Privacy Policy

The short version.

We don't sell your data. We barely collect it. Where we have to ask for something — your email, your study progress, your logbook entries — it's because the app needs it to work for you.

Effective: 2026-04-26 · Applies to confirmdev.com and every ConfirmDev mobile app

1. Who this covers

ConfirmDev (a small independent studio of four) operates this site and the following apps:

  • Altimeter — pilot logbook and currency tracker
  • Civics Master — US naturalization (USCIS) civics test prep
  • A320 Study App, and forthcoming type-rating prep apps for the Boeing 737, the Bombardier CRJ 200/700/900, and the Cessna 208 Caravan A/B/EX

Each app may have a brief in-app addendum if it processes data differently from the defaults below; the addendum will always be linked from this policy.

2. What we collect, and why

Account data. Email address, a hashed password, and optionally a display name — only if you create an account. Used to sign you in and sync your progress between devices.

Study progress & app content. The questions you've answered, your scheduled review times, decks you've created, notes, flagged items. Stored end-to-end-encrypted on our servers so the app can pick up where you left off on another device. Used only to deliver the app to you.

Logbook data (Altimeter only). Flight entries, currency events, certificates, endorsements. Treated as confidential pilot records. Encrypted at rest and in transit. Never shared, never used for model training.

Diagnostic data. Crash logs and anonymous performance metrics. Tied to a randomly generated install ID, never to your account. Used only to find and fix bugs. You can opt out in app Settings.

Purchase data. When you buy a subscription or one-time purchase, the App Store or Google Play handles the transaction. We receive a transaction receipt (no card details) so we can unlock paid features for your account.

Contact form / support email. Name, email, and message you send us. Used only to reply to you. Deleted when the conversation closes.

3. App Store / Google Play data disclosure (summary)

For Apple's App Privacy "nutrition labels" and Google Play's Data Safety form:

  • Data linked to you: email, optional name, study progress, purchase receipts.
  • Data not linked to you: crash logs, anonymous performance metrics.
  • Data used to track you across other companies' apps or websites: none.
  • Data sold to third parties: none.
  • Encryption in transit: yes (TLS 1.2+).
  • Encryption at rest: yes (AES-256).
  • User can request data deletion: yes — see Section 8.

4. What we never do

  • We don't sell, share, or rent your personal information.
  • We don't run ad networks or behavioral tracking. There is no advertising in our apps.
  • We don't train AI models on your study data, your logbook, or anything else you put into our apps.
  • We don't fingerprint your device.
  • We don't cross-correlate your data with data from other apps or services.

5. Service providers we use

We use a short list of vendors. Each is contractually bound to handle your data only for the purpose listed.

  • Self-hosted Supabase on our own infrastructure — auth, database, encrypted storage.
  • Apple App Store / Google Play — purchase processing and app distribution. Their privacy policies apply to the transaction.
  • Apple Push / Firebase Cloud Messaging — only if you opt in to study reminders. The push token is the only identifier sent.
  • Resend (transactional email) — sign-up confirmation, password reset, contact replies. No marketing email.

No analytics SDK (no Firebase Analytics, no Google Analytics, no Mixpanel, no Amplitude, no Segment).

6. Children's privacy

Our apps are not directed to children under 13 (or the equivalent minimum age in your country). We don't knowingly collect personal information from children under 13. If you believe a child has provided us information, email privacy@confirmdev.com and we'll delete it.

Civics Master is rated for adult learners; aviation training apps are intended for adult flight students and pilots.

7. Cookies and similar technologies

On the website: a single first-party session cookie set only after you sign in to the admin panel. HttpOnly, SameSite=Lax, expires on sign-out. No analytics, marketing, or consent-banner cookies.

In the apps: standard auth tokens and a randomly generated install ID for crash diagnostics. No advertising IDs. We don't use Apple's IDFA or Google's Advertising ID.

8. Your rights (including deletion)

No matter where you live, you can:

  • Access a copy of the data we hold on you.
  • Correct anything that's wrong.
  • Delete your account and all associated data. In-app: Settings → Account → Delete account. From the web: confirmdev.com/delete-account. By email: privacy@confirmdev.com. We complete deletion within 30 days.
  • Export your data as JSON, including logbook entries and study decks.
  • Opt out of crash diagnostics in app Settings.
  • Withdraw consent at any time without affecting prior processing.

If you're in the EEA / UK (GDPR): our legal bases are contract (to deliver the app you asked for), legitimate interest (security, debugging), and consent (push notifications, crash diagnostics). You can complain to your local data protection authority. ConfirmDev is the data controller; privacy@confirmdev.com is the contact.

If you're in California (CCPA/CPRA): we do not "sell" or "share" your personal information as those terms are defined under California law. You have the rights listed above plus the right to non-discrimination for exercising them.

9. Data retention

  • Account & study data: as long as your account is active. Deleted within 30 days of account deletion.
  • Logbook data (Altimeter): kept until you delete it; exportable any time.
  • Crash logs & performance metrics: 90 days, then purged.
  • Server access logs (IP-hashed): 30 days, used only to spot abuse.
  • Contact form messages: kept while we resolve your issue, then deleted.

10. Where your data lives

Our servers are hosted in North America. If you use the apps from outside North America, your data will be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses for the transfer.

11. Security

TLS 1.2+ in transit, AES-256 at rest, hashed passwords (bcrypt or argon2), least-privilege DB roles, encrypted backups, and an audited admin panel. No system is perfectly secure — if we discover a breach affecting your data, we'll notify you within 72 hours and tell you what we know.

12. Changes to this policy

When we make a material change, we'll bump the "Effective" date above and email signed-in users. Continued use after the date is acceptance of the updated policy.

13. Contact

Privacy questions: privacy@confirmdev.com.
Anything else: hello@confirmdev.com. Replies within two business days.

Last updated · 2026-04-26
Looking for our terms of use? See confirmdev.com/terms.