Privacy Policy
Your flights, not your life.
Last updated: 14 June 2026
TiToLeave is built to know one thing well: when you should leave for the airport. It is pseudonymous by design. There are no accounts. We never ask for your name, email, or phone number. The only identifier anywhere is a random per-install ID. Everything sensitive is processed on your device. Our servers see flight logistics, not lives.
This policy explains exactly what TiToLeave collects, why, where it goes, and the control you have over it.
Who we are
TiToLeave ("we", "us", "the app") is an iOS application operated by an independent developer. For any privacy question or request, contact support@titoleave.com.
What we collect
| Data | What it is |
|---|---|
| Install ID | A random identifier created the first time you open the app. It is not your name, email, or device hardware ID, and it is not shared across apps. It is how your trips stay yours without an account. |
| Trip details | Flight number, route, scheduled times, your computed Leave-By and the buffers behind it, the leaving point you pin (its coordinates and place name), and your "left" / "arrived" / "how it felt" markers. |
| Onboarding answers | If you complete the intro questions (flights per year, traveler type, how you book, buffer habit), we store those answers to tune the product. |
| Device basics | Language, country, and app / OS version, so the app works in your locale and we can debug. |
| Subscription status | Your purchase is handled by Apple. We store a transaction identifier Apple gives us to know whether your subscription is active. We never see your card or Apple ID. |
Location: read this part
Location is the most sensitive thing a travel app touches, so we are precise about it:
- Your continuous location never leaves your device. Live position is used on-device to detect when you've left and to compute drive time. No movement trail is ever stored or transmitted, not on your phone, not on our servers, nowhere.
- What is sent: only the single leaving point you pin (its coordinates and place name, attached to that trip) and the resulting drive-time estimates in minutes. That's what lets the server watch traffic for you and move your Leave-By earlier.
- Drive-time estimates use Apple Maps. Those map queries go to Apple as a first party under Apple's own privacy terms.
What we deliberately do NOT collect
To be unambiguous, TiToLeave does not collect any of the following:
- Names, emails, phone numbers, or contacts
- Your photo library (the system photo picker runs outside the app)
- Your calendar's contents: if you enable calendar detection, flights are spotted on-device and only a flight number you confirm is ever looked up
- Boarding-pass images: the barcode is read on-device and the image is discarded; we do not parse or store passenger name or PNR
- Any movement trail or location history
- Advertising identifiers, and we do no cross-app or cross-site tracking (our privacy manifest declares tracking off, with zero tracking domains)
How we use what we collect
- To compute your Leave-By and keep it correct, watching live traffic and flight status and moving the time earlier when needed.
- To send the alerts and Live Activity that are the core of the product.
- To understand, in aggregate, how the product is used and where it breaks (privacy-respecting analytics, see below).
- To operate subscriptions, and to keep transaction records for accounting and fraud prevention.
Who processes your data
| Service | What they handle |
|---|---|
| Apple | Maps drive-time queries, App Store purchases, and push notifications. First-party, under Apple's terms. |
| Supabase | Our database and backend (a processor acting on our instructions). Holds the trip mirror and logs described above, protected by row-level security so rows are scoped to your install. Hosted in the Tokyo region (see transfers below). |
| PostHog | Product analytics. Receives a defined set of usage events and your onboarding answers, keyed to your install ID. No automatic screen capture, no session recording, no autocapture. Debug builds send nothing. |
| Flight-data provider | To fetch live flight status we send flight numbers and dates only, never any identifier tied to you. |
| Superwall | Used to present and experiment with the subscription screen. Sees paywall interactions, not your trips. |
Where your data lives & transfers
Our database is hosted in Japan, which holds a full EU adequacy decision, so data of EU users is processed lawfully without additional transfer mechanisms. Apple and Superwall operate under their own data-processing terms. Analytics (PostHog) currently runs on US infrastructure under its EU–US Data Privacy Framework certification.
How long we keep it
- Diagnostic and live-signal logs: 90 days.
- Your trip mirror: while your subscription is active, plus 12 months.
- Short-lived operational data (queued notifications, flight schedule cache) is purged within days.
- Subscription transaction records are kept as long as required for accounting and fraud purposes, keyed only by the transaction identifier with no profile attached.
Legal bases (EU / UK)
Where the GDPR or UK GDPR applies, we rely on these legal bases:
- Contract: to provide the Leave-By service you subscribe to (compute and watch your trips).
- Legitimate interests: privacy-respecting product analytics, security, and fraud prevention, balanced against your rights.
- Consent: device permissions (location, notifications, calendar, camera), which you grant in iOS and can withdraw anytime.
- Legal obligation: keeping subscription transaction records.
Your rights & control
We never sell or share your personal information, and we don't use it for cross-context behavioural advertising or any advertising. You have the right to:
- Delete everything, in-app, anytime. Settings → Privacy → Delete my server data wipes everything tied to your install from our servers. The app stops syncing before it relies on the result, so nothing is re-uploaded; live coverage gracefully falls back to on-device estimates.
- Access, correct, port, restrict, or object to the processing of your data, and withdraw consent at any time.
- Because we hold no name or email, there is no account to log into. Email support@titoleave.com to exercise any right and we'll act on it.
- Permissions (location, notifications, calendar, camera) are always yours to grant or revoke in iOS Settings.
We don't discriminate against you for exercising any of these rights.
Europe & the UK (GDPR / UK GDPR)
The data controller is the independent developer who operates TiToLeave; reach us at support@titoleave.com. You have all the rights above, plus the right to lodge a complaint with your local data-protection authority. International transfers are covered by the adequacy decision noted under "Where your data lives".
California & other US states (CCPA / CPRA)
In the past 12 months we collect these categories: identifiers (a random install ID), internet or app activity (usage events), geolocation (only the leaving point you pin), and commercial information (subscription status). We do not sell or share personal information, and have not. You have the right to know, delete, and correct your data, and to opt out of sale or sharing (there is nothing to opt out of, as we do neither). Exercise any right at support@titoleave.com.
India (DPDP Act, 2023)
We process your data with notice and, where required, your consent, which you can withdraw anytime. You have the right to access, correct, and erase your data, to grievance redressal, and to nominate someone to exercise your rights on your behalf. Our grievance contact is support@titoleave.com; we aim to resolve grievances promptly.
Diagnostics
The app keeps a local diagnostic log to help fix problems. It stays on your device and is only ever sent to us if you tap "Email diagnostics" in Settings. It rotates automatically and is capped to a few days.
Security
Data in transit is encrypted. Server rows are owner-scoped with row-level security so one install can never read another's. Sensitive parsing (boarding passes, calendar) happens on-device.
Children
TiToLeave is not directed at children and is not intended for use by anyone under the age required to hold an Apple account in their country.
Changes
If we change this policy we'll update the date above and, for material changes, surface it in the app.
Contact
Questions or requests: support@titoleave.com.