ROUTLAS PRIVACY POLICY Effective date: 2026-05-10 Last updated: 2026-05-10 1. INTRODUCTION This Privacy Policy describes how Routlas (the "Service" -- the Routlas iOS and iPadOS application and the related backend services hosted under *.routlas.app) handles information. By using the Service you agree to this Policy. Routlas is designed to require as little data as possible to function. There are no user accounts, no advertising, no third-party analytics, and no cross-app or cross-site tracking. 2. PLAIN-LANGUAGE SUMMARY - We do not ask you to sign in. - We do not collect your name, email, phone, address, or location. - We do not show ads and we do not use advertising identifiers. - We do not embed analytics, attribution, marketing, push- notification, or crash-reporting SDKs. - When you browse routes, the filters you pick (airport codes, airline names, countries, aircraft types) are sent to our servers so we can return matching results. They are not linked to your identity, because we do not have one for you. - Our edge provider (Cloudflare) sees your IP address and basic request metadata transiently for routing, rate limiting, and abuse prevention. 3. INFORMATION WE DO NOT COLLECT We do not collect, request, or store any of the following: - Name, email address, phone number, mailing address, or any other personally identifying contact information. - Government identifiers, account numbers, payment card data, or other financial information. - Precise or approximate location, GPS coordinates, Wi-Fi or Bluetooth scan results, or other geolocation signals. The Routlas app does not request the iOS location permission. - Photos, files, contacts, calendar, reminders, health, motion, microphone, or camera data. The Routlas app does not request any of these permissions. - Advertising identifiers (IDFA), App Tracking Transparency consent, SKAdNetwork postbacks, or any cross-app tracking signals. - Behavioral analytics events, screen views, taps, session recordings, or heatmap data. 4. INFORMATION WE DO COLLECT OR PROCESS a) On your device. The Routlas app stores your interface preferences (selected map style, filter selections, display options) locally on your device using Apple's UserDefaults. This information stays on your device. We do not receive it. b) Sent to our servers when you use the app. When you request route information, the app sends the parameters needed to fulfill the request to our backend at api.routlas.app. These parameters may include: - Airport IATA codes you are viewing. - Airline, country, continent, alliance, or aircraft-type filters you have selected. - Display options that affect what the server returns. These requests do not include any identifier for you or your device beyond what is necessary for the network connection itself. c) Server-side technical data. Our edge provider (Cloudflare) processes standard request metadata in the course of delivering the Service. This may include your IP address, user-agent string, request timestamps, TLS metadata, and the path and method of the request. This data is used to route traffic, enforce rate limits, mitigate abuse, and maintain availability. It is retained transiently in edge logs per Cloudflare's standard practices and is not linked by us to any user identity. d) On-device AI. The Routlas app uses Apple's on-device foundation models to interpret natural-language filter input (for example, "routes from the US to Japan"). This processing happens entirely on your device. The text you type into that feature is not transmitted to us or, by the Routlas app, to Apple's servers. 5. HOW WE USE INFORMATION We use the limited information described in Section 4 only to: - Operate, maintain, and improve the Service. - Respond to user-initiated requests, such as returning route data for the filters you selected. - Detect, prevent, and address abuse, fraud, security issues, or violations of our terms. - Comply with applicable legal obligations. We do not sell, rent, or trade information. We do not share information with advertisers or data brokers. We do not use any information to build advertising profiles, infer demographic attributes, or perform cross-context behavioral advertising. 6. THIRD PARTIES The Service relies on the following third parties, each subject to its own privacy practices: - Cloudflare, Inc. -- content delivery, DNS, edge proxying, Web Application Firewall, and rate limiting for *.routlas.app. See https://www.cloudflare.com/privacypolicy/ - Apple Inc. -- App Store distribution and the on-device machine-learning frameworks used by the app. See https://www.apple.com/legal/privacy/ We do not integrate analytics, attribution, advertising, A/B-testing, push-notification, or crash-reporting SDKs from any third party. 7. DATA RETENTION Because we do not maintain user accounts and do not link requests to identities, we do not store user records. Request metadata processed transiently by Cloudflare is retained according to Cloudflare's standard logging practices. We may retain aggregated, non-identifying operational metrics (such as total request counts) for as long as needed to operate and improve the Service. 8. SECURITY The Service is delivered exclusively over HTTPS with modern TLS (TLS 1.2 or higher), HSTS, and a Web Application Firewall with edge rate limiting. We take commercially reasonable measures to protect the Service. No system, however, is perfectly secure; we cannot guarantee absolute security. 9. CHILDREN'S PRIVACY The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided information through the Service, contact us at the address in Section 15 and we will take appropriate steps. 10. INTERNATIONAL USERS The Service is operated from the United States. If you use the Service from outside the United States, you acknowledge that your request metadata is processed in the United States and in other countries where Cloudflare operates edge infrastructure. 11. YOUR RIGHTS UNDER CALIFORNIA LAW (CCPA / CPRA) Subject to certain exceptions, California residents have the right to: - Know what personal information we have collected about you. - Request deletion of personal information. - Correct inaccurate personal information. - Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information as those terms are defined under the CCPA. - Limit the use of sensitive personal information. We do not collect categories of sensitive personal information as defined under the CCPA. - Non-discrimination for exercising your rights. Because the Service does not associate requests with named individuals or persistent user identifiers, in most cases we cannot identify any data as belonging to a specific person. Where we are unable to verify a request on that basis, we will explain why in our response. 12. YOUR RIGHTS UNDER EUROPEAN AND UK LAW (GDPR / UK GDPR) If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may have the right to access, rectify, erase, restrict, or port personal data we hold about you, and to object to certain processing. Our lawful bases for processing the limited information described in this Policy are: performance of a contract (Article 6(1)(b)), our legitimate interests in operating and securing the Service (Article 6(1)(f)), and compliance with legal obligations (Article 6(1)(c)). The same identifiability limitation noted in Section 11 applies. You may lodge a complaint with your local supervisory authority. 13. DO NOT TRACK AND GLOBAL PRIVACY CONTROL We do not track users across sites or applications, so there is nothing to disable in response to "Do Not Track" or Global Privacy Control signals. We honor those signals by not tracking in the first place. 14. CHANGES TO THIS POLICY We may update this Policy from time to time. Material changes will be reflected by updating the "Effective date" above and, where appropriate, by an in-app or in-product notice. Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy. 15. CONTACT For privacy questions or to exercise any of the rights described in this Policy, contact us at: https://support.routlas.app -- End of Policy --