Effective: 2026-05-17

QuickQuack — Privacy Policy

Who we are

QuickQuack is a WhatsApp-first visit-management app for delivery drivers. This policy explains what data we collect, how we use it, who we share it with, and your rights.

What we collect

• Account data — your phone number, a bcrypt hash of your password (never the password itself), your first and last name, email address, optional company name, and your language / theme / navigation / loading-order preferences.
• Delivery pins — when you forward a WhatsApp location pin to our bot, we store its coordinates, an optional contact name or phone you provide in a follow-up message, the inbound message ID for deduplication, the creation timestamp, and (once you mark it done or skipped) the completion timestamp.
• Subscription status — your plan (free or premium) and your trial-end date, kept in sync with RevenueCat.
• Session tokens — random 32-byte tokens that keep you signed in; they expire 30 days after issue.

We do not collect device identifiers, precise GPS background locations, contacts, photos, microphone audio, or browsing history. The app reads your current GPS only while the map screen is open and only to anchor the route's start point — that coordinate is not transmitted to our servers.

How we use it

• Pin coordinates power the on-screen map and the optimized driving order between your stops.
• Your phone number is the tenancy key — all your data is scoped to it.
• Your email is used for account recovery and account-related notices.
• Subscription status gates premium features (e.g. the Reports screen).

Who we share it with

We send the minimum data needed to provide the service:

• Meta (WhatsApp Business API) — delivers your inbound pin messages to us via the WhatsApp Business webhook.
• Google Maps SDK — renders map tiles on your device. No user data leaves your device through this SDK.
• OSRM (project-osrm.org) — receives the list of coordinates to optimize, with no user identifier attached.
• RevenueCat — manages your subscription. They receive a user ID we generate for you and the in-app purchase events, not your phone or email.
• Twilio — when you sign in, the phone number you type is sent to Twilio so they can deliver a one-time login code to it. Twilio receives only the phone number and the timestamp of the request. No user identifier is attached.
• LocationIQ — when you add a stop manually by typing an address, that address is sent to LocationIQ's geocoding service to convert it to a coordinate. No user identifier is attached.
• Supabase (database hosting) and Fly.io (app hosting) — our infrastructure providers; your data lives in their secure managed services.

We do not sell your data. We do not show ads. We do not share your data for advertising purposes.

How long we keep it

• Account + pins: until you delete your account.
• Sessions: 30 days from issue.
• Backups: our database provider keeps automated backups for a short rolling window for disaster recovery. Deleted data ages out of those backups within 30 days.

Your rights

• Delete everything: in the app, open Settings → Delete account, or visit https://meshmesh-api.fly.dev/account-deletion from any browser. Deletion is immediate and irreversible.
• Access / correct: through the app's Profile and Settings screens.
• Cancel subscription: through Google Play; the app links directly to your Play subscriptions.
• Contact us: nizar.elias.13@gmail.com.

Children

QuickQuack is not directed at children under 13 and we don't knowingly collect data from anyone under 13. If you believe a child has signed up, contact us and we'll remove the account.

Security

Passwords are stored as bcrypt hashes. Authentication tokens are transmitted only over HTTPS. The database is hosted on Supabase with network-level access controls.

Changes to this policy

We'll publish updates at this URL with a new effective date. Material changes will also surface in-app the next time you sign in.

Contact

Questions about this policy or our data practices? Email nizar.elias.13@gmail.com.