Privacy Policy

1. Who we are

Signpost.fyi ("Signpost," "we," "us," or "our") is a service operated by F of X Development, LLC, located at PO BOX 1202, Nederland, CO 80466. Signpost provides a geolocation-based QR discovery platform that lets organizations (schools, parks, historic sites, and similar) host interactive events where members scan QR codes at real-world locations.

This Privacy Policy explains what information we collect when you use Signpost, how we use it, and the choices you have. It applies to our website, applications, and related services (together, the "Services").

2. Information we collect

2.1 Information you provide

• Account information for members: display name, email address and/or phone number, and any optional profile details you choose to provide.
• Organization information for administrators: organization name, contact details, logo, event content (destinations, descriptions, quiz questions and answers), and payment or billing information if applicable.
• Quiz and event responses: answers you submit, points earned, and timestamps for visits.
• Communications: content of messages you send us through support or contact channels.

2.2 Information we collect automatically

• Device and usage data: IP address, browser type, operating system, device identifiers, referral URLs, pages viewed, and timestamps.
• Location data: approximate or precise geolocation at the moment you attempt to scan a destination QR code — used solely to verify that the scan occurred inside the destination's geo-fence. See Section 4 for details.
• Cookies and similar: session tokens, preference cookies, and limited analytics (see Section 6).

2.3 Information from third parties

We may receive limited information from sign-in code delivery providers (email and SMS) for the purpose of sending you authentication codes, and from our hosting and analytics providers in the course of delivering the Services.

3. How we use information

We use the information described above to:

• Provide, maintain, and improve the Services.
• Authenticate members and organization administrators, and send sign-in codes.
• Verify that QR scans occur at the intended physical location.
• Record visits, score quizzes, and compute leaderboards or analytics for your organization.
• Communicate with you about the Services, including notices, security alerts, and support responses.
• Protect the Services against fraud, abuse, and unauthorized access.
• Comply with legal obligations.

Where required by law (for example, in the EU/UK under the GDPR), our legal bases for processing are: performing our contract with you; our legitimate interests in operating a secure and effective service; your consent where required (for example, for precise location access); and compliance with legal obligations.

4. Location data

Signpost requests access to your device's location only when you actively attempt to scan a destination QR code. Location data is used to determine whether your scan is within the destination's configured geo-fence radius. We may store the scan outcome (success or failure) and the associated event and destination identifiers; we do not continuously track your location in the background.

You can disable location permission at any time through your browser or device settings. If location permission is denied, scan verification will not function and your visit cannot be counted.

5. How we share information

• With your organization. If you join an event as a member, your display name, visits, points, and quiz responses are visible to administrators of that organization and, where the leaderboard is enabled, to other participants in that event.
• Service providers. We share information with vendors that help us operate the Services (for example, cloud hosting, email and SMS delivery, error monitoring). These providers are contractually bound to use the information only to provide services to us.
• Legal and safety. We may disclose information where required by law, to enforce our Terms, or to protect the rights, property, or safety of Signpost, our users, or others.
• Business transfers. If Signpost is involved in a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction, subject to standard confidentiality protections.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

6. Cookies and similar technologies

We use cookies and similar technologies (such as local storage) for essential functions like keeping you signed in and remembering your preferences. We may also use limited analytics to understand aggregate usage patterns. You can control cookies through your browser settings, though some Services may not function correctly without them.

7. Data retention

We retain account and event information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. When information is no longer needed for these purposes, we will delete or de-identify it.

8. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. To exercise these rights, contact us using the details in Section 13.

California residents. Under the California Consumer Privacy Act (CCPA/CPRA), you have rights to know, delete, correct, and limit the use of sensitive personal information. We do not sell personal information or share it for cross-context behavioral advertising.

EU/UK residents. You have rights under the GDPR to access, rectify, erase, restrict, object to, and port your personal data. You may also lodge a complaint with your local supervisory authority.

9. Children's privacy

Signpost is frequently used in educational settings that may include minors, including children under 13 in the United States. We do not knowingly collect personal information directly from children under the age of 13 without appropriate consent as required by the Children's Online Privacy Protection Act (COPPA).

When an organization (such as a school or youth program) enrolls members, that organization is responsible for obtaining any parental or guardian consent required by applicable law, and for ensuring that its use of Signpost complies with student-privacy laws such as FERPA and state equivalents. Organizations act as the "school official" or equivalent with respect to their members' information and should only collect the minimum information needed.

If you believe a child has provided us with personal information without proper consent, please contact us and we will take steps to delete it.

10. Security

We use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

11. International users

Signpost is operated from the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States and in other countries where our service providers operate. Where required, we use appropriate safeguards for international transfers.

12. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, provide additional notice through the Services or by email. Continued use of Signpost after an update means you accept the revised Policy.

13. Contact us

If you have questions about this Policy or our privacy practices, contact us at:

F of X Development, LLC
PO BOX 1202, Nederland, CO 80466
Email: privacy (at) fofx (dot) dev