Skip to main content
WWilDi Maps
Sign inBook a demo

Privacy Policy

Last Updated: April 26, 2026

1. Introduction

WilDi Maps, Inc. ("WilDi Maps", "we", "us", "our") operates a two-sided mobile advertising platform. Drivers use the WilDi Maps mobile app to receive geo-triggered advertising events and earn passive income. Advertisers use our business portal to configure campaigns, view analytics, and manage billing.

This Privacy Policy explains how we collect, use, retain, and protect information from (a) drivers and (b) advertisers who use our services.

2. Definitions

  • Personal Information – Information that identifies or can reasonably be linked to an individual.
  • Driver Data – Location, device, and event-level data collected from the driver app strictly for delivering and verifying campaigns.
  • Advertiser Data – Account, billing, usage, and campaign configuration data submitted through the advertiser portal.
  • Non-Personal Information – Aggregated, de-identified, or anonymized data not capable of identifying an individual.
  • Controller – WilDi Maps acts as the controller of personal information collected from both drivers and advertisers.
  • Processor – Third-party services that process data on our behalf (e.g., hosting, payments, analytics).

3. Information We Collect

3.1 Driver Information

Information provided directly:

  • Name (optional)
  • Email
  • Phone number (for authentication)

Payment Information (Drivers)

WilDi Maps does not collect or store bank account numbers, card numbers, or other sensitive payout credentials. All payout-related financial data is collected and processed directly by Stripe. WilDi only receives non-sensitive payout metadata (such as payout status and timestamps).

Information collected automatically:

  • Device identifiers
  • OS version and app version
  • IP address
  • Diagnostic logs
  • Precise location data, including background location. Background location (location collected while the app is not visible on screen) is collected only while you are logged in and have chosen to actively participate in ad delivery through the WilDi Maps driver app. It is required to detect ad delivery area entry/exit, verify CPVD (Cost Per Verified Delivery) events, calculate earnings, and prevent fraud. Collection stops when you log out, stop participating in ad delivery, or revoke the permission via your device settings. See Section 6 for full details.
  • Motion/route information used exclusively to:
    • Detect ad delivery area entry and exit
    • Verify ad delivery events
    • Prevent fraud and falsified movement

WilDi Maps does not collect contacts, photos, messages, or unrelated device data.

3.2 Advertiser Information

  • Name, business name, and contact details
  • Email and account credentials
  • Campaign configuration (areas, streets, messaging)
  • Uploaded ad content

CRM Enrichment Data (Advertisers)

WilDi Maps may enhance advertiser account records using information that is publicly available (such as business websites, social media pages, public business listings, or government-registered business data). This enrichment is used solely for:

  • Verifying business legitimacy
  • Improving advertiser qualification and fraud prevention
  • Enhancing sales and onboarding efficiency

We do not purchase third-party marketing lists, and we do not combine advertiser data with non-public third-party datasets.

Billing Information (Advertisers)

WilDi Maps does not collect or store full credit card numbers, bank account details, or other sensitive billing credentials. All billing information is transmitted directly to Stripe and processed under Stripe's own Privacy Policy. WilDi only receives limited non-sensitive billing metadata (such as subscription status and payment success/failure notifications).

  • Usage logs and dashboard interactions

3.3 Automatically Collected Technical Data (All Users)

  • Browser type (for portal users)
  • IP address and region
  • Session logs
  • Cookies and analytics data

4. Legal Basis for Processing (EEA, UK, etc.)

  • Contract: Required to provide app functionality and advertiser services.
  • Legitimate Interests: Security, fraud prevention, service improvement, analytics.
  • Consent: For marketing communications and any optional features requiring opt-in.
  • Legal Obligations: Tax requirements, accounting, compliance.

5. How We Use Your Information

5.1 Driver Data is used to:

  • Deliver geo-triggered campaigns
  • Verify CPVD (Cost Per Verified Delivery) events
  • Calculate earnings and route-based payouts
  • Detect falsified or simulated movement
  • Prevent bot activity, spoofing, or mapping exploits
  • Improve driver experience and app performance

5.2 Advertiser Data is used to:

  • Provide access to the advertiser portal
  • Process payments and manage subscriptions via Stripe
  • Configure, optimize, and deliver campaigns
  • Provide analytics dashboards
  • Communicate account notices and service updates

5.3 Aggregated Analytics

We generate aggregated, anonymized insights such as:

  • Total verified deliveries
  • Area/street performance summaries
  • Attribution events (e.g., a driver later visiting a business)

Advertisers never receive:

  • Individual driver identity
  • Individual location trails
  • Per-driver attribution data

All analytics provided to advertisers are strictly aggregated.

6. Location Data (Driver-Specific)

WilDi Maps collects precise location data from drivers — including background location — to operate the core ad-delivery and earnings features of the platform. This section explains what we collect, when, why, and how you can control it.

6.1 Foreground Location

While the WilDi Maps driver app is open and visible on your screen, we collect your precise location to display your position on the map, detect entry into ad delivery areas, validate ad delivery events, and calculate earnings.

6.2 Background Location

WilDi Maps collects background location data — that is, your precise location while the app is not visible on your screen — when you are logged in and have voluntarily chosen to participate in ad delivery through the driver app. Background location is required because the core function of the driver app (delivering geo-triggered ads as you move) cannot work if location is only available when the screen is open.

We use background location to:

  • Detect when you enter or exit an ad delivery area
  • Verify CPVD (Cost Per Verified Delivery) events
  • Calculate your earnings accurately
  • Detect and prevent fraudulent or simulated movement
  • Generate aggregated, anonymized campaign metrics

Background location collection stops when:

  • You log out of the driver app
  • You stop participating in ad delivery within the app
  • You revoke background location permission via your device settings
  • The app is uninstalled

You can disable background location access at any time through your device's location settings (iOS or Android). However, disabling background location will prevent you from earning while the app is not in the foreground, and may prevent you from earning at all.

6.3 Limits on Use

We do not:

  • Provide advertisers with user-level GPS tracks
  • Sell or broker personal location data
  • Use driver movement for third-party advertising networks
  • Collect location data when you have stopped participating or logged out
  • Use location data for any purpose other than those listed in Sections 6.1 and 6.2

Use of the driver app is voluntary and subject to the Driver Terms (Part B of our Terms of Service), which include important provisions on lawful operation, distracted-driving safety, and the non-employment nature of driver participation.

7. Cookies and Similar Technologies

We use cookies and similar identifiers on the public marketing site and the advertiser portal in four categories. You can control non-essential cookies via the cookie banner that appears on your first visit and via the Cookie Settings link in the footer.

7.1 Strictly necessary

Always active — required for core site function:

  • wdm_consent — your cookie preference state (1-year max-age)
  • sb-* — Supabase authentication session
  • __stripe_* — Stripe checkout flow + fraud prevention
  • Cloudflare Turnstile session cookies on lead-form pages

7.2 Analytics

_ga, _ga_*, _gid, _gat* — set by Google Analytics for aggregated traffic metrics. Default-on under our notify policy; off when you opt out via the banner or under Global Privacy Control.

7.3 Marketing & attribution

wdm_vid — our first-party visitor identifier (HttpOnly, SameSite=Lax, Secure, 1-year max-age) used solely to attribute your visit to the marketing source you arrived from. _gcl_au — Google Ads click attribution. Default-on under our notify policy; off when you opt out or under Global Privacy Control.

7.4 Customer Match (ad-platform sharing)

No client-side cookies in this category. Server-side flow: with your separate explicit opt-in (the "ad-platform matching" checkbox on lead forms or the cookie banner), we may share your hashed email address with Google Customer Match to enable personalized re-engagement. Always default-off; requires affirmative consent. You can withdraw consent at any time.

7.5 Universal opt-out signals

We honor the Global Privacy Control (GPC) browser signal automatically. If your browser advertises GPC (Brave, DuckDuckGo, Privacy Badger, Firefox with the preference enabled, etc.), we treat it as a binding opt-out of analytics and marketing cookies — no manual interaction required. We display a visible confirmation that the signal has been honored.

Drivers (mobile app) do not receive third-party tracking for advertising purposes.

8. Subprocessors

We share personal information with the third-party service providers listed below, each of which has agreed to confidentiality and data protection terms via a Data Processing Agreement or equivalent contractual mechanism (Standard Contractual Clauses for international transfers, EU-US Data Privacy Framework participation where applicable).

  • Vercel (US + global edge) — hosts the Next.js application; processes server logs and request data
  • Supabase (US-East-1) — primary Postgres database; stores all persisted personal data; authentication identity
  • Resend (US) — transactional email (lead-form notifications + confirmations, support replies, privacy-request verification, deletion confirmations)
  • Stripe (US + global) — payment processing; checkout sessions; subscription management. We never see raw payment-card data; Stripe holds it under PCI DSS Level 1
  • Cloudflare (global) — Turnstile bot protection on lead forms; edge DNS
  • Google (US + global) — Google Ads (Click Conversion uploads; Customer Match only with consent); Google Analytics (Consent Mode v2 — cookieless pings while denied; full hits after consent)
  • Mapbox (global) — map tile rendering and geocoding inside the authenticated dashboard only; not loaded on public marketing pages
  • MongoDB Atlas (US) — ad asset storage in the dashboard; not in scope for the marketing site or lead pipeline

All subprocessors operate under contractual confidentiality and data protection requirements. A current list with detailed DPA mechanisms is maintained as docs/SUBPROCESSORS.md in our public repository.

9. Information Sharing

We do not sell personal information for monetary or other valuable consideration.

We may share limited data with:

  • Subprocessors (listed in Section 8)
  • Legal authorities, when required by court order, subpoena, or other binding legal process
  • Successors in a merger or acquisition, under equal or greater privacy commitments

Customer Match (separate explicit consent).

The only practice that may be classified as "sharing" under California law (CCPA) is the optional Customer Match flow: with your affirmative opt-in via the lead-form checkbox or cookie banner, we may share your hashed email address with Google so Google can match you to ad impressions and personalized retargeting. This is gated by two layers of consent (form opt-in plus cookie-banner per-purpose toggle), is always default-off, and you can opt out at any time via:

  • The "Cookie Settings" link in the footer
  • The "Do Not Sell or Share My Personal Information" link in the footer
  • Sending a deletion request via /privacy/request
  • Enabling Global Privacy Control in your browser

Aggregated, de-identified data may be shared without restriction.

10. Data Retention

  • Marketing-site visitor tracking events: 90 days from event, then automatically hard-deleted by our retention cron
  • Sales inquiries and lead forms: 7 years from creation, then automatically hard-deleted by our retention cron. Anonymized immediately on a verified deletion request — identifying fields (name, email, phone, message, IP, user-agent) are removed; the residual record is hard-deleted at the 7-year mark
  • Privacy-request audit log: 7 years for accountability
  • Driver earnings & event logs: retained as long as required for accounting and fraud prevention (typically 24–36 months)
  • Advertiser account & billing records: account life + 7 years
  • Campaign analytics: 24 months by default
  • Support communications: 3 years
  • Job applications: 2 years from application

De-identified, aggregated datasets may be retained indefinitely. Our retention enforcement runs as an automated daily process and is auditable in our records of processing.

11. Data Security

  • Encryption of data in transit and at rest
  • Strict access controls
  • Fraud monitoring (bot/spoof detection)
  • Routine security reviews and penetration testing
  • SOC 2 compliance program underway

Users are responsible for protecting their login credentials.

12. International Data Transfers

Data may be processed in the United States and other regions where service providers operate. We use recognized safeguards, including Standard Contractual Clauses.

13. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access your data (we provide a JSON export)
  • Correct inaccurate data
  • Request deletion (anonymization for active records; hard delete after the retention window)
  • Restrict or object to processing
  • Download a machine-readable copy (portability)
  • Withdraw consent at any time
  • Opt out of "sale" or "sharing" via the footer link or Global Privacy Control
  • Lodge a complaint with your local data protection authority (EU/UK)

California residents have additional CCPA / CPRA rights, including the right to know what categories of data we collect, why, and with whom we share it; the right to limit use of sensitive personal information (we do not collect any); and the right to non-discrimination for exercising any privacy right.

14. Exercising Your Rights

We provide a self-serve, identity-verified portal for access and deletion requests at /privacy/request.

How verification works. Submit your email address and choose an action (access or delete). We send a verification link to your inbox via an HMAC-signed token (24-hour expiry). Clicking the link confirms you control the address — no password or account required. Once verified, we execute the action and email you confirmation. This protects you from unauthorized requests in your name and protects us from acting on unverified requests.

For other privacy inquiries, email privacy@wildimaps.com. We respond to verified requests within 30 days. We may extend by up to 60 days for complex requests, and we'll notify you if we do. We do not charge a fee for the first request in any 12-month period.

To control cookies: use the "Cookie Settings" link in the footer or enable Global Privacy Control in your browser (we honor it automatically).

To opt out of "sale" or "sharing" (CCPA): click the "Do Not Sell or Share My Personal Information" link in the footer.

15. Children's Privacy

Not intended for individuals under 18.

We do not knowingly collect children's data.

If you believe a minor has provided information to WilDi Maps, contact us immediately at privacy@wildimaps.com, and we will delete the data.

16. Policy Updates

Material changes will be announced via email or prominent notice. The "Last Updated" date reflects the current revision.

17. Contact Us

WilDi Maps, Inc.
Jacksonville, Florida, USA
privacy@wildimaps.com