Privacy
Data on the iOS app
Photos, GPS coordinates, voice notes, and report metadata are stored locally on your device using Apple SwiftData. The app does not run an analytics SDK. It does not collect crash reports, identifiers, or behavioral telemetry.
What leaves the iOS app
- Sealing a report sends the report's digital fingerprint, the trace ID, the region, the role (tenant/landlord), and the seal timestamp to a public registry we operate. Photos, names, addresses, and voice notes are NOT sent.
- Co-sign requests route through a co-sign service we operate. When the recipient signs or declines using their Apple ID, the service records: their Apple-verified email, name, role, timestamp, IP address, user-agent, decline reason if applicable, and the trace ID. This is the audit trail that makes co-sign meaningful.
- Sharing a PDF via the iOS share sheet — you choose the recipient.
- Purchases run through Apple StoreKit. Apple sees the transaction; Tenant Trace does not store payment information.
iCloud sync
If you have iCloud Drive enabled, photos, videos, voice notes, PDFs, and report manifests are stored in your private iCloud container so reports stay available across your Apple devices. This data is in your iCloud account; we do not have access to it.
Marketing website
This site (tenanttrace.app) uses Cloudflare's privacy-preserving web analytics for aggregate page views. It does not use cookies, does not track you across sites, and does not build behavioral profiles. The iOS app and the website have separate privacy postures: the app has no analytics SDK; the site has Cloudflare's beacon.
Third parties
No third-party analytics or advertising SDKs in the app (no Firebase, Mixpanel, Sentry, Facebook, Google). Apple StoreKit, Apple Sign-In (used by the co-sign service for recipient verification), our own registry / co-sign servers, and Cloudflare's web analytics on this site are the only network endpoints.
Location
Location data is captured only at the moment you take a photo, embedded in EXIF metadata, and stored locally. The app does not run background location.
Your rights
Delete a trace from the app to delete the local copy. Registry anchors are immutable once written (that's the point) but contain no personal information beyond the trace ID and fingerprint. To remove co-sign records associated with you, contact us.