Data you own and control

Here’s exactly what leaves your device, where it goes, and what we don’t do with it. No hand-on-heart language — the point of this page is to tell you the shape of the data flow in specific enough terms that you can decide for yourself whether it is the shape you want.

Where your syndicate data lives

Your syndicate’s data lives in a Supabase Postgres database on servers we rent. PowerSync replicates a filtered view of the relevant rows down to your device as a local SQLite file, so the app can run without a signal; writes queue locally and push back when you reconnect. The filter is per-membership — you only ever receive rows for syndicates you belong to.

The list of tables that actually replicate to the device — bookings, usage logs, maintenance, financial transactions, and so on — is on Offline capabilities. A handful of tables are deliberately online-only (settlements, invites, notification preferences) because they either need a server-side check or are too sensitive to last-write-wins conflicts. That reference page is the authoritative list.

What else leaves your device

Anonymised crash reports via Firebase Crashlytics. When the app crashes, we collect: the stack trace, the device model, the OS version, and the app version. We do not collect user content and we do not collect syndicate data. If you had a flight log open when the app crashed, the crash report does not contain that log — only the technical trace of where the code failed.

That is the whole list of non-sync egress. No analytics SDK, no advertising identifiers, no third-party tracking.

What we don’t do

We don’t sell your data.
We don’t train AI models on your data.
We don’t show ads.
We don’t share your data with marketing or advertising partners.

These are commitments, not hedges. The business model is straightforward — see Subscription philosophy — and none of the above is part of it.

Your account and your syndicate

A syndicate’s data belongs to the syndicate, not to any one member, because it is shared by all of them. When you delete your own account, your personal profile and your own identifying records are removed; records that belong to the syndicate as a whole — shared financial records, the booking history that the group relied on — may be retained in anonymised form for the other members, so their records of the syndicate are not torn up when one person leaves.

The in-app confirmation states this directly: deleting your account removes you from all syndicates, and your bookings and financial records are anonymised rather than destroyed. Deletion takes up to 30 days to complete, during which you can cancel; after that it is irreversible.

If you are the only member of a syndicate, there is no one left whose records depend on yours, and the syndicate can be wound up. If you are one of several, your departure does not erase the syndicate.

Your settings, your control

Separately from account deletion, you have fine-grained privacy controls at the syndicate level while you are a member. Three settings — whether member names appear on other people’s calendar bookings, which roles see the financial detail of other members’ usage logs, and whether usage photos are visible across the syndicate — are configured on Privacy & Visibility. Photos attached to usage logs are stored privately and served only via short-lived signed URLs; see usage photo privacy for the exact rules.

None of these settings are feature-gated. They apply equally on the free tier and the paid tier.

Where to read the legal version

This page explains the shape of the policy in plain terms. The legal versions live in-app at Account → About → Terms of Service and Account → About → Privacy Policy. They are also available as public routes — /terms and /privacy — so you can read them before signing up or share a link with a prospective member. The legal text is the binding version; if anything here and there disagree, the legal text governs.