Privacy Policy

1. Summary

TDY Slayer is built to keep your data on your device. The only time information leaves your iPhone is when the App sends a receipt or document image to the cloud so it can be read by an artificial intelligence (AI) model, and that data is not retained by us after the read completes.

In plain English:

• Your trip data and receipt images live on your iPhone. They are stored in an Apple App Group container that the App and its Share Extension share.
• There is no TDY Slayer account. You do not sign up, and we do not have a username, password, or profile for you on our servers.
• Receipt images are temporarily transmitted to xAI for processing via a secure API. Your data isn't stored anywhere other than your personal device. We do not save the images or the extracted data on our servers after the response is returned.
• We do not sell your data. We do not show ads. We do not have advertising partners.
• We do not communicate with any official government system. Nothing flows from this App to DTS, to your finance office, to your command, or to any DoD network.

The rest of this policy explains the details.

2. Who we are

TDY Slayer is published by Southwind Digital LLC ("Southwind Digital," "we," "us"). Contact: [email protected].

3. Information stored on your device

The following information is created, captured, or imported by you and stored locally on your iPhone:

• Photos and PDFs of receipts, lodging folios, orders, Non-Availability ("Non-A") letters, Government Travel Card (GTC) statements, and other travel-related documents you choose to capture or share with the App.
• Structured information extracted from those documents by OCR — for example, merchant name, amount, transaction date, currency, and other fields useful for preparing a travel voucher.
• Trip data you create — trip names, date ranges, lifecycle status (Active / Travel Complete / Submitted / Paid), and progress through the voucher-prep workflow.
• A user profile you fill in — your full name, home address, rank, and home airport code. The App may also surface a candidate home address detected from a document you've imported, for your confirmation before it is saved.
• Per-trip review notes — for example, whether you have a Non-Availability letter on file for an off-base lodging stay.
• Settings and preferences stored using Apple's standard on-device preferences mechanism.

These items are stored on your iPhone. They are not synced to a Southwind Digital server.

4. Information sent to xAI for processing

When you capture, import, or share a receipt or document, the App sends it to xAI via a secure API for AI processing. The result comes back to your phone. Receipts stay on your phone. They are temporarily transmitted to xAI for processing via a secure API. Your data isn't stored anywhere other than your personal device.

What is sent:

• The receipt image or PDF you are processing.
• A small amount of trip context (such as the trip you're adding the receipt to) to help the App place the result correctly.
• A credential stored inside the App, used by the Worker to confirm that the request came from a copy of TDY Slayer.

What is not sent:

• Your name, rank, home address, or other profile fields, unless they happen to be printed on the receipt itself.
• Your location, contacts, browser history, device identifiers (other than the standard HTTPS metadata that any network request carries), or any other personal information from your phone outside of the document being processed.

How long the data is retained on our infrastructure

Receipt images and AI responses are processed in transit by xAI and are not persisted to a Southwind Digital database after the response is returned to your phone.

xAI maintains operational logs (for example, request counts, error rates, and abuse-prevention signals). Those logs are retained according to xAI's own privacy and security policies — see Section 7 below.

xAI's handling of the data

xAI processes the document and returns a result. Under xAI's commercial API terms, customer API data is not used to train xAI's models. xAI's privacy policy describes additional protections; we recommend reviewing it at https://x.ai/legal/privacy if you have questions.

5. Information you can share through Apple

If you grant the App access to the iPhone Camera or Photos library, those permissions are governed by Apple's standard iOS permission prompts. We do not see, read, or upload any photo from your library except the specific images you choose to capture or import into a trip.

If you use the App's Share Extension to send a receipt from another app (for example, Mail), the file is handed off to TDY Slayer so it shows up in your trip the next time you open the App. See Section 4 for what is sent to xAI for processing.

6. Information we do not collect

TDY Slayer is not:

• Use third-party analytics, attribution, or advertising SDKs.
• Show ads or have advertising partners.
• Track you across other apps or websites.
• Collect your contact list, calendar, microphone audio, or precise GPS location.
• Sell, rent, or share personal information with data brokers.
• Send any data to the U.S. Department of Defense, the Defense Travel System, the Defense Travel Management Office, the General Services Administration, the Treasury, or any other government entity.

7. Third parties we rely on

• Apple, Inc. — App distribution (App Store), on-device storage, device permissions, and push notifications (if added later). Privacy policy: apple.com/legal/privacy.
• xAI Corp — Provides the AI models that process receipt images for OCR and voucher preparation via secure API. Privacy policy: x.ai/legal/privacy.

Publicly available U.S. Government reference data (such as per-diem and currency-rate tables) is bundled inside the App and used locally on your device. No network call is made to those government sources at runtime.

8. Children

TDY Slayer is intended for adults preparing official government travel vouchers. It is not directed at children, and we do not knowingly collect information from anyone under 18. If you believe a child has provided information through the App, please contact us at [email protected] so we can advise.

9. Security

We design TDY Slayer to minimize the data that leaves your device. Concretely:

• Receipt images sent to xAI for processing are transmitted over HTTPS (TLS).
• The xAI processing is protected by a credential held by the App, and any API keys are stored in secure encrypted secret stores — not in the App.
• Receipt images and AI responses are not persisted to a Southwind Digital database after the response is returned to your phone.
• On-device storage is sandboxed to TDY Slayer and is encrypted at rest by iOS when your device passcode is set.

No system is perfectly secure. You can reduce your own risk by keeping iOS up to date, using a strong device passcode and biometrics, and avoiding shared devices.

10. Your choices and rights

Because the App stores your data on your device and does not maintain a Southwind Digital account for you, most data-management actions are taken directly in the App or on your phone.

You can:

• Delete a receipt by opening it and using the kebab menu → Delete.
• Delete a trip to remove its receipts, photos, and metadata.
• Edit your profile (full name, home address, rank, home airport) in the Profile tab.
• Export all your data to a JSON file using the Export All Data option in the Profile tab, then share or back it up however you like.
• Delete everything by uninstalling the App. iOS will remove TDY Slayer's local storage along with all of your receipts, photos, trip data, and profile information.

Because we do not maintain a server-side profile, account, or copy of your data, we generally have nothing about you to access, correct, port, or delete on our side.

State-specific rights (United States)

Depending on where you live, you may have additional rights under state law (for example, California's CCPA/CPRA, Colorado, Connecticut, Utah, Virginia, and other state privacy statutes), including the right to know, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right to non-discrimination for exercising these rights.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising. If you wish to exercise a state-law privacy right, email [email protected] and describe your request. We will respond within the timeframe required by your state's law. We may need to verify your identity before acting on the request.

GDPR / UK GDPR

TDY Slayer is designed for the U.S. military DTS workflow and is not marketed to data subjects in the European Union or the United Kingdom. If you nevertheless use the App from the EU/UK, you may have additional rights under the GDPR or UK GDPR, including access, rectification, erasure, restriction, portability, and objection. Email [email protected] to make a request. Our lawful basis for the limited processing we perform (sending an image to xAI for processing at your direction) is your consent and the performance of the service you are using.

11. International data transfers

xAI may run in a data center near you. xAI may transfer request data to the United States. If you use the App from outside the United States, you understand that your data will be processed in the United States and other jurisdictions where xAI operates.

12. Operational security (OPSEC) note for service members

TDY Slayer stores location, date, and travel-pattern information about you on your phone. This data — even at rest — could be sensitive in an OPSEC context. You are responsible for following your service's and command's OPSEC guidance regarding storing travel information on a personal device.

Do not use TDY Slayer to process classified information, controlled unclassified information (CUI) that prohibits commercial cloud processing, or any document your security manager has not authorized for handling on a personal commercial device. xAI is a commercial provider and is not part of any DoD authorized cloud boundary.

13. Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the "Last updated" date at the top and surfaced inside the App where appropriate. Your continued use of the App after a change becomes effective constitutes acceptance of the updated policy.

14. Contact

Privacy questions or requests? Email [email protected].

Southwind Digital LLC