Privacy Policy
Last updated: July 2026
Summary: We collect account and profile data, device/push tokens, optional portal credentials, and operational server logs to run the app and send reminders. Optional diagnostic screen-navigation events may be enabled for closed testing. We use Supabase, Expo Push, and (for payments) Stripe. We do not sell your data. We do not use third-party advertising analytics SDKs (e.g. Firebase Analytics, Amplitude).
Data we collect
- Account: Email, password (handled by Supabase Auth), user ID, timezone, subscription status.
- Immigration profiles: Name, passport number and country, passport expiry, date of birth, visa type and dates, entry date, 90-day report dates, TM30 info, re-entry permit, work permit, profile stage, e-visa application data, planned entry, etc.
- Device and push: Expo push token, device ID, platform (iOS/Android), device name (for reminders and notifications).
- Documents: Files you upload (e.g. passport, visa, receipts) and metadata (category, expiry, tags, notes); stored in Supabase Storage.
- Travel log: Entry/exit dates and locations you record.
- Reminders and notifications: Reminder settings, quiet hours, notification preferences (email/push, digest frequency).
- API access logs (server): For each API request we may log method, path, status, duration, client IP, anonymized user id (JWT subject), and request correlation ids (
X-Client-Request-Id/X-Request-Id). Purpose: security, support, and reliability—not advertising. - Optional diagnostics: When diagnostics are enabled (typically closed testing via server flag
DIAGNOSTIC_EVENTS_ENABLEDand matching app config), we may receive screen route names (e.g./(tabs)/travel), event type, timestamp, and client request id. No profile names or other PII in these events. Default is off in production until you enable it. - Premium / optional:
- Portal account linking: Encrypted storage of usernames/passwords for Thai immigration portals (e-visa, 90-day, TM30, VFS extension) for in-app browser prefill.
- Bank balance (e.g. for retirement visa): Account name, bank name, balance, renewal date.
- Profile groups, check-ins, profile linking (invitations, access grants).
How we use it
To provide the service (tracking, reminders, notifications, document storage, optional portal linking and AI advice), to process payments (Stripe), and to communicate with you (email for verification, password reset, invitations, link requests, check-ins).
Storage and third parties
- Supabase: Auth, database (PostgreSQL), file storage; data stored in Supabase's infrastructure.
- Expo Push Notifications: To send push notifications to your devices.
- Stripe: Payment processing for premium subscriptions; payment data is handled by Stripe per their privacy policy.
- Email: Sending transactional email (verification, password reset, invitations, link requests, check-ins) via our server.
- Google / Apple: If you use "Sign in with Google" or "Sign in with Apple," those providers process the sign-in; we receive only what you allow (e.g. email, name).
Security
Passwords and auth by Supabase; sensitive portal credentials encrypted (AES-256-CBC) before storage; HTTPS for all traffic; Row-Level Security (RLS) in the database so users only access their own data.
Your rights
You can access, correct, or delete your data (account and profiles) via the app or by contacting us; we'll respond within a reasonable time. Contact: support@thaitrack.app.
Data retention
We retain your data while your account is active; you can request account deletion; we may retain some data as required by law or for legitimate purposes (e.g. backups, disputes).
Changes
We may update this policy; we'll post the new version at this URL and update the "Last updated" date; continued use after changes constitutes acceptance.
Contact
For privacy or data requests: support@thaitrack.app.