← bail.out

Privacy Policy

Last updated: May 16, 2026

Your privacy is the entire point of bail.out This policy explains exactly what we collect, what we don't, and why.

The short version

• We do not sell, share, or monetize your data. Ever.
• We don't use third-party analytics, tracking, or advertising SDKs.
• Your votes are anonymous. Not just to other users — to us too. We never read individual vote records.
• Your contacts stay on your device. We don't upload your contact list.

What we collect

iCloud identifier. When you sign in with Apple, bail.out receives an anonymous iCloud user identifier provided by Apple. We use this only to link the plans you create or are invited to. We never see your name, email, or Apple ID.

Plan content. Event names, dates, optional locations, and the phone numbers of guests you invite are stored in our Apple CloudKit database so they can sync across your devices and reach invitees.

Votes. When you cast a vote, the choice is stored as a record in CloudKit so the count can be aggregated. The app only ever queries the count. Even with raw database access, votes are not tied to displayed user identities in the UI.

Local notification preferences. If you grant notification permission, the app schedules local reminders on your device. No server-side notification data is stored.

What we don't collect

• Your name (we derive a display name from your device name locally)
• Your email or Apple ID
• Your full contacts list — only the specific phone numbers of guests you choose to invite
• Your location
• Your device identifiers (IDFA, etc.)
• Crash logs or analytics beyond what Apple provides at the OS level

Permissions we request

Contacts. Used only to populate the invite picker. The picker reads contact names and phone numbers on your device. We do not upload your contacts. Only the phone numbers of guests you actually select get sent to CloudKit so the invitees' apps can find the event.

Notifications. Used for event reminders and to alert you when a plan you're part of changes (e.g., gets cancelled).

iCloud. Required. bail.out uses Apple's CloudKit to sync plans across devices and to deliver real-time updates.

How bail votes stay anonymous

This is the core design promise of bail.out and we take it seriously:

• Bail vote records are stored in a separate CloudKit record type from guest records.
• The app only queries the aggregate count of bail votes — not individual choices.
• The event creator has the exact same view as every other guest. There is no admin mode, no "see who voted what" feature, and no way to add one without changing the app's source code.
• Auto-cancel messages are a fixed template — they never hint at vote counts or identities.

Location votes are not anonymous

When a plan uses location voting (guests vote on which venue to go to), those votes are intentionally visible. Everyone in the plan can see who voted for which location. This is by design — picking a restaurant is a preference, not a secret. Location votes are stored in CloudKit and attributed to your display name.

Data retention & deletion

You can delete any plan you created from the home screen (long-press → Delete). This permanently removes the event, guest list, and all associated votes from our CloudKit database — no action needed on our end.

For plans you were invited to but did not create, your phone number and anonymous vote count may remain in those records. To remove that data, email bail.out.app.official@gmail.com with the subject "Delete my account" and we will remove your records within 7 days.

Children

bail.out is not directed at children under 13. We don't knowingly collect data from anyone under that age.

Changes to this policy

If we make material changes, we'll update the "Last updated" date and notify users in-app on next launch.

Contact

Questions, concerns, or deletion requests: bail.out.app.official@gmail.com