Privacy Policy
Last updated: June 4, 2026
This Policy describes how Exploria collects, uses, stores, and shares your personal data when you use our mobile app (iOS and Android) and this website. It is written to be plain-spoken, without unnecessary legal jargon. If anything here is unclear, write to arthur@exploria.world.
1. Who we are
Exploria is a gamified loyalty app that turns visits to partner cafés, restaurants, and shops into quests with real rewards. The service is operated by Exploria World, based in Brazil, and acts as the controller of your personal data under Brazil's General Data Protection Law (Law 13.709/2018, "LGPD").
2. Data we collect
2.1. Data you provide to us
- Email and password — to create and authenticate your account.
- Display name and avatar — to identify you on your journey and in the social feed.
- City or neighborhood — optional, improves nearby venue suggestions.
2.2. Collected automatically
- Precise location (GPS) — to show nearby venues on the map, validate QR check-ins, and unlock proximity quests. Location is collected only while the app is open and only with your explicit consent at the operating-system level. You can revoke it at any time in your device settings.
- Camera — used exclusively to scan partner QR codes. We do not store images.
- Device identifiers — model, operating system, app version, language. Used for diagnostics and compatibility.
- Push notification token (Expo Push, FCM, APNS) — to deliver quest, reward, and social activity notifications.
- Usage events — check-ins, completed quests, XP earned, achievements, friends added. These events form your progress and feed the in-app social feed.
3. How we use your data
- Operate and personalize the app (map, quests, ranking, feed).
- Validate check-ins and credit XP, points, and rewards.
- Send notifications about your quests and social activity.
- Prevent fraud (e.g. attempts to inflate XP with fake check-ins).
- Communicate important service changes.
- Comply with legal obligations and respond to authorities when required.
4. Legal basis (LGPD)
- Performance of contract — to operate the app and features you actively use.
- Consent — for precise location collection and sending notifications.
- Legitimate interest — for fraud prevention, security, and technical diagnostics.
- Compliance with legal obligation — when required by law.
5. Sharing with third parties
We do not sell your data. We only share with service providers essential to running the app, under contracts requiring confidentiality and equivalent protection:
- Supabase (database + authentication + edge functions) — stores your profile, events, and session.
- Mapbox (map) — receives your approximate location while the map is rendered.
- Expo Push Service / Google FCM / Apple APNS — deliver push notifications.
- Amazon Web Services — underlying infrastructure (CDN, DNS, website hosting).
Partner venues only receive aggregated or pseudonymized data about redeemed quests (e.g. "10 quests from quest X were completed today"), never your email, phone, or direct identifiers.
6. Where your data lives
Data is stored on Supabase servers hosted on AWS, primarily in the sa-east-1 (São Paulo) region. Some auxiliary services (push, maps, CDN) may process data in other regions. We take technical and contractual measures to ensure protection equivalent to LGPD across any international transfer.
7. How long we keep data
- Active account — for as long as you use the app.
- Inactive account — up to 24 months after the last login. After that, we delete or anonymize the data.
- Deleted account — removed within 30 days, except for legal records that must be preserved (e.g. tax receipts when applicable).
8. Your rights (LGPD Art. 18)
You may, at any time, request:
- Access to the data we hold about you.
- Correction of incomplete or out-of-date data.
- Anonymization or deletion of unnecessary data.
- Portability of your data to another service.
- Revocation of consents.
- Information about who we share your data with.
To exercise any of these rights, send an email to arthur@exploria.world from your registered email. We respond within 15 days.
9. Security
We use encryption in transit (TLS), encryption at rest from the database provider, row-level access control (RLS), and per-account isolation. Even so, no system is 100% immune. If we identify an incident affecting your data, we will notify you and the ANPD within the legal deadlines.
10. Children and adolescents
Exploria is not intended for users under 13. If we identify an account created by a child in that bracket, it will be deleted. Parents or guardians who identify such a situation can contact us for immediate removal.
11. Changes to this policy
We may update this Policy to reflect changes in the service or in legislation. Material changes will be communicated in-app and by email. The last-updated date appears at the top of this page.
12. Contact
Questions about privacy, exercising rights, or incidents:
arthur@exploria.world
Data Protection Officer (DPO): same email as above.