Data Governance

Effective: May 28, 2026

How WeRoll handles data across the platform: what we retain, for how long, how we minimize what we collect, and how city, vendor, and user data stays separated.

Retention Windows

Data type | Retention
Live location signals (broadcast pings) | 10 minutes (half-life decay), then expired
Session summaries (start/stop, duration, follower delta) | 90 days for operational analytics
Vendor profile (name, category, hours, photo) | Lifetime of the vendor account; deleted on account closure
Push subscriptions | Until unsubscribe or 90 days of inactivity
Account records (email, sub) | Lifetime of account; purged on deletion request
Server logs (operational) | 30 days, redacted of personal location
Audit logs (privileged actions) | 2 years

Consent Model

No vendor location is collected until the vendor explicitly taps Go Live. No follower data is collected until the follower opts in (push subscription, email follow, or signed-in account). Permissions can be revoked at any time and prior data is expired according to the retention schedule above.

Data Minimization

  • All broadcasts are coarsened on write to ~100 m precision (3-decimal grid). Higher-precision coordinates are never stored.
  • Push endpoints are stored as opaque tokens with no user-identifying URL.
  • Server logs are scrubbed of precise location before retention.
  • We do not aggregate, correlate, or build movement profiles of individuals across sessions.

Location Precision Modes

Vendors choose how precisely their stored location is exposed to the public. The setting applies to /vendors/<id>, /vendors/discover, and any map pin shown to followers. Storage is unchanged across modes.

Mode | Public precision | Notes
Exact | ~100 m (stored precision) | Default. Matches the stored coordinate.
Approximate | ~1 km (2-decimal grid) | Neighborhood-only. Hides exact stop location.
Hidden | None | No coordinates returned publicly; vendor profile remains visible.

Vendors set their default in the vendor dashboard and can override on a per-session basis from the Go Live screen. The per-session value lives on the broadcast entity row and wins over the persistent setting while that session is active.
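The two rules above (coarsen every broadcast to a 3-decimal grid on write; expose it publicly at the precision chosen by the vendor's default mode or the per-session override) are small enough to write out. The following is an added example, not WeRoll's own code: the dataclass and field names, the lowercase mode identifiers, and the use of round-to-nearest on decimal degrees are assumptions. It also adds one check the text implies but does not spell out: the public precision can never be finer than the stored precision, whatever mode is requested.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Coord = Tuple[float, float]

# Grid widths in decimal degrees of latitude. 3 decimals is roughly 100 m,
# 2 decimals roughly 1 km. Coarsening happens on write, so nothing finer than
# STORED_DECIMALS is ever persisted.
STORED_DECIMALS = 3

# Public precision per mode (assumed identifiers). None means "no coordinates
# are returned publicly at all".
PUBLIC_DECIMALS = {
    "exact": 3,        # matches the stored coordinate
    "approximate": 2,  # neighborhood-only
    "hidden": None,    # profile stays visible, pin does not
}


@dataclass(frozen=True)
class VendorSettings:
    """Persistent setting chosen in the vendor dashboard (assumed shape)."""
    default_mode: str = "exact"


@dataclass(frozen=True)
class Broadcast:
    """One stored broadcast row. session_mode is the per-session override set
    from the Go Live screen; None means 'inherit the dashboard default'."""
    lat: float
    lon: float
    session_mode: Optional[str] = None


def snap_to_grid(lat: float, lon: float, decimals: int) -> Coord:
    """Round a coordinate pair to a decimal-degree grid (round-to-nearest)."""
    return (round(lat, decimals), round(lon, decimals))


def coarsen_on_write(raw_lat: float, raw_lon: float) -> Broadcast:
    """Build the stored row from a raw ping. Only the coarsened value is kept;
    the high-precision input is dropped here and never written anywhere."""
    lat, lon = snap_to_grid(raw_lat, raw_lon, STORED_DECIMALS)
    return Broadcast(lat=lat, lon=lon)


def effective_mode(settings: VendorSettings, broadcast: Broadcast) -> str:
    """The per-session value on the broadcast row wins while the session is
    active; otherwise the persistent dashboard setting applies."""
    mode = broadcast.session_mode or settings.default_mode
    if mode not in PUBLIC_DECIMALS:
        raise ValueError(f"unknown precision mode: {mode!r}")
    return mode


def public_coordinates(settings: VendorSettings, broadcast: Broadcast) -> Optional[Coord]:
    """Coordinate pair to return on /vendors/<id>, /vendors/discover and map
    pins, or None in hidden mode. Public precision is clamped to the stored
    precision, so no mode can expose more than what was written."""
    decimals = PUBLIC_DECIMALS[effective_mode(settings, broadcast)]
    if decimals is None:
        return None
    decimals = min(decimals, STORED_DECIMALS)
    return snap_to_grid(broadcast.lat, broadcast.lon, decimals)


if __name__ == "__main__":
    # Constructed sample ping; the raw value below is never stored.
    stored = coarsen_on_write(40.7128123, -74.0060456)
    dashboard = VendorSettings(default_mode="approximate")
    print("stored row:       ", stored)
    print("public (default): ", public_coordinates(dashboard, stored))
    live = Broadcast(stored.lat, stored.lon, session_mode="hidden")
    print("public (override):", public_coordinates(dashboard, live))
```

Because `coarsen_on_write` returns the row that is persisted, any code path that handles the raw ping after this point is a bug by construction; reviewing for such paths is the practical way to verify the "never stored" claim.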

Access Controls

Production data access is limited to a small operations team and gated by least-privilege IAM roles. Vendor data is logically isolated per account — one vendor cannot see another vendor's analytics or follower list. City tenants are scoped per municipality; cross-tenant access requires an explicit admin role.

Audit Policy

Privileged actions (admin grants, account deletions, vendor profile changes by non-owners, data exports) are logged with actor, timestamp, and target. Audit logs are retained for 2 years and reviewed during incident response.

Admin location reveal. Public discovery surfaces display vendor coordinates rounded to ~1 km. Stored coordinates are at ~100 m precision and are kept only for the duration of an active session (10-minute half-life decay afterwards). A small number of authorized BusterSense Trust & Safety staff can view the stored precision via internal tooling for incident response, fraud investigation, and law enforcement requests. Each access produces an audit log entry capturing the admin's identity, the entity inspected, and a timestamp.

Incident Response

In the event of a security incident affecting user data, we follow a defined response process: containment, scope assessment, user notification, remediation, and public post-mortem at /transparency. We notify affected users via email within 72 hours of confirmation.

Questions about governance or data handling?

Email privacy@bustersense.com. For data subject access, export, or deletion requests, see the Privacy Policy.

52bc7ba · 2026-06-19 16:09