Privacy Policy
Last updated: May 25, 2026
1. Introduction
This Privacy Policy explains how Daft Detours LLC ("we", "us", "our") collects, uses, and protects information about you when you use the Daft Detours mobile application (the "Service"). Daft Detours LLC is a Wyoming limited liability company with its registered office at 30 N Gould St, Ste N, Sheridan, WY 82801.
We collect only the information we need to deliver the Service, and we protect it with the safeguards described below. We do not sell your data, and we do not use it for advertising.
2. Anonymous Use
You can browse tour summaries and listen to preview content without providing any personal information. When you open the app for the first time, we create an anonymous account that allows the app to function without identifying you personally.
You only need to provide an email address when you purchase a tour or redeem a code that requires email verification. Even after providing your email, you remain in control of your data and can delete your account at any time from within the app.
3. Information We Collect
Information you provide
- Email address. Collected after a tour purchase to enable cross-device access and recovery, or when you sign in via magic link.
- Authentication identifiers. If you sign in with Apple or Google, we receive your unique identifier from that provider and (in most cases) an email address. We do not request profile data, friend lists, or any other information from these providers.
-
Apple private relay addresses. If you sign
in with Apple and choose to hide your email, we receive
Apple's private relay address (ending in
@privaterelay.appleid.com). This is a working email address that forwards to you; we cannot see your real email. - Consent preferences. Whether you have consented to analytics and to receiving optional marketing emails. Both default to off until you opt in.
- Country and language preferences. Optional; used to tailor your in-app experience.
Information collected automatically
- Anonymous usage data. If you consent to analytics, we collect events about app interactions, tour completion, and stop engagement to understand how the Service is used and to improve it. This includes a hashed device identifier that allows us to count distinct devices without identifying you personally. If you do not consent, no analytics data is sent.
- Device identifiers (for download limits). To enforce our limit of three devices per tour, we store a device identifier on our servers. This identifier is used only for download management and is separate from any analytics data.
- IP address and request metadata. Our servers log basic request information (IP address, timestamp, browser user agent) for security and abuse prevention purposes. These logs are retained for a limited period and are not used for advertising.
- Purchase records. When you buy a tour, we record your purchase through RevenueCat (our subscription management provider) to grant you access. We do not store your payment card information.
4. How We Use Your Information
We use the information we collect to:
- Deliver the Service and enable you to access tours you have purchased
- Recover your purchases across devices when you sign in
- Send transactional emails (sign-in links, purchase confirmations, account deletion confirmations)
- Enforce our three-device limit and prevent fraud or abuse
- Improve the Service through anonymous analytics (only with your consent)
- Send marketing emails about new tours and features (only with your consent)
We do not sell your information to third parties. We do not use advertising identifiers. We do not share your information with advertisers.
5. How We Share Your Information
We share information only with service providers that help us deliver the Service. Each of these providers processes data on our behalf under contractual obligations to protect it.
- Supabase (database and authentication) — stores your account, profile, and entitlement data in Frankfurt, Germany (EU). supabase.com/privacy
- Cloudflare (server infrastructure and content delivery) — operates the API and serves tour assets. cloudflare.com/privacypolicy
- RevenueCat (purchase management) — processes in-app purchase records and entitlement grants. revenuecat.com/privacy
- Resend (transactional email) — sends sign-in links, receipts, and other emails on our behalf from a server in the European Union. resend.com/legal/privacy-policy
- PostHog (anonymous analytics) — processes analytics events in the European Union. Only used if you consent. posthog.com/privacy
- Apple and Google (in-app purchases and sign-in) — process payments and verify identity when you use Sign in with Apple or Sign in with Google. apple.com/privacy · policies.google.com/privacy
We may also disclose information if required by law, court order, or to protect against fraud or abuse of the Service.
6. Where Your Data Is Stored
- Account data, entitlements, and identity records are stored on Supabase servers in Frankfurt, Germany (EU)
- Analytics data, if you consent, is processed on PostHog servers in the EU
- Transactional email is sent through Resend's EU infrastructure
- Tour audio, images, and scripts are served via Cloudflare's global content delivery network
- Purchase records are processed by RevenueCat (US-based)
All data is transmitted over encrypted connections (HTTPS/TLS). Authentication tokens are stored in your device's secure platform storage (iOS Keychain or Android EncryptedSharedPreferences), not in general application storage.
7. Your Rights
European Union (GDPR)
If you are in the European Union, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
To exercise these rights, contact privacy@daftdetours.com or delete your account from within the app (Profile → Delete Account). Account deletion permanently removes your profile, entitlements, redemption history, device records, and authentication records from our systems.
California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion of your data, to correct inaccurate data, and to opt out of the sale or sharing of personal information. We do not sell or share personal information for advertising purposes. To exercise your rights, contact privacy@daftdetours.com or use the in-app account deletion.
8. Account Deletion
You can permanently delete your account at any time from within the app: Profile → Delete Account → type "DELETE" to confirm. Account deletion is immediate and irreversible. We delete:
- Your profile and authentication records
- Your tour entitlements and download history
- Your code redemption history
- Your device registration records
- Your analytics records (if any)
- Your purchase records held by RevenueCat
Once deleted, your tours cannot be recovered and any in-app purchases are not refundable through us. (Refunds for in-app purchases are handled by Apple or Google through their respective policies.)
9. Data Retention
We retain your account data for as long as your account is active. When you delete your account, your data is removed from our active systems immediately. Backups containing your data are retained for up to 30 days before being permanently deleted.
Server access logs (IP address, request metadata) are retained for up to 30 days for security and abuse prevention purposes.
If you do not consent to analytics, no analytics data is collected. If you have consented and later withdraw consent, no further data is collected from your device. Previously collected analytics data is retained by PostHog according to its retention policy.
10. Marketing Emails
We may send you marketing emails about new tours and features, but only if you have explicitly opted in. You can withdraw consent at any time from the Profile screen in the app. You can also unsubscribe using the link at the bottom of any marketing email.
Marketing emails are separate from transactional emails (sign-in links, purchase confirmations, account deletion confirmations), which are sent as part of using the Service and are not subject to marketing consent.
11. Children's Privacy
Daft Detours is intended for users aged 13 and over. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us at privacy@daftdetours.com and we will delete it promptly.
12. Security
We protect your information using appropriate technical and organizational measures, including:
- Encrypted connections (HTTPS/TLS) for all data transmission
- Encrypted storage for authentication tokens on your device
- Row-level access controls on our database
- Server-side authentication required for all privileged operations
- Rate limiting and audit logging on sensitive endpoints
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you as required by applicable law.
13. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you through the app or via email to the address associated with your account. The "last updated" date at the top of this policy reflects the most recent revision.
14. Contact
Questions about this policy or your data? Contact us at:
Daft Detours LLC
30 N Gould St, Ste N, Sheridan, WY 82801
Email: privacy@daftdetours.com
For EU users, you may also contact your local data protection authority.