Privacy Policy
Effective date: June 5, 2026
Last updated: July 14, 2026
1. Summary
TDY Slayer is built to keep your data on your device. Your trips and receipt images live on your iPhone. Information leaves your phone in only a few limited situations: when the App sends a receipt or document image to the cloud so it can be read by an artificial intelligence (AI) model, when you sign in so the cloud service can recognize your requests, when the App sends limited, anonymous-by-design usage analytics so we can understand how the App is used and improve it, and — if you subscribe — when our subscription service records that your subscription is active.
In plain English:
- Your trip data and receipt images live on your iPhone. They are stored in an Apple App Group container that the App and its Share Extension share.
- You sign in with Sign in with Apple. We receive an Apple-provided identifier that lets the cloud OCR service recognize requests from your signed-in copy of the App. We do not receive or store your name or email address on our servers — Apple lets you keep your email private, and the App does not ask for it.
- Receipt images are sent to our OCR service (a Cloudflare Worker we operate) which uses commercial AI models — currently xAI's Grok and Anthropic's Claude — to read the document, and the result comes back to your phone. While a document is being read, it is briefly stored — encrypted — on Cloudflare so the work can finish even if you close the App, and the image is deleted as soon as its read completes (see Section 4).
- We collect limited usage analytics (which screens are used, which features are tapped) tied to the same opaque identifier as your sign-in — never receipt images, document contents, merchant names, or your profile details (see Section 4).
- If you subscribe to TDY Slayer Pro, Apple processes the payment — we never see your card or billing details. A subscription-management service (RevenueCat) records that your subscription is active, so it works across your devices and survives a reinstall. It receives an opaque identifier and your purchase history — never your receipts, trips, or profile (see Section 4).
- We do not sell your data. We do not show ads. We do not have advertising partners.
- We do not communicate with any official government system. Nothing flows from this App to DTS, to your finance office, to your command, or to any DoD network.
The rest of this policy explains the details.
2. Who we are
TDY Slayer is published by Southwind Digital LLC ("Southwind Digital," "we," "us"). Contact: [email protected].
3. Information stored on your device
The following information is created, captured, or imported by you and stored locally on your iPhone:
- Photos and PDFs of receipts, lodging folios, orders, Non-Availability ("Non-A") letters, Government Travel Card (GTC) statements, and other travel-related documents you choose to capture or share with the App.
- Structured information extracted from those documents by OCR — for example, merchant name, amount, transaction date, currency, and other fields useful for preparing a travel voucher.
- Trip data you create — trip names, date ranges, lifecycle status (Active / Travel Complete / Submitted / Paid), and progress through the voucher-prep workflow.
- A user profile you fill in — your name, home address, duty station, home airport, your preference for where mileage trips start, and any hotel-rewards numbers you choose to save. The App may also surface a candidate home address detected from a document you've imported, for your confirmation before it is saved.
- Per-trip review notes — for example, whether you have a Non-Availability letter on file for an off-base lodging stay.
- Voucher audit reports you generate with the App's voucher-audit feature, stored locally in the App's shared container.
- Settings and preferences stored using Apple's standard on-device preferences mechanism.
These items are stored on your iPhone. They are not synced to a Southwind Digital server.
4. Information sent to our cloud service
TDY Slayer talks to a Cloudflare Worker we operate for two things: signing you in, and reading your documents.
Signing in (Sign in with Apple)
You sign in with Apple. Apple sends the App a signed token that we pass to our Worker to verify you. From this, the Worker stores a small per-user record in Cloudflare's key-value store containing:
- an opaque user identifier,
- an access token your App uses to authenticate later requests,
- the Apple "refresh token" we need in order to disconnect your sign-in if you delete your account, and
- your device's push-notification token (see below), if you enable notifications.
We do not store your name or email address. Apple lets you hide your email, and the App does not request it. Any name shown in your in-App profile is stored only on your device.
Reading documents (OCR)
When you capture, import, or share a receipt or document — or audit a past voucher — the App sends it to the Worker, which uses one or more commercial AI models (currently xAI's Grok and Anthropic's Claude) to read the document and returns the result.
What is sent:
- The receipt image or PDF you are processing (for a past-voucher audit, the voucher PDF you choose to audit).
- A small amount of trip context (such as the trip you're adding the receipt to) to help the App place the result correctly.
- The per-user access token from your Apple sign-in, used by the Worker to confirm the request came from your signed-in copy of TDY Slayer.
What is not sent:
- Your name, home address, or other profile fields, unless they happen to be printed on the document itself.
- Your location, contacts, browser history, device identifiers (other than the standard HTTPS metadata that any network request carries), or any other personal information from your phone outside of the document being processed.
How long the data is retained on our infrastructure
So that a read can finish even if you close or quit the App, each document you import is briefly stored — encrypted — in Cloudflare's object storage (R2) while it is processed. The document image itself is deleted the instant its read finishes. The extracted result and a small processing record (which trip you were adding to) are held only until your phone retrieves the result. As a backstop, an automatic rule deletes any leftover images, results, and processing records within one day.
We do not keep a copy of your document images after this. The only long-lived record on our infrastructure is the small per-user sign-in record described above — never your receipts or their contents.
Cloudflare and the AI providers each maintain their own operational logs (for example, request counts, error rates, and abuse-prevention signals). Those logs are retained according to each provider's own privacy and security policies — see Section 7 below.
The AI providers' handling of the data
The AI provider processes the document and returns a result. Each provider's privacy policy and API terms describe how it handles data submitted through its API — including retention and whether API inputs are used to improve its models. We recommend reviewing xAI's current legal terms at https://x.ai/legal and Anthropic's at https://www.anthropic.com/legal if you have questions about how they handle the data.
Cloudflare's role
Cloudflare hosts the Worker, terminates the HTTPS connection, stores the small per-user sign-in record and (briefly) the background-batch images described above, and provides standard edge-network protections (DDoS, bot management, etc.). Cloudflare's privacy policy is at https://www.cloudflare.com/privacypolicy/.
Push notifications
If you enable notifications, the App registers your device's Apple Push Notification service (APNs) token with our Worker so we can tell you when a background batch has finished processing. The token is kept in the per-user record described above and is used only to send you these operational notifications. You can turn notifications off in iOS Settings or in the App's Profile at any time.
Usage analytics
The App sends limited usage analytics to PostHog, an analytics service, so we can understand how the App is used and improve it. What is sent: which screens are viewed, which features are used (for example, "a receipt was captured from the camera" or "an export was run"), basic app-lifecycle events, and a small number of aggregate numeric summaries (for example, how many receipts were in an import, or the total dollar amount of expenses the App surfaced for you). These events are associated with the same opaque user identifier as your sign-in.
What is never sent to analytics: receipt images or document contents, merchant names, individual expense line items, dates or locations of your travel, your profile details (name, home address, duty station), or your Apple identity. We do not use session recording, and we do not use analytics for advertising or cross-app tracking. If you would like the analytics records associated with your identifier deleted, email [email protected].
Subscriptions and purchases
TDY Slayer Pro is an optional auto-renewing subscription sold through Apple's In-App Purchase system.
We never see or receive your payment details. Apple processes the payment. Your card number, billing address, and Apple Account credentials are handled entirely by Apple and are never sent to us or to anyone on our behalf.
To know whether your subscription is active — including on a second device, or after you reinstall the App — we use RevenueCat, a subscription-management service. RevenueCat receives:
- The same opaque user identifier issued when you sign in with Apple, so your subscription follows you across your devices. If you are using the App as a guest, an anonymous identifier generated on your device is used instead.
- Purchase and subscription information from Apple — which plan you bought, when, whether it is currently active, its renewal and expiration dates, and the associated App Store transaction record.
- Standard app and device information — such as the app version, iOS version, device model, and country.
RevenueCat does not receive your receipt images or document contents, your trips or expenses, your profile (name, home address, duty station), or your payment details.
RevenueCat's privacy policy is at revenuecat.com/privacy.
Refreshing government reference data
The App periodically downloads updated copies of publicly available U.S. Government reference tables (per-diem and currency rates) from our server so your estimates stay current. This request carries no sign-in and no personal information — it is a plain file download, like fetching a public web page.
5. Information you can share through Apple
If you grant the App access to the iPhone Camera or Photos library, those permissions are governed by Apple's standard iOS permission prompts. We do not see, read, or upload any photo from your library except the specific images you choose to capture or import into a trip.
If you use the App's Share Extension to send a receipt from another app (for example, Mail), the file is handed off to TDY Slayer so it shows up in your trip the next time you open the App. See Section 4 for what is sent to our cloud service.
6. Information we do not collect
TDY Slayer does not:
- Use attribution or advertising SDKs. (The App does use an analytics service — see Section 4 — but analytics never receives receipt contents, merchant names, travel locations, or profile details, and is never used for advertising.)
- Show ads or have advertising partners.
- Track you across other apps or websites.
- Collect your contact list, calendar, microphone audio, or precise GPS location.
- Sell, rent, or share personal information with data brokers.
- Send any data to the U.S. Department of Defense, the Defense Travel System, the Defense Travel Management Office, the General Services Administration, the Treasury, or any other government entity.
7. Third parties we rely on
Each third party listed below acts as our service provider for the limited purpose described. Under our agreements with them, they are permitted to use the data only to provide that service to us — not for their own purposes — and are required to protect it consistent with this policy and with Apple's requirements.
- Apple, Inc. — App distribution (App Store), on-device storage, device permissions, push notifications, and Sign in with Apple. Privacy policy: apple.com/legal/privacy.
- Cloudflare, Inc. — Hosts the OCR Worker, the small per-user sign-in record, and the brief background-batch image storage described in Section 4, and proxies images to the AI providers. Privacy policy: cloudflare.com/privacypolicy.
- xAI Corp. — Provides an AI model used to read documents. Legal terms: x.ai/legal.
- Anthropic, PBC — Provides an AI model used to read documents. Legal terms: anthropic.com/legal.
- PostHog, Inc. — Provides the usage-analytics service described in Section 4. Privacy policy: posthog.com/privacy.
- RevenueCat, Inc. — Provides the subscription-management service described in Section 4 (records whether your TDY Slayer Pro subscription is active). Privacy policy: revenuecat.com/privacy.
Publicly available U.S. Government reference data (such as per-diem and currency-rate tables) is bundled inside the App and used locally on your device. The App refreshes those tables from our own server (see Section 4); no network call is made to the government sources themselves at runtime.
8. Children
TDY Slayer is intended for adults preparing official government travel vouchers. It is not directed at children, and we do not knowingly collect information from anyone under 18. If you believe a child has provided information through the App, please contact us at [email protected] so we can advise.
9. Security
We design TDY Slayer to minimize the data that leaves your device. Concretely:
- Documents sent to the OCR service are transmitted over HTTPS (TLS).
- Sign-in is handled through Apple. We never receive or store your password; we store only an opaque identifier and the tokens needed to operate the service.
- The cloud OCR service is protected by a per-user access token issued at sign-in, and the API keys used to call the AI providers are stored in Cloudflare's encrypted secret store — not in the App.
- Document images are stored only briefly and encrypted while being read, and deleted the instant each read completes, with a one-day backstop that clears any leftover images, results, or processing records (see Section 4).
- On-device storage is sandboxed to TDY Slayer and is encrypted at rest by iOS when your device passcode is set.
No system is perfectly secure. You can reduce your own risk by keeping iOS up to date, using a strong device passcode and biometrics, and avoiding shared devices.
10. Your choices and rights
Because the App stores your trips, receipts, and profile on your device, most data-management actions are taken directly in the App or on your phone.
You can:
- Delete a receipt by opening it and using the kebab menu → Delete.
- Delete a trip to remove its receipts, photos, and metadata.
- Edit your profile (name, home address, duty station, home airport, mileage-origin preference, hotel rewards) in the Profile tab.
- Export all your data to a JSON file using the Export All Data option in the Profile tab, then share or back it up however you like.
- Delete your account using the Delete Account option in the Profile tab. This wipes your local data and asks our Worker to delete your per-user sign-in record (identifier and tokens) and disconnect your Apple sign-in.
- Cancel your subscription in your Apple Account settings (on iPhone: Settings → your name → Subscriptions), or via Manage subscription in the Profile tab. Apple handles the billing, so deleting your account or the App does not cancel a subscription — it must be cancelled through Apple.
- Delete everything locally by uninstalling the App. iOS will remove TDY Slayer's local storage along with all of your receipts, photos, trip data, and profile information. (If you only uninstall, your per-user sign-in record on our Worker is not automatically removed — use Delete Account first if you want that erased.)
Apart from the limited sign-in record described in Section 4, we do not maintain a server-side copy of your trips, receipts, or profile, so there is generally nothing else about you for us to access, correct, or port — and you can delete the sign-in record at any time via Delete Account.
State-specific rights (United States)
Depending on where you live, you may have additional rights under state law (for example, California's CCPA/CPRA, Colorado, Connecticut, Utah, Virginia, and other state privacy statutes), including the right to know, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right to non-discrimination for exercising these rights.
We do not sell personal information and we do not share personal information for cross-context behavioral advertising. If you wish to exercise a state-law privacy right, email [email protected] and describe your request. We will respond within the timeframe required by your state's law. We may need to verify your identity before acting on the request.
GDPR / UK GDPR
TDY Slayer is designed for the U.S. military DTS workflow and is not marketed to data subjects in the European Union or the United Kingdom. If you nevertheless use the App from the EU/UK, you may have additional rights under the GDPR or UK GDPR, including access, rectification, erasure, restriction, portability, and objection. Email [email protected] to make a request. Our lawful basis for the limited processing we perform (authenticating your sign-in and sending a document to the OCR service at your direction) is your consent and the performance of the service you are using.
11. International data transfers
The OCR Worker is hosted on Cloudflare's global edge network and may run in a data center near you. Cloudflare may transfer request data to the United States, where the AI providers' APIs and the analytics service are operated. If you use the App from outside the United States, you understand that your data will be processed in the United States and other jurisdictions where Cloudflare, the AI providers, and PostHog operate.
12. Operational security (OPSEC) note for service members
TDY Slayer stores location, date, and travel-pattern information about you on your phone. This data — even at rest — could be sensitive in an OPSEC context. You are responsible for following your service's and command's OPSEC guidance regarding storing travel information on a personal device.
Do not use TDY Slayer to process classified information, controlled unclassified information (CUI) that prohibits commercial cloud processing, or any document your security manager has not authorized for handling on a personal commercial device. Cloudflare and the AI providers are commercial services and are not part of any DoD authorized cloud boundary.
13. Changes to this policy
We may update this policy from time to time. Material changes will be reflected in the "Last updated" date at the top and surfaced inside the App where appropriate. Your continued use of the App after a change becomes effective constitutes acceptance of the updated policy.
14. Contact
Privacy questions or requests? Email [email protected].
Southwind Digital LLC