Tidbit
Privacy Policy.

/ scope

This policy describes how Tidbit (the "App"), an iOS application published by Bay One Ten LLC ("Bay One Ten," "we," "us," or "our"), collects, uses, and shares information when you use the App. It applies to every user of the App, regardless of age or location.

This policy does not cover the bayoneten.com website (which has its own policy) or any other apps we may publish.

/ at a glance

/ information we collect

Device identifier (Identifier for Vendors / IDFV). Apple provides a per-vendor identifier that is stable while you have any of our apps installed and resets when you uninstall. We use it as a pseudonymous "device_id" attached to analytics events so we can analyze cohorts and retention without identifying you.

Reading data stored in your iCloud (CloudKit private database). Your category preferences, onboarding answers, daily reading goal, notification preferences, reading streaks, articles read, saved/liked articles, and a feed cache (for offline launches) are stored in your private iCloud container and synced across your devices by Apple. Bay One Ten does not have access to this data — it lives in your Apple account.

Product analytics events (Supabase). The App sends pseudonymous, write-only event data to our backend (Supabase) to understand product use. Each event includes the device_id described above, an app session ID, app version, and event-specific metadata. Categories of events include:

Analytics events do not contain your name, email, contact information, location, search query text, or article content. Events that fail to send while you are offline are queued locally and retried (up to a 200-event cap) when connectivity returns.

Meta (Facebook) SDK data. We use Meta's SDK to measure the effectiveness of ad campaigns that bring users to Tidbit. The SDK automatically logs basic app events (such as app activation) and we log a small number of custom events to Meta — completion of onboarding, first article read, and subscription purchase events. Cross-app and cross-website tracking using your device's advertising identifier (IDFA) is disabled by default and is only enabled if you grant permission via the iOS App Tracking Transparency ("ATT") prompt. If you decline or withdraw ATT permission (Settings → Privacy & Security → Tracking → Tidbit), Meta receives event data without the IDFA and cannot link it to your activity in other apps or sites.

Push notification token. If you grant notification permission, Apple issues a push token that we use to deliver notifications (morning "this day in history," editor's pick, streak-at-risk, lapsed-user re-engagement). The token identifies your device to Apple's push service, not you personally.

Subscription and purchase data. If you subscribe, the purchase is processed by Apple via StoreKit. We see whether you have an active subscription, the plan tier, and standard StoreKit transaction metadata. We do not receive your name, billing address, or payment-card details — those are handled entirely by Apple.

What we do not collect. Tidbit does not request access to your camera, microphone, photo library, contacts, calendars, location, health data, or files. The App is iPhone-only and does not require sign-in.

/ how we use information

/ third parties who process data on our behalf

ProviderRoleWhat it sees
Apple App distribution, CloudKit, StoreKit, Push (APNs), IDFV, ATT framework Subscription transactions, push tokens, your iCloud-synced reading data (kept in your private iCloud, not shared with us)
Supabase, Inc. Backend for story content, curated feeds, and analytics events Story-fetch requests, pseudonymous analytics events keyed by device_id
Meta Platforms, Inc. Facebook SDK for ad-campaign measurement App install / activation, custom events (onboarding completion, first article read, purchases). IDFA only with your ATT consent.

Each of these providers processes data under their own privacy practices: Apple, Supabase, Meta.

/ how we share information

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising in the CCPA/CPRA sense. We disclose data only:

/ data retention

iCloud data remains in your private iCloud as long as you keep the App installed and signed into iCloud. You can delete it at any time by deleting Tidbit and, optionally, the App's CloudKit data via Settings → [Your Name] → iCloud → Manage Storage.

Analytics events (Supabase) are retained for up to 24 months for product analysis, after which they are deleted or further aggregated.

Meta SDK data is retained per Meta's own retention policies.

Subscription records are retained as long as required by Apple, tax law, and accounting obligations.

/ your choices and rights

Tracking (ATT). You can change Tidbit's tracking permission at any time in Settings → Privacy & Security → Tracking. Denying tracking does not disable the App.

Notifications. You can disable push notifications at any time in Settings → Notifications → Tidbit, or for individual notification types in the App's Settings.

Reset your reading data. You can clear your reading state at any time by uninstalling Tidbit. To also delete the App's iCloud data, go to iOS Settings → [Your Name] → iCloud → Manage Storage → Tidbit → Delete Data.

Right to access, delete, correct. Because we do not collect a name, email, or other personal identifier, we cannot directly look up data about you. To request deletion of analytics events associated with your device, email contact@bayoneten.com with your device_id (visible in the App's developer/diagnostics view) and we will delete corresponding records within the time required by law.

California residents. The CCPA / CPRA give you the right to know, access, delete, correct, and limit certain processing of your personal information, and to opt out of any "sale" or "sharing" — we do not sell or share personal information in that statutory sense. To exercise these rights, email contact@bayoneten.com. We will not discriminate against you for exercising your rights.

European Economic Area / United Kingdom. If you use Tidbit from the EEA or UK, you have rights under the GDPR / UK GDPR including access, rectification, erasure, restriction, portability, and the right to object. Our legal bases are: legitimate interests (product analytics, ad-campaign measurement, fraud prevention), contract performance (delivering and maintaining your subscription), and consent (ATT-based tracking). To exercise these rights, email us. You may also lodge a complaint with your local data-protection authority.

/ children

Tidbit is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. The App is rated 12+ on the App Store. If you believe a child under 13 has provided information to us, email contact@bayoneten.com and we will delete it.

/ international data transfers

Bay One Ten LLC is based in the United States, and our processors (Apple, Supabase, Meta) operate facilities in the United States and other regions. If you use the App from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions whose data-protection laws may differ from your own. By using Tidbit, you acknowledge this transfer.

/ security

We take reasonable administrative and technical measures to protect the limited information we hold. CloudKit data is encrypted by Apple in transit and at rest. Connections to our backend use HTTPS. No system is perfectly secure, and we cannot guarantee that information transmitted over the internet is invulnerable to interception or misuse.

/ changes to this policy

We may update this policy. The "Effective" date above reflects the most recent change. Material changes will be posted at this URL, and we may also surface an in-app notice for significant changes.

/ contact

Questions about this policy or about information we hold:

Bay One Ten LLC
325 100th Street, Apt 1C
New York, NY 10025
contact@bayoneten.com