark any individual activity as private from
the activity detail screen at any time.
6. Your rights
- Export. Profile → Export Data produces a downloadable
archive containing your activity stats, GPX files, and profile
fields.
- Delete. Profile → Delete Account permanently
removes your account. Encrypted route data is overwritten with
cryptographically random bytes before the records are removed,
so any prior backup or replication of the underlying storage
cannot be used to recover the data.
- Revoke OS permissions. Location, HealthKit, and
Bluetooth permissions are managed in your device settings. Revoking
any of them takes effect immediately; we never cache stale data
from a category you've disabled.
- Contact. Reach us at privacy@specter.fit
for any privacy question or concern.
7. Children
Specter is not directed at children under 13. We do not knowingly
collect data from children. If you believe a child has created an
account, contact us and we will delete it.
8. Changes
We will update this page when our practices change. The effective
date at the top reflects the most recent revision. Material changes
will be communicated in-app before they take effect.