We designed Commuta to respect your privacy from day one. Here’s everything you need to know — in plain English — about how your data is (and isn’t) used.

No. Commuta does not track your movements, store your location history, or monitor your behavior. The app may briefly access your location with your explicit permission, for example when you tap “Use My Location” to get weather, routing, or disruption alerts. This access happens only at the moment you request it and is never stored or reused.

This use of location is based on your consent under the ePrivacy Directive and your iOS privacy settings.

Commuta stores only what’s necessary to function — and never your name, email, phone number, or any identity.

We store:

• Commute preferences (e.g. saved destinations, transport modes)
   
• Optional loyalty points
   
• A random device ID (used only to group this anonymous data)
   

Your data is stored either:

• Locally on your device, or
   
• Anonymously on secure EU-based servers (via Supabase) to prevent data loss and enable syncing across reinstalls
   

Although no personal identifiers are collected, we treat this data with care and follow GDPR standards — including the possibility that your random device ID could be considered personal data if it’s persistently linked to your device.

Because we don’t need it. Commuta works entirely without an account, meaning you don’t have to give us your name, email, or create a password. Preferences are stored either on your device or anonymously in the cloud — using a randomly generated ID, not your identity.

This keeps the app fast, private, and frictionless — while helping you stay anonymous.

Yes — some data is stored anonymously in the cloud, using our secure backend (Supabase), to make sure you don’t lose it when you reinstall the app or change devices.

This includes:

• Saved destinations and preferences
   
• Your loyalty point total (if enabled)
   

All data stored in the cloud:

• Is linked only to a random device ID
   
• Is hosted on EU-based servers
   
• Is encrypted in transit and at rest
   
• Is never sold, shared, or used for profiling
   

We use Supabase as a data processor under GDPR. If any data is ever transferred outside the EU (e.g. for backup or support), it is protected by Standard Contractual Clauses (SCCs) or other legal safeguards.

No. Commuta does not sell, rent, or share your data with advertisers, brokers, or third-party analytics companies.

However, the app does interact with a few external services only when necessary to deliver features you’ve requested:

• OpenWeather for weather forecasts
   
• Transport APIs (e.g. TfL in London) for disruption alerts
   
• Google Maps, Uber, and Apple Maps via deep links for navigation or rides
   

When these services are triggered, your device may automatically share location coordinates or IP address with them as part of the request. Commuta does not send any personal data or user history to these services — only the minimum data required to fulfill the function (like getting the forecast or launching directions).

We believe you should know that IP addresses and device metadata are technically exposed during these interactions, even if they’re not used to identify you.

Absolutely not. Commuta does not contain:

• Ads
   
• Tracking pixels
   
• Analytics SDKs (like Google Analytics or Firebase)
   
• Fingerprinting
   
• Cross-app tracking
   

We do not show personalized ads, track your behavior, or profile you in any way. There’s no need for an App Tracking Transparency prompt — because we don’t track you across other apps or websites.

The only app behavior stored is entirely local (e.g. your loyalty points or how many commutes you’ve launched). This is never transmitted externally.

It doesn’t. Points are stored:

• Locally on your device, or
   
• Anonymously in Supabase, using your random device ID
   

We do not associate points with your identity. There’s no email, login, or behavior profile — just a number increasing over time, visible only to you. You can reset your points at any time.

This feature is designed to reward frequent use, not to track your behavior or build any kind of user profile.

Yes — your data is encrypted and stored securely:

• On-device: Commute data and settings are stored using iOS’s secure local storage
   
• In the cloud: Anonymous data is hosted on Supabase servers located in the European Union
   

All cloud data is:

• Transmitted over HTTPS
   
• Encrypted at rest
   
• Protected by access rules that only allow your device to read or write to your own anonymous record
   

We do not use or access your data beyond what’s required to operate the app. No Supabase staff can access your content, and Commuta employees do not see or use your preferences.

We retain your commute data and points only for as long as you actively use the app. If your device remains inactive for 12 consecutive months, we may automatically delete the associated anonymous data.

You can also request data deletion at any time (see next section).

Yes. You have full control.

You can:

• Delete the app, which removes all local data
   
• Clear preferences or points in-app
   
• Request deletion of cloud-stored data by emailing us
   

To delete cloud data, email info@commuta.ai. While we do not collect personal identifiers, we may need your help confirming which anonymous record belongs to your device. If available, we’ll guide you through how to share your internal Commuta device ID (this feature may be added to Settings soon).

We’ll delete your data promptly and confirm once it’s removed.

Yes. Commuta is designed from the ground up to meet or exceed the requirements of:

• GDPR (General Data Protection Regulation)
   
• ePrivacy Directive (cookies and communications privacy)
   
• Apple’s App Store privacy requirements
   

We follow key GDPR principles:

• Data minimization: only collect what’s needed
   
• Storage limitation: data auto-deletes if unused
   
• Transparency: we explain everything clearly
   
• No profiling or ads: no hidden monetization
   
• Lawful basis: all processing is based on consent or necessity
   
• No international transfers without safeguards
   

You have full rights under GDPR, including access, erasure, and objection. And we make it easy — because we collect very little data in the first place.

📦 Data stored:

• Saved destinations and preferences
   
• Optional loyalty points
   
• A random device ID (anonymous, used only for syncing)
   
• No names, emails, contacts, or personal identifiers
   

📍 Stored where:

• On-device (iOS secure local storage)
   
• Supabase (EU-based cloud database, encrypted)
   

🔧 External tools and APIs used:

Tool / APIPurposeData SharedLegal BasisSupabaseAnonymous backend storagePreferences, device IDContractual necessityOpenWeatherWeather forecastsLocation/IP (temporarily)Legitimate interestTfL / Transit APIsTransit disruptionsLine name, city, IPLegitimate interestGoogle Maps / UberRouting & rideshare deep linksDestination or coordinatesUser-initiated action 

🔐 Not used:

• No advertising SDKs
   
• No analytics platforms
   
• No cookies or pixels
   
• No cross-app or behavioral tracking
   

🕒 Retention:

• Data kept while the app is in use
   
• Auto-deleted after 12 months of inactivity
   
• Deletable anytime by user request
   

📬 Request data deletion:

Email info@commuta.ai and we’ll assist. If device ID export is available, we’ll use it to identify and remove your record.
 

We take your trust seriously. If we ever add features that involve new types of data or processing:

• You’ll be notified before anything changes
   
• You’ll have the option to consent or opt out
   
• This privacy policy will be updated clearly and transparently
   

We will never weaken your privacy without your knowledge or permission.