As with any app that takes advantage of Apple's Location Services, using WhatTrain may expose your location to Apple. But WhatTrain itself does not collect any information about you, including your location. Here's how that's possible:
First, WhatTrain does not collect your location; the app locally determines your location and uses your location on your phone, and that's it. There are two ways to use WhatTrain: with Apple's Location Services and without it. If you decide not to use Apple's Location Services, then you will have to manually set your location so that the app can determine which subway stops are closest to you. Either way of using the app exposes your location to Apple, but WhatTrain does not itself collect your location. All WhatTrain does is use your location exclusively on your phone.
Second, WhatTrain cannot figure out where you are based on what trains it shows you. The static schedules for the subway trains are included when you download the app. That's why the download is pretty big! When you use the app, the app does fetch the schedules for the realtime trains (the 1, 2, 3, 4, 5, 6, S, and L trains) from WhatTrain's server, but it fetches all of the realtime schedules at once, and the app then locally figures out which ones to show you based on where you are.
Third, WhatTrain's server (which is where the app downloads both the realtime feed and the service statuses) does not log any personally identifying information about those connecting to it for downloads. The server keeps count of each request it receives and when, as well as the user agent, but it does not log personally identifying such as your IP address. WhatTrain does log the "user agent" of those connecting to its servers, but for iPhone users, that information is not personally identifying. Here's an example of an actual line from WhatTrain's server log file:
2016-09-01T15:09:38-04:00 "GET /mtafeeds.json HTTP/1.1"
200 38106 "WhatTrain/1 CFNetwork/758.5.3 Darwin/15.6.0"
Finally, WhatTrain's servers use HTTPS only. This means that your phone's communications with WhatTrain's servers are relatively secure (there's no such thing as perfect security).
A note about law enforcement: It is possible that WhatTrain could be forced by law enforcement to log information about those connecting to its server, such as IP addresses. WhatTrain would attempt to secure legal representation to fight any request it believed to be unlawful, and even for lawful requests, it would seek to publish as much information as possible about the requests and the information WhatTrain provided in response.