← IlaakaHyderabad · Beta

Legal

Privacy policy.

Effective 8 May 2026

This is the policy for the Ilaaka mobile app and the website at ilaaka.dotportion.com. It is written to be readable. If anything here is unclear, write to sricharan.rayala@dotportion.com and I will rewrite it.

Who we are

Ilaaka is built and operated by dotportion, based in Hyderabad, India. For this policy and the Digital Personal Data Protection Act, 2023 (DPDPA), dotportion is the Data Fiduciary. Sri Charan Rayala is the founder and the named Grievance Officer.

What we collect

  • Account. Your email address, and either a password or a Google OAuth identifier — whichever you sign in with. We never see your Google password.
  • Profile. Username, display name, optional avatar, your chosen zone colour, the city and locality you entered during onboarding, and the answers you gave to the onboarding questions (activity type, motivation, frequency, time-of-day preference). All of these are editable from the profile screen.
  • GPS traces. While a walk, run, or cycle is recording, we capture latitude, longitude, accuracy, and altitude samples, plus the start and end timestamps. We capture this both while the app is in the foreground and while it is in the background — Android shows a persistent notification while recording, so this never happens silently.
  • Activity photos. Photos you choose to attach to a saved activity. You decide which ones to attach; you can delete them later.
  • Social signals. Who you follow, who follows you, and any likes or comments you leave on activities visible to you.
  • Device tokens. An Expo push token tied to your account so we can send you notifications about zones being captured, weekly stats, and friend activity.
  • Diagnostics. Crash reports and product-usage events (which screens were opened, which buttons were tapped). These never contain your raw GPS coordinates — that is a hard rule on our side.

Why we collect each thing

Account and profile data exists so you can sign in and so other users can find and follow you. GPS traces are the entire point of the product — without them there is no zone capture. Photos and social signals make the activity feed worth opening. Push tokens let us tell you when someone steals your zone. Diagnostics help us fix bugs and decide what to build next.

Under DPDPA, the lawful basis for almost everything we do is your consent. You consent by signing up and by granting the location permission. Crash reports also fall under our legitimate interest in keeping the app working.

The privacy radius around your home

You can configure a private radius around your home. Zones inside that radius are invisible on the public map — to friends, to strangers, to leaderboards. The raw trace is still stored on your account so your distance and route history stay accurate, but nobody else sees what streets you walked there.

Who else sees your data

We share data only with the service providers we need to run the app. Each is a sub-processor under DPDPA, and each gets only what it needs to do its job:

  • Supabase — hosts our Postgres database, file storage, and the server functions that process activities. All the data described above is stored here.
  • Mapbox — receives the GPS coordinates of an activity for the snap-to-road step that cleans up GPS jitter. Mapbox sees the coordinates of the route only; it does not see your name, email, or account ID.
  • Expo — receives your push token and the body of any notification we send to your device.
  • PostHog — receives product-analytics events (screen views, button taps) and your account ID. No GPS, no email, no photos.
  • Sentry — receives crash reports and the technical context around them. No GPS, no email, no photos.
  • Google — only if you sign in with Google. Google sees that you signed in to Ilaaka and shares your name, email, and profile picture with us.

We do not sell your data. We do not share it with advertisers. We have no advertising on the app, and no plans to add it.

Where your data lives

Most of our infrastructure runs on cloud regions outside India. Under DPDPA your data may therefore be transferred outside India for processing. The companies above all publish their own privacy and security commitments which we rely on.

How long we keep things

  • Zones on the public map expire 14 days after the last walk through them.
  • Your activities, photos, comments, and zone history stay until you delete them or you delete your account.
  • Your account and profile stay until you ask us to delete them.
  • Crash reports and analytics events are kept on a rolling 90-day window.

Your rights

You can sign in and edit your profile, change your colour, change your privacy radius, and delete individual activities at any time. To export everything we hold about you, to correct it, or to erase your account entirely, write to sricharan.rayala@dotportion.com from the email address on your account. We will respond within seven days.

You can withdraw your consent for processing at any time by asking us to delete your account. After erasure we keep only the minimum we are legally required to keep — typically nothing.

Children

Ilaaka is not for users under 18. Under DPDPA we do not knowingly process the personal data of children. If you believe a child has created an account, please write to us and we will remove it.

Security

Database access is gated by row-level security: no user can read another user's raw GPS trace. All traffic is HTTPS. The Supabase service-role key — the one with full database access — never leaves the server.

Changes to this policy

If we change this policy materially, we will update the effective date at the top and, where appropriate, send you a notification in the app. Smaller wording fixes do not get an announcement.

Grievance Officer

Under DPDPA, you have the right to escalate concerns to a named officer at our company.

Sri Charan Rayala
Founder, dotportion · Hyderabad, India
sricharan.rayala@dotportion.com

If you are not satisfied with our response, you may complain to the Data Protection Board of India.