Legal

Privacy Policy

This policy explains what data we collect when you sign in, subscribe, or use AI features — what we do with it, and what we don't.

Last updated: 2026-05-23 · Effective: 2026-05-23

1. Summary

The short version:

If you create an account, we store your email address and a user ID with our auth provider (Supabase) so we can authenticate you.
If you use the AI features (generate task from a sentence or photo, improve a task, generate a list or stat), the text or image you provide is sent to our backend and to an AI provider to produce a response.
If you subscribe to To-Track Pro, RevenueCat manages the subscription state. Apple handles your actual payment — we never see your card.
We do not sell your data. We do not run ads. We do not track you across other apps or websites.

2. Who we are

"To-Track", "we", "us", or "our" refers to the developer of the To-Track mobile application. If you need to reach us about privacy, email [email protected].

3. What we collect

The data we collect, why, and where it goes:

DataPurpose

Email addressAccount creation, sign-in, password recovery, account-related communication. Stored by Supabase.

User IDA unique identifier issued by Supabase and a separate app user ID used by RevenueCat to tie your account to your subscription state. Used for app functionality only.

User content sent to AIWhen you use AI generation or task-improvement features, the prompt text and any image you attach are sent to our backend and to our AI provider so a response can be returned.

Purchase / subscription stateRevenueCat tracks whether your account has an active Pro subscription so the app can unlock paid features. We do not receive your payment card details — those stay with Apple.

Rate-limit metadataWhen you call an AI endpoint, we record minimal metadata (your user ID and a timestamp) to prevent abuse and enforce fair-use limits.

What we do not collect

We do not collect your location.
We do not access your contacts, calendar, health, or fitness data.
We do not use third-party analytics SDKs (no Google Analytics, no Mixpanel, no Amplitude, no Firebase Analytics).
We do not use third-party advertising or attribution SDKs.
We do not include crash-reporting SDKs that send your data off-device.
We do not read or scan your photo library; the only photos that leave your device are ones you explicitly attach to an AI request.

4. How your task data is stored

Tasks, notes, tags, states, properties, and lists you create in To-Track are stored in a database on your device. Specific content is transmitted to our backend only when you use a feature that needs it — for example, AI generation (described below).

5. AI features

To-Track offers optional AI features that generate or refine tasks. When you use these features:

The prompt text and any image you attach are sent over HTTPS to our backend (hosted on Supabase Edge Functions).
Our backend forwards the request to a third-party AI provider (Google Vertex AI) to produce a response.
The response is returned to your device. We do not retain your prompt or the model output on our servers beyond what is needed to complete the request and enforce rate limits.
You can avoid sending data to AI providers entirely by not using these features.

6. Subscriptions and payments

To-Track Pro is sold as an in-app purchase through the Apple App Store. Apple handles the payment, and we never receive your card number, billing address, or other payment credentials.

We use RevenueCat to manage subscription state — that is, to know whether your account is entitled to Pro features. RevenueCat receives a subscriber identifier and the receipt issued by Apple. See RevenueCat's privacy policy at revenuecat.com/privacy.

7. Third-party services we use

Supabase — authentication, database, and edge functions backing the AI endpoints. Supabase privacy policy.
RevenueCat — subscription management. RevenueCat privacy policy.
Google Vertex AI — AI model provider that processes the prompts you submit to AI features. Google Cloud privacy notice.
Apple — App Store distribution and in-app purchases. Apple privacy policy.

These providers act as data processors on our behalf. They are contractually required to protect the data we share with them and to use it only for the purposes described here.

8. Tracking and advertising

We do not track you. Specifically, we do not link your data with data from other companies' apps, websites, or offline properties for advertising or measurement purposes, and we do not share your data with data brokers. To-Track contains no ads and no advertising SDKs.

9. Data retention

Account data (email, user ID): retained for as long as your account exists. Deleted within 30 days of an account deletion request.
Subscription state: retained by RevenueCat for as long as needed to provide and reconcile your subscription, then per RevenueCat's retention policy.
AI request content: not retained on our backend after the request completes, beyond minimal rate-limit metadata (user ID + timestamp) kept for up to 30 days.
Task data on your device: retained until you delete it or uninstall the app.

10. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email [email protected] from the email address tied to your account. We respond within 30 days.

You can delete your account from inside the app at any time. Deleting your account removes your email and user record from our auth system and revokes access to AI features. Task data on your device is removed when you uninstall the app.

11. Children

To-Track is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. International transfers

The third-party providers listed above may process data in countries other than the one you live in, including the United States. Where required, we rely on standard contractual clauses or equivalent safeguards offered by those providers.

13. Security

All network traffic between the app and our backend is encrypted in transit (HTTPS / TLS). Account credentials are managed by Supabase's auth system and we never store passwords in plain text. No system is perfectly secure, but we work to follow current best practices.

14. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page, and where appropriate we'll notify you in the app. Continued use of To-Track after a change means you accept the updated policy.

15. Contact

Email: [email protected]

Use this address for privacy questions, account deletion requests, and general support.