# WhatTemp — Privacy Policy

**Draft v0.1 · Template for legal review — not yet legal advice.**
_Last updated: 2026-06-09_

WhatTemp helps you know the indoor temperature of public and opted-in private spaces, and — only if you choose — learn the temperature your own body prefers. This policy explains what we collect, why, and the controls you have. We wrote the plain-English version first; defined terms and jurisdiction-specific disclosures follow.

---

## 1. The short version
- The app is **free** and we do not sell your personal data.
- **Location** is used to find places near you. We do not keep a history of where you go.
- **Wearable / biometric data is 100% opt-in.** We never read it unless you connect a device, and we only read the narrow "comfort signals" needed to learn your comfort range.
- **Venues never see you.** They can only ever see anonymized, aggregated comfort trends — and only if you switch that sharing on (it is off by default).
- You can **disconnect, stop sharing, or delete everything** from one screen.

## 2. Data we collect
| Category | What | Why | Basis |
|---|---|---|---|
| Account | Email or Apple Sign-In identifier | Authenticate you | Contract |
| Approximate location | Coarse lat/long at time of use | Show nearby places | Consent |
| Crowd reports | Temperature confirmations you submit | Improve readings | Consent |
| **Biometric comfort signals (opt-in)** | Resting heart rate, heart-rate variability, skin/wrist temperature | Learn your personal comfort range | **Explicit consent** |
| Device/diagnostic | App version, crash logs | Reliability | Legitimate interest |

We do **not** collect: your workouts, GPS tracks, sleep stages, medical history, contacts, or a location history.

## 3. Biometric & wearable data (the sensitive part)
- We read comfort signals **only** through the official, read-only API of a wearable you explicitly connect (e.g. WHOOP, Garmin, Apple Health, Oura).
- These signals are processed to derive a single, low-sensitivity output: **your comfort temperature range**. We do not store raw biometric streams longer than needed to compute it, and you can request their deletion.
- Your comfort range is stored against a **pseudonymous identifier**, not your name.
- We obtain **separate, explicit, opt-in consent** before any biometric processing, and a **second, independent** opt-in before any aggregate sharing.
- Where laws such as the Illinois **Biometric Information Privacy Act (BIPA)**, **GDPR Art. 9** (special-category data), or comparable rules apply, we follow their consent, retention-schedule, and disclosure requirements. _(Counsel to finalize a standalone Biometric Data Policy and written retention schedule.)_

## 4. What venues and partners can see
- Venues and platform partners receive **only anonymized, aggregated** comfort statistics (e.g. "patrons here are most comfortable around 70°F"), computed only across groups large enough to prevent re-identification (a k-anonymity threshold; counsel to set k).
- They never receive your identity, your individual readings, your location history, or any raw biometric data.
- Aggregate sharing is **off by default** and tied to the second opt-in above.

## 4a. Wearable provider terms (important constraint)
Each wearable platform's developer agreement governs what we may do with data obtained through it, **and those terms can override user consent**:
- **WHOOP** prohibits selling, licensing, or sublicensing member data to third parties *even if the user consents.* WHOOP-derived data is therefore used **only to power your own in-app experience** and is **excluded** from any aggregate product sold or licensed to venues.
- **Apple Health (HealthKit)** prohibits using or disclosing health data for advertising or use-based data mining, including by third parties. Apple-sourced data is used only to improve your comfort experience.
- **Garmin / Oura** permit commercial and aggregate/anonymized use under their programs, subject to approval and their terms.

Accordingly, our **aggregate comfort product for venues is limited to sources whose terms permit it** (and our own sensors), and we honor each provider's restrictions per integration. We do not blend restricted-source data into any third-party or commercial output.

## 5. Your controls & rights
- Disconnect any wearable, stop aggregate sharing, or delete your comfort data and account from **Settings → You**.
- Access, correction, deletion, portability, and objection rights under **GDPR/UK-GDPR**, **CCPA/CPRA**, and similar laws. We do not "sell" or "share" personal information for cross-context behavioral advertising as defined by the CPRA.
- Contact: privacy@whattemp.app · Data Protection Officer (to be appointed).

## 6. Retention, security, transfers
- Retention per the schedule in §3; comfort signals deleted on disconnect.
- Encryption in transit and at rest; access controls; breach notification per applicable law.
- International transfers under Standard Contractual Clauses where required.

## 7. Children
Not directed to children under 16. We do not knowingly process their data.

## 8. Changes
Material changes will be notified in-app before they take effect.

---
_This template is a starting point for qualified privacy counsel. Biometric handling, BIPA written-consent language, retention schedules, and the k-anonymity threshold must be finalized by a lawyer before launch._
