You are wanting to acquire a rather sensitive combination of information - user email (as identity), phone number, and location.
So firstly, you'll have to be very considerate about privacy issues for users, having a policy on how this information is stored and distributed, and making it clear to users what they are allowing. I would suggest not storing any aggregate of this type of dataset in the client, as much as possible.
For this purpose I would recommend using GAE storage as much as possible.
Your app querying a user's location shouldn't be too worrying, provided things are done over secure channels kept well.
What is worrisome is that that information only reaches an allowed source, i.e. that only a mutual contact can request this information.
I'd suggest that for each user, a whitelist of allowed contacts would be best. For each user, have a secret random uuid associated (that never goes out to any client) on GAE. A user registering for your service would create this ID. The whitelist would then consist of a list of secret IDs.
A process could then be:
- A makes request for B's location
- Request is forwarded to GAE app.
- GAE app verifies that A's secret ID is on B's whitelist
- The app then queries for B's location
- Once the app retrieves this information, it then verifies that it is only sending this information to the user identified by A's secret ID
- The info is then sent securely to A's client
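The flow above as an added example (not part of the original answer): an in-memory Python stand-in for the server-side app. The class and method names, and the session-token layer that maps a logged-in client to its secret ID, are assumptions; a real deployment would keep these tables in GAE storage.

```python
import secrets
import uuid


class LocationService:
    """Hypothetical in-memory stand-in for the server-side (GAE) app."""

    def __init__(self):
        self._secret_id = {}  # email -> secret ID (never sent to any client)
        self._whitelist = {}  # owner's secret ID -> set of allowed secret IDs
        self._location = {}   # secret ID -> last reported (lat, lon)
        self._sessions = {}   # session token -> secret ID (assumed auth layer)

    def register(self, email):
        """Create the secret ID server-side; the client only gets a session token."""
        sid = uuid.uuid4().hex
        self._secret_id[email] = sid
        self._whitelist[sid] = set()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = sid
        return token

    def allow(self, token, contact_email):
        """The authenticated user adds a contact to their own whitelist."""
        owner = self._sessions[token]
        self._whitelist[owner].add(self._secret_id[contact_email])

    def report_location(self, token, lat, lon):
        self._location[self._sessions[token]] = (lat, lon)

    def request_location(self, token, target_email):
        """A (the token holder) asks for B's (target_email) location."""
        requester = self._sessions.get(token)       # A's secret ID, resolved server-side
        target = self._secret_id.get(target_email)  # B's secret ID
        if requester is None or target is None:
            return None
        if requester not in self._whitelist[target]:
            return None  # same reply as for an unknown user, so nothing leaks
        location = self._location.get(target)
        # Before sending, confirm the reply still goes to the session bound to A.
        if self._sessions.get(token) != requester:
            return None
        return location


if __name__ == "__main__":
    svc = LocationService()
    a = svc.register("alice@example.test")  # constructed sample users
    b = svc.register("bob@example.test")
    svc.report_location(b, 51.5, -0.12)     # constructed coordinates
    svc.allow(b, "alice@example.test")
    print(svc.request_location(a, "bob@example.test"))
```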