Recently we’ve had a few questions about the privacy of data and conversations in Walk Together. In this post I explain what we do to minimise the data we gather while implementing essential functionality.

When I designed and built the software that runs on the Walk Together servers, I made sure it collects the minimum possible amount of information about you, and all our users. I’ve gone so far as to make it impossible for us to sell your email addresses, because we don’t store them. This approach not only means we can’t renege on our promise to not sell your details, but in the event of a hack or data breach of some sort, the attacker will find there is far less usable data to steal.

Groups that you create, or are a member of, are only visible to people who have been sent an invitation link to that group, and those links expire after two weeks. No one can join a group without approval from the group owner. There is no central searchable listing of all the groups. The only people who can tell you’re a member of a particular group are the other members of that group.

When you’re in a walk, audio data from your phone goes to our servers. When it’s in transit from your phone to our servers it’s securely encrypted, and no one intercepting that data can decode what’s being said. Our servers do have to decrypt this data for a few reasons, but at no point do we store any of this data on disk – the decoded audio data is held only ephemerally.

Why does the audio data have to go to our servers in the first place? Well, your phone could send the audio from your microphone to every other participant in the walk directly, and never send it to our servers. But, if you had six people on your walk, that would mean your phone would need to send out the same data six times, which starts to get wasteful. If your internet connection is poor (maybe you’re outside in a forest taking a walk!), then you may find that you have a good enough connection to send the data once, or twice, but not six times.

So your audio data gets sent to our servers, where we decode it, mix together all the different audio streams from everyone on your walk, and then send that back out to you. This also means that we can prepare different audio for different people. For example, some on your walk might have an excellent internet connection – maybe they’re at home on WiFi – whilst others might be outdoors and have a much worse connection. We can detect that, and reduce the fidelity of the audio we send back to different members, to try and make sure everyone has the best possible experience regardless of their connectivity.

The software on our servers does analyse the audio to detect when no one has been speaking for a few seconds. This is our cue to inject some fun into the walk, to nudge the conversation, and bring in a new topic to talk about. But, to repeat myself, at no point do we ever make any recording, or store any audio data either on your phone, or on our servers, or anywhere else that we control.

Finally, we do not store statistics on who you walked with or when or for how long. There is a chance this might change in the future in some limited cases. For example, our most expensive pricing tier is aimed at larger businesses who want to provide access to certain groups for all their employees. Such businesses may very well ask for some analytics so they can understand that their money is being well spent. That might mean we have to start gathering some statistics around how long each person in a group spent walking, average walk size and duration, that sort of thing. We don’t know yet what the demand will be, but I certainly expect it could only happen for the most expensive paid tier, and I would hope if it ever comes to that, we could do it in a way that preserves anonymity. To be crystal clear though, right now, we gather no stats on who was walking with who.

The rest of this post is somewhat technical: if you’re a software engineer or just keen to know more, what follows dives into the nitty-gritty. It doesn’t alter any of the details above.

If you create your account using Sign in with Google or Sign in with Apple, we do ask for your email address. Now certainly with Apple, you can hide your email address or use a fake one and that’s no problem at all with us. The only reason we ask for it is so that we can check that an account hasn’t already been created using that email address (via a different sign-in method).

Whatever method you use to sign in with, we store only a cryptographic hash of your email address. A hash function transforms an input (in this case your email address) into an output (which we shall call a hash-code). We can treat the output as a number. A hash function must have a few properties:

  • It must be deterministic: the same input (your email address in our case) must give the same output hash-code.
  • The input can be pretty much any size, but there are a known finite number of output hash-codes possible (though there can still be a lot of them, for example 2^256).
  • Each output hash-code should be roughly equally probable – it would not be acceptable if the hash function output the hash-code 3 twice as often as 4 (when given uniformly random inputs).

A cryptographic hash function has all these above properties, but also:

  • It must be exceedingly difficult to reverse the function: to take a hash-code and figure out what the input was.

All we want with your email address is to check to see if we’ve already got a different type of account registered which uses the same address. If we do, then something’s probably gone wrong: maybe you’ve forgotten how you signed in originally, or maybe someone is trying to impersonate you. If we pass your email address through a cryptographic hash function and store only that, then we can still check to see if it’s already been used (the first property above, determinism, gets that for us – we’re just comparing hash-codes now, instead of email addresses), and we don’t have to store your email address.

Because of the last property (inability to reverse the function), we can’t send you any emails because we don’t actually know your email address. For the same reason, we can’t sell your email address. If anyone hacks into our servers and steals the database they will not be able to extract a list of email addresses from our database, because again, we don’t store your email address. What a hacker who stole our data could do is to ask “Is there an account here with this email address?” – but they have to have prior knowledge of your email address to be able to ask that question. Because an ordinary hash is fast to compute, they could ask it for every address in a list they already hold (say, one leaked from some other site), which would tell them whether those particular addresses have accounts with us; what they cannot do is recover an address they don’t already know.

If you Sign in with Google or Sign in with Apple then you never create a password with us, and neither Apple nor Google tell us anything about your passwords with them. Be aware though that in general, with any app that offers this functionality, Google or Apple do know more or less every time you open the app. You may or may not be concerned about that. They also wrote most of the software that runs on your phone, so they probably know everything already. If you Sign in with Email then we don’t need to send anything about you or your account to Google or Apple. When you create such an account with us, you do set a password, and this password gets stored both on your phone (until you Sign out of Walk Together), and on our servers. On our servers, just like with your email address, we do not store your password verbatim, but instead store a cryptographic hash of your password, only this time it’s a very special cryptographic hash function which is specifically designed for passwords: one that is deliberately slow to compute and mixes in a random salt for each account, so that a stolen table cannot be tested against a list of common passwords at anything like the speed a plain hash would allow.
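To make the two hashing paragraphs above concrete, here is an added example (written for this post’s explanation, not Walk Together’s own code) of a duplicate-account check on hashed email addresses, the “I already know your address” query a thief could run against a stolen table, and the contrasting slow, salted hash for passwords. The post does not name the functions Walk Together actually uses; SHA-256 for addresses, PBKDF2-HMAC-SHA256 for passwords, and lower-casing/trimming addresses before hashing are all assumptions made for the example, and every account and address below is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed normalisation: match addresses case-insensitively and ignore stray
# whitespace. Hash functions act on exact bytes, so without this
# "Alice@Example.com" and "alice@example.com" would look like two addresses.
def normalise_email(address: str) -> str:
    return address.strip().lower()


def email_hash(address: str) -> str:
    # SHA-256 is the example's choice of cryptographic hash (an assumption).
    # Deterministic and hard to reverse: enough for "have we seen this before?",
    # and nothing more can be recovered from the stored hash-code.
    return hashlib.sha256(normalise_email(address).encode("utf-8")).hexdigest()


def register(store: Dict[str, str], address: str, method: str) -> bool:
    """Record a new account keyed by the address's hash-code.

    Returns False if that address already has an account (possibly created
    with a different sign-in method), which is the only question the server
    needs the address for.
    """
    code = email_hash(address)
    if code in store:
        return False
    store[code] = method
    return True


def thief_probe(stolen_store: Dict[str, str], known_addresses: List[str]) -> List[str]:
    # What someone holding a copy of the table can do: confirm which addresses
    # they ALREADY know have accounts. Addresses they do not know stay unknown.
    return [a for a in known_addresses if email_hash(a) in stolen_store]


# Passwords get a deliberately slow, salted function instead. PBKDF2-HMAC-SHA256
# from the standard library is the example's choice; the iteration count makes
# each guess cost tens of thousands of hash computations rather than one.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison so the check's timing leaks nothing about the digest.
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    accounts: Dict[str, str] = {}  # constructed sample table: hash-code -> sign-in method
    print(register(accounts, "alice@example.com", "google"))     # True
    print(register(accounts, " Alice@Example.com ", "email"))    # False: same address, other method
    print(accounts)                                              # hash-codes only, no addresses

    # A thief with a copy of `accounts` and a list of addresses from elsewhere:
    print(thief_probe(accounts, ["bob@example.com", "alice@example.com"]))  # ['alice@example.com']

    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))  # True
    print(verify_password("wrong password", salt, digest))                # False
```

The asymmetry is the point: the email hash is fast because its only job is a lookup, so a thief can test a list of candidate addresses at full speed but cannot produce addresses they never had; the password hash is slow and salted precisely so that the same list-testing trick becomes expensive per guess and cannot be shared across accounts.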

Your name we do store verbatim. If you sign-in using Google or Apple, then initially we get your name from them, but you are free to update your name to whatever you want in the app. We have to store your name verbatim so that you can see who else is in your groups, and who you’re walking with. We also have to store which groups you are a member of, and things like who owns a group: this is all critical functionality, and we can’t avoid needing to store this sort of data.

When you’re in a walk, all of the audio data is processed using an industry-standard set of protocols called WebRTC. These protocols are very widely used and, among other things, encrypt audio data in transit (WebRTC media travels over SRTP, with keys negotiated via DTLS). As stated above, we do not write any audio data to disk.

That pretty much covers it all: by design we ask for as little personal information as possible; for email addresses and passwords we never store the data verbatim and instead only store a cryptographic hash; your name and group membership we have to store in order for the app to have the features we want; and your audio data is handled safely and ephemerally using industry-standard protocols, encryption, and software.

Hopefully that answers any questions about your privacy and Walk Together. If not, please do drop us an email at

Enjoy your walks.

– Matthew