1. Who we are
TilDawnis a long-distance relationship app operated by Pixelated Vectors LLC (“TilDawn,” “we,” “our”). Our registered address is [ENTITY_ADDRESS]. For privacy questions, write to privacy@tildawn.app. For legal notices, legal@tildawn.app. For anything else, hello@tildawn.app.
If you’re in the EU or UK, our Data Protection Officer (or equivalent contact) is Not applicable — Pixelated Vectors LLC is a United States LLC not established in the EU and does not conduct large-scale processing under GDPR Art. 37.
2. What we collect, and why
We only collect what the app needs to do its job. Each class below is tied to the feature it powers.
Account data
Email, password (hashed by our auth provider — we never see it), name, date of birth (so we can gate the app at 16+), timezone (so we wake your partner at 7am and don’t wake you at 3am), and a profile photo if you choose one.
Relationship data
Partner name or nickname, key dates like anniversaries and first-meet, and the difference between your timezones. This is how the countdown and the Sky Window know what to show.
Your content
The letters, voice notes, photos, time capsules, love notes, doodles, game answers, shared list items, notepad text, visit plans, and saved places you create inside the app. This is your side of the relationship, and it lives here so both of you can keep it.
Derived data
Weekly sentiment snapshots, streak counts and freezes, story chapter progress, and daily question history. These are built from your activity so the Inbox and Year in Review have something to show you.
Location (opt-in)
If you turn on live location, iOS sends us your city and country (and the coordinates behind them). Your partner only ever sees the city— never the coordinates, never the street. We use iOS Significant Location Changes, not precise tracking. You can pause for 2 hours with one tap, or stop entirely — your partner sees when you do.
Device data
Your push notification token (so the app can reach you), device timezone, locale, and OS version. No ad IDs. No contacts. No calendar. No health or financial data.
Cooling Filter data
When you choose to cool a message, we send your original draft to Anthropic’s Claude API for rewriting. On our side, we encrypt the original and keep it for up to 90 days so you can review or clear it in Settings. After 90 days, the encrypted copy is purged automatically. What survives permanently is a one-way cryptographic fingerprint (SHA-256 hash) plus a severity category (low / medium / high) — retained for safety analytics and platform-abuse investigations. The fingerprint can’t be reversed into your original words.
Crash and performance data
When the app crashes or slows down, Sentry receives a stack trace, the device OS, and the app version. No message content. No photos. No personal identifiers.
3. Who processes your data
We rely on a small set of vetted processors to run TilDawn. Each one is contractually bound to protect your data and only use it to provide their service to us.
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, file storage, realtime, edge functions. policy | AWS US-East |
| Anthropic | Cooling Filter rewrites via Claude API. policy | United States |
| Expo | Push delivery via Apple APNs. policy | United States |
| Sentry | Crash and performance telemetry. policy | United States |
| RevenueCat | Subscription status when we wire real purchases. policy | United States |
| Resend | Sending your data-export emails. policy | US / EU |
| Google (Sign in) | OAuth login claim (email, name, avatar). policy | United States |
| Apple | Sign in with Apple — relay or real email, name. policy | United States |
We do not share data with advertisers, brokers, or analytics networks. There are no tracking SDKs in this app.
4. How long we keep it
| Class | Retention |
|---|---|
| Account, relationship, content | Until you delete your account. |
| Cooling Filter original (encrypted) | Up to 90 days, then automatically purged. |
| Cooling Filter hash + severity | Until you delete your account. |
| Location (city + coordinates) | Only the latest known value. No history table. |
| Crash / performance logs | 90 days at Sentry, then purged. |
| Data export emails | Download link expires in 7 days. |
When you delete your account, the deletion cascades across every table we store your data in, removes your files from storage, and revokes your login.
5. Your rights
Wherever you live, you have the right to see and control the data we hold about you. In the EU, UK, and California, these rights are backed by GDPR, UK GDPR, and CCPA/CPRA respectively — but we honor them for everyone.
- Access and portability.Settings → Privacy → Export my data. We pack everything you’ve created into a JSON archive and email you a download link within 24 hours. One export per 24 hours.
- Rectification. Edit your profile, key dates, and preferences anytime in Settings. For anything else, email privacy@tildawn.app.
- Erasure.Settings → Privacy → Delete account. Two-step confirm. Removes every letter, photo, day you’ve logged together, and your login — permanent.
- Restriction and objection.Turn off the Cooling Filter, pause or stop location sharing, hide read receipts, clear cooling history — each is a toggle in Settings.
- Automated decision-making.We don’t use any. The Cooling Filter rewrites text you asked it to rewrite — you always see both versions and choose which to send.
- Complaints.You can lodge a complaint with your local data-protection authority. In the UK it’s the ICO; in the EU, your national DPA. We’d rather you talked to us first at privacy@tildawn.app.
6. Who can use TilDawn
TilDawn is for people 16 and older. We ask for your date of birth at signup and block accounts under 16. If you believe a child under 16 has created an account, email privacy@tildawn.app and we’ll remove it within 72 hours.
7. Where your data travels
Our primary database lives in the United States (Supabase on AWS US-East). Several of our processors are also US-based. If you’re in the EU or UK, transfers to the US are covered by Standard Contractual Clauses (SCCs) where adequacy decisions don’t apply, and by the EU-US Data Privacy Framework where they do. A full list of SCCs and processor addenda is available on request at legal@tildawn.app.
8. The Cooling Filter, specifically
The Cooling Filter is optional. You tap it; it doesn’t fire on its own. When you do:
- Your draft is sent to Anthropic’s Claude API to be rewritten.
- Anthropic’s standard API policy retains request and response data for up to 30 days for abuse monitoring. We are in active discussions with Anthropic to sign a Zero Data Retention (ZDR) amendment that removes this retention; until that is signed, the 30-day window applies.
- On our side, we encrypt your original with a per-user HKDF-derived key. We keep the ciphertext for up to 90 days so you can review or clear it in Settings → Privacy. Then it’s purged by an automated sweep.
- A SHA-256 fingerprint and a severity category survive permanently for abuse-prevention — these cannot be reversed to your words.
- The Filter rewrites language. It doesn’t diagnose, advise, or take sides. It is a communication tool, not therapy or counseling.
9. Live location, specifically
Live location is off by default. If you turn it on, iOS shares your position with TilDawnvia Significant Location Changes — a low-power, city-granularity mechanism. We resolve the coordinates to a city name and country via reverse geocoding, then your partner’s app displays the city only. Your partner never sees coordinates, never sees a street, and never sees a map pin at precise granularity.
You can pause sharing for 2 hours (auto-resumes), or stop entirely. When you stop, your partner is told — no silent exits.
10. How we protect your data
- Encryption in transit. Every request uses HTTPS/TLS 1.2+.
- Encryption at rest. Supabase storage and database are encrypted with AES-256. Cooling Filter originals use an additional layer: per-user keys derived via HKDF-SHA-256 from a master key held in Supabase Vault.
- Row-Level Security.Every table enforces access at the database level, so even a compromised client can’t read another couple’s data.
- Secure tokens.Your auth session lives in your device’s secure enclave, not in general app storage.
- Two-factor support.Sign in with Apple and Google both offer 2FA from the provider — we honor it transparently.
No system is perfectly secure. If we become aware of a breach that affects you, we’ll notify you within 72 hours of confirmation, per GDPR Art. 33 — and we’ll tell you what happened, what we’re doing, and what you can do.
11. Changes to this policy
If we change this policy in a way that materially affects you, we’ll notify you in the app and by email at least 30 days before the change takes effect. We won’t quietly rewrite it. The Effective date and Last updated below always reflect the current version.
12. How to reach us
Privacy: privacy@tildawn.app
Legal: legal@tildawn.app
Support: hello@tildawn.app
EU/UK Data Protection Officer (or equivalent): Not applicable — Pixelated Vectors LLC is a United States LLC not established in the EU and does not conduct large-scale processing under GDPR Art. 37
thank you for reading this far ✦
EFFECTIVE · APR 23 · 2026
LAST UPDATED · APR 23 · 2026
TILDAWN · V 1.0