Private Location Sharing — Who Sees You and When

Every location-sharing app calls itself private. Most aren’t. The word has become decorative — it appears on landing pages right above terms of service that grant the company perpetual rights to your movement data.

This page won’t tell you what to think. It will give you a checklist of concrete things to verify, an explanation of what each means, and a comparison of how different apps actually behave. By the end you should be able to evaluate any location app on its privacy merits in about five minutes.

What “private” should mean for a location app

For a location-sharing app to be meaningfully private, it has to satisfy at least these five things:

• Closed group. Only the people you explicitly add can see your location. Nobody else — not other users, not the company’s “suggestions” engine, not partner apps.
• No data sale or sharing with advertisers. Your location is not packaged and sold. Not in anonymized form (which is rarely actually anonymous for location data). Not at all.
• Bounded data retention. The app keeps your location only as long as it needs to, then deletes it. There’s a stated retention period, and it’s short for live data and bounded for historical.
• Clean account deletion. When you delete your account, your data is actually deleted — not “anonymized,” not “archived,” deleted. Within a stated number of days, with no exceptions for “legitimate business interests.”
• Encryption in transit. Location updates are sent over HTTPS. Tokens are stored in OS-managed secure storage (iOS Keychain, Android Keystore), not in plain SharedPreferences or NSUserDefaults.

If an app satisfies these five, it’s in the “reasonable” tier. If it goes further — per-recipient privacy controls, schedule-based sharing, approximate-location modes, end-to-end encryption — that’s a bonus.

How to read a location app’s privacy policy in 5 minutes

You don’t need to read the whole thing. Open the privacy policy and use Cmd-F (Ctrl-F) to search for these words. The answers tell you most of what you need to know:

1. Search: “sell” or “sale”

Look for a sentence that says either “we do not sell your data” (good) or describes “categories of personal information sold” (bad). California law (CCPA) forces companies to disclose this; if there’s a section labeled “Right to Opt-Out of Sale,” the company is selling at least some category of data.

2. Search: “third-party” or “third parties”

You want to see a short list (analytics, crash reporting, push notifications) and not a long list (advertisers, marketing partners, “trusted business partners”). Long lists are red flags.

3. Search: “retention”

Look for specific time bounds (“30 days,” “90 days”) rather than vague language (“as long as necessary,” “in accordance with our business needs”). Specific is good. Vague is bad.

4. Search: “deletion” or “delete your account”

You want a clear procedure (“delete from within the app,” “email us at...”) and a clear timeline (“within 30 days”). If the policy says they’ll “anonymize” your data instead of deleting it, that’s usually a euphemism for “keep it but strip the obvious identifiers.”

5. Search: “advertising” or “ads”

If you’re paying nothing and the policy talks about ad personalization, your location data is the product. That doesn’t make the app evil — ad-supported is a legitimate model — but it changes what you should expect about privacy.

Practical privacy controls to look for in the app itself

Beyond the policy, the app should give you mechanical controls so you don’t have to trust the company to do the right thing:

• Per-recipient or per-circle toggles. Share with your spouse but not your in-laws — without uninstalling the app or quitting their group.
• Approximate-location mode. Share your general area (~1 km) instead of your exact position. Useful when someone in the circle is a more casual contact.
• Schedule-based sharing. Auto-pause sharing during work hours or overnight.
• Time-limited shares. Share for a specific duration that ends automatically — see the temporary location sharing guide.
• Visible recipients list. The app should show you, in one place, every person and group that can currently see your location. No hidden recipients.
• Sharing status indicator. A visible reminder when sharing is on (iOS’s blue location pill, Android’s persistent notification). If an app hides the fact that it’s tracking you, that’s a problem.

How CircleMap handles privacy

For full disclosure, here’s how CircleMap stacks up on the checklist above:

• Closed circles. No one is added without accepting an invitation; no “suggested contacts.”
• No data sale. No advertising integrations of any kind. The app is free; there’s no ad-supported tier.
• Bounded retention. Location history kept for 30 days, then auto-deleted. Activity logs kept for 90 days. Temporary circle data deleted on circle expiry.
• Hard account deletion. Delete from in-app, all data removed within 24 hours.
• Encryption in transit. All API and WebSocket traffic over HTTPS / WSS. JWT tokens stored in iOS Keychain / Android Keystore.
• Per-circle controls + approximate mode + schedules. All on the privacy screen for each circle.

What private sharing doesn’t mean

A few things people sometimes expect from “private” that aren’t realistic for any location-sharing app:

• End-to-end encryption of locations. True E2EE for live location updates is rare because the server needs to know member relationships to route updates. A few apps claim it; verify the technical details before trusting the claim.
• Hiding from your operating system. Both iOS and Android show indicators when an app is using your location. That’s a feature, not a leak.
• Hiding from your circle members. The whole point is reciprocal sharing. Per-circle toggles let you choose which members see you, not whether they can tell sharing exists.