Privacy Policy
Your flights, not your life.
Last updated: 16 June 2026
TiToLeave is built to know one thing well: when you should leave for the airport. It is pseudonymous by design. There are no accounts. We never ask for your name, email, or phone number. The main identifier is a random per-install ID; the only exception is Apple's advertising identifier, which we use solely to measure our ads and only if you allow it (see Advertising & measurement). Everything sensitive is processed on your device. Our servers see flight logistics, not lives.
This policy explains exactly what TiToLeave collects, why, where it goes, and the control you have over it.
Who we are
TiToLeave ("we", "us", "the app") is an iOS application operated by an independent developer. For any privacy question or request, contact support@titoleave.com.
What we collect
| Data | What it is |
|---|---|
| Install ID | A random identifier created the first time you open the app. It is not your name, email, or device hardware ID, and it is not shared across apps. It is how your trips stay yours without an account. |
| Trip details | Flight number, route, scheduled times, your computed Leave-By and the buffers behind it, the leaving point you pin (its coordinates and place name), and your "left" / "arrived" / "how it felt" markers. |
| Onboarding answers | If you complete the intro questions (flights per year, traveler type, how you book, buffer habit), we store those answers to tune the product. |
| Device basics | Language, country, and app / OS version, so the app works in your locale and we can debug. |
| Subscription status | Your purchase is handled by Apple. We store a transaction identifier Apple gives us to know whether your subscription is active. We never see your card or Apple ID. |
| Advertising identifier (only if you allow it) | If you permit tracking when iOS asks, we use Apple's advertising identifier (IDFA) only to measure which ad brought you to TiToLeave. If you decline, we don't use it. We never use it to profile you or to track what you do in other apps. See Advertising & measurement. |
Location: read this part
Location is the most sensitive thing a travel app touches, so we are precise about it:
- Your continuous location never leaves your device. Live position is used on-device to detect when you've left and to compute drive time. No movement trail is ever stored or transmitted, not on your phone, not on our servers, nowhere.
- What is sent: only the single leaving point you pin (its coordinates and place name, attached to that trip) and the resulting drive-time estimates in minutes. That's what lets the server watch traffic for you and move your Leave-By earlier.
- Drive-time estimates use Apple Maps. Those map queries go to Apple as a first party under Apple's own privacy terms.
- Your location is never shared with advertising partners.
What we deliberately do NOT collect
To be unambiguous, TiToLeave does not collect any of the following:
- Names, emails, phone numbers, or contacts
- Your photo library (the system photo picker runs outside the app)
- Your calendar's contents: if you enable calendar detection, flights are spotted on-device and only a flight number you confirm is ever looked up
- Boarding-pass images: the barcode is read on-device and the image is discarded; we do not parse or store passenger name or PNR
- Any movement trail or location history
- Any advertising identifier unless you explicitly allow it when iOS asks. If you allow it, it is used only to measure which ad led you to install or subscribe (see Advertising & measurement); if you decline, none is collected and no cross-app tracking occurs
How we use what we collect
- To compute your Leave-By and keep it correct, watching live traffic and flight status and moving the time earlier when needed.
- To send the alerts and Live Activity that are the core of the product.
- To understand, in aggregate, how the product is used and where it breaks (privacy-respecting analytics, see below).
- To operate subscriptions, and to keep transaction records for accounting and fraud prevention.
- If you allow tracking, to measure which ad brought you to TiToLeave so our advertising can reach more travelers like you (see Advertising & measurement).
Advertising & measurement
We run ads (for example on Facebook and Instagram) to find new travelers. To know which ads actually work, we share a small set of conversion events with Meta Platforms, Inc.: that an install happened, that a free trial started, and that a subscription began. This lets us measure cost per customer and stop wasting money on ads that don't land.
- What we share with Meta: only those conversion events and the purchase value, plus — if you permit it — Apple's advertising identifier and basic technical signals (such as IP address and device type) used to match the event to an ad. We never share your trips, your routes, your location, or any name or email (we don't have your name or email).
- Your choice: iOS asks your permission before any tracking (the App Tracking Transparency prompt). If you decline, we do not use the advertising identifier; measurement then relies only on Apple's privacy-preserving, aggregated reporting.
- Where it goes: Meta processes this in the United States under its standard data-processing terms.
- EU & UK: there, advertising tracking requires a separate consent step beyond the iOS prompt. Until that step is in place, we do not request tracking or run this measurement for users in the EU/EEA or UK.
Who processes your data
| Service | What they handle |
|---|---|
| Apple | Maps drive-time queries, App Store purchases, and push notifications. First-party, under Apple's terms. |
| Supabase | Our database and backend (a processor acting on our instructions). Holds the trip mirror and logs described above, protected by row-level security so rows are scoped to your install. Hosted in the Tokyo region (see transfers below). |
| PostHog | Product analytics. Receives a defined set of usage events and your onboarding answers, keyed to your install ID. No automatic screen capture, no session recording, no autocapture. Debug builds send nothing. |
| Meta (Facebook / Instagram) | Advertising measurement. Receives the conversion events above (install, trial, subscription) and, only with your permission, your advertising identifier, to attribute them to ads. Never your trips or location. See Advertising & measurement. |
| Flight-data provider | To fetch live flight status we send flight numbers and dates only, never any identifier tied to you. |
| Superwall | Used to present and experiment with the subscription screen. Sees paywall interactions, not your trips. |
Where your data lives & transfers
Our database is hosted in Japan, which holds a full EU adequacy decision, so data of EU users is processed lawfully without additional transfer mechanisms. Apple and Superwall operate under their own data-processing terms. Analytics (PostHog) currently runs on US infrastructure under its EU–US Data Privacy Framework certification. Advertising measurement (Meta) is processed in the United States under Meta's standard data-processing terms; as noted above, this measurement does not run for EU/EEA or UK users until a separate consent step is in place.
How long we keep it
- Diagnostic and live-signal logs: 90 days.
- Your trip mirror: while your subscription is active, plus 12 months.
- Short-lived operational data (queued notifications, flight schedule cache) is purged within days.
- Subscription transaction records are kept as long as required for accounting and fraud purposes, keyed only by the transaction identifier with no profile attached.
- Advertising-measurement events sent to Meta are retained per Meta's own retention terms.
Legal bases (EU / UK)
Where the GDPR or UK GDPR applies, we rely on these legal bases:
- Contract: to provide the Leave-By service you subscribe to (compute and watch your trips).
- Legitimate interests: privacy-respecting product analytics, security, and fraud prevention, balanced against your rights.
- Consent: device permissions (location, notifications, calendar, camera), which you grant in iOS and can withdraw anytime.
- Consent (advertising): advertising measurement via Meta runs only if you allow tracking; it is off by default and withdrawable in iOS Settings. For EU/EEA and UK users this needs a separate consent step that is not yet active, so no advertising tracking runs for them.
- Legal obligation: keeping subscription transaction records.
Your rights & control
We never sell your personal information. The only data we share for advertising is the limited set of conversion events described under Advertising & measurement, and only with your permission. We do not build advertising profiles of you or track your behaviour across other companies' apps and sites. You have the right to:
- Delete everything, in-app, anytime. Settings → Privacy → Delete my server data wipes everything tied to your install from our servers. The app stops syncing before it relies on the result, so nothing is re-uploaded; live coverage gracefully falls back to on-device estimates.
- Decline or turn off ad tracking at any time in iOS Settings → Privacy & Security → Tracking; if off, no advertising identifier is used.
- Access, correct, port, restrict, or object to the processing of your data, and withdraw consent at any time.
- Because we hold no name or email, there is no account to log into. Email support@titoleave.com to exercise any right and we'll act on it.
- Permissions (location, notifications, calendar, camera) are always yours to grant or revoke in iOS Settings.
We don't discriminate against you for exercising any of these rights.
Europe & the UK (GDPR / UK GDPR)
The data controller is the independent developer who operates TiToLeave; reach us at support@titoleave.com. You have all the rights above, plus the right to lodge a complaint with your local data-protection authority. International transfers are covered by the adequacy decision noted under "Where your data lives & transfers". Advertising tracking does not run for EU/EEA or UK users until a separate consent mechanism is in place.
California & other US states (CCPA / CPRA)
In the past 12 months we have collected these categories: identifiers (a random install ID and, only with your permission, Apple's advertising identifier), internet or app activity (usage events), geolocation (only the leaving point you pin), and commercial information (subscription status). We do not sell personal information. We "share" (in the CPRA sense, for advertising measurement) only the limited conversion events described under Advertising & measurement, and only if you allow tracking. You can opt out at any time by declining or turning off tracking in iOS Settings, or by emailing support@titoleave.com. You also have the right to know, delete, and correct your data, and we do not discriminate against you for exercising these rights.
India (DPDP Act, 2023)
We process your data with notice and, where required, your consent, which you can withdraw anytime. You have the right to access, correct, and erase your data, to grievance redressal, and to nominate someone to exercise your rights on your behalf. Our grievance contact is support@titoleave.com; we aim to resolve grievances promptly.
Diagnostics
The app keeps a local diagnostic log to help fix problems. It stays on your device and is only ever sent to us if you tap "Email diagnostics" in Settings. It rotates automatically and is capped to a few days.
Security
Data in transit is encrypted. Server rows are owner-scoped with row-level security so one install can never read another's. Sensitive parsing (boarding passes, calendar) happens on-device.
Children
TiToLeave is not directed at children and is not intended for use by anyone under the age required to hold an Apple account in their country.
Changes
If we change this policy we'll update the date above and, for material changes, surface it in the app.
Contact
Questions or requests: support@titoleave.com.