Terndays
← Back to Terndays

Privacy, in detail

How Terndays stays private

This is the deeper version of what the summary on the homepage promises — every claim traced to how it actually works, so you can decide for yourself, not just take our word for it.

The short version

Your country is worked out on your phone, from a coarse location or a photo's metadata.

The exact coordinates are discarded right after — there's no column in the database to store them in.

The free app makes zero network calls. No account, no server, nothing to send anywhere.

The free app never requires an account — not to start, not to keep using it. Forever.

How the free app works

Once a day, the app checks where you are against a bundled map of country borders — the same lookup a paper atlas gives you, done automatically, entirely on your phone. That check runs when you open the app, or, if you turn on the optional background check in Settings, briefly during the day even while the app is closed — still once a day at most, never a trail. What it keeps is a whole day: one entry per country per date, so a day you cross a border counts for both sides. There's no minute-by-minute trail, on this device or anywhere else.

There's no server anywhere in this flow. The free app doesn't skip contacting one for privacy's sake — it simply has no reason to, so it never does.

Don't take our word for it. Turn on airplane mode — Terndays keeps working, map and photo scan included, because everything runs on your phone. Or on iOS, turn on Settings → Privacy & Security → App Privacy Report and use the free app for a day: it will show no contacted domains, because the free app makes zero network calls.

How sync will encrypt (Pro)

Sync is arriving with Pro, and it's being built encrypted from the first line, not fitted with encryption afterward.

Before anything leaves your phone, it will be sealed with libsodium — the same open-source encryption library used by end-to-end-encrypted photo and notes apps like Ente and Standard Notes — using a random key that only gets wrapped by your password (via Argon2id, the function that turns a password into a key), rather than derived from it. That distinction matters: changing your password later never means re-encrypting your history, because the password only ever wraps the same underlying key. What will reach our servers is that sealed envelope, plus the minimal routing metadata needed to sync it to your other devices — never the plain travel data inside it.

There will be two ways to hold that key, and we'd rather describe both plainly than pick the flattering one.

Standard

We'll hold a recovery key alongside yours, escrowed so a forgotten password doesn't cost you your history. That makes opening your data technically possible on our end — restricted by policy to account recovery and, if you ever connect an AI agent, the one opt-in case described under agent access below — not something that happens as a matter of course, and something we'll show you plainly before you ever turn sync on.

Private Vault

You'll hold the only key. This is zero-knowledge in the literal sense: we won't be able to decrypt your data — mathematically, not by policy. The tradeoff is real and disclosed up front: lose your password and your recovery key both, and the data is gone, with no way back — which is why setting it up will mean confirming you've saved that key before anything syncs.

Alerts and the migration news center (Pro)

Two more things are arriving with Pro. Both are designed; neither is live yet.

Threshold alerts will run as local notifications, worked out on your phone from the same counters you already see — no server, no push credentials, nothing to phone home to. They fire when you open the app and are scheduled ahead for the days you're not looking.

The migration news center will be a curated feed of visa and residency news, written by us, that you can narrow to the countries and keywords you're watching. Which countries and keywords you choose lives on your phone — matching happens there, never on our servers, because that list can say something sensitive about you. If it ever syncs to your other devices, it travels only inside the same sealed envelope as everything else. We'll send down the feed itself, not your interest in it.

How agent access stays inside this

If you connect an AI agent — Claude, ChatGPT, or another assistant — to ask it things like "how many Schengen days do I have left", that access will run on the same rules above, not around them. The design is decided; it arrives with the rest of the paid plan.

Your agent will never hold your encryption key. It will get a permission instead — something you grant, see plainly before your first connection, and revoke with one tap.

Cloud agents (claude.ai, ChatGPT) will be answered from a small summary your phone prepares ahead of time — counter states and rule results, like "23 Schengen days remaining, as of Jul 6" — never your day-by-day history, never coordinates. On Standard custody, our server will open that summary to answer your agent's question, with your explicit consent given before the first key exists. It's the same honesty as sync above: technically possible, policy-restricted, and disclosed exactly when and why.

On Private Vault, agent access will work a different way: a small app on your own computer will hold your key locally and answer agents running on that machine — Claude Desktop and its peers — directly. Cloud agents like claude.ai won't have a Vault path at all, because serving one would mean your key or your data passing through our servers — the two things Vault exists to prevent. Nothing in that flow touches our servers, and they never hold a key that could open it.

Either way, one thing won't change: no agent will ever get your day-by-day history through our servers — no scope, no setting, no future version of this. If an agent needs that depth, it happens only through the app on your own computer. Permanently.

What we never do

No ads. No data sale. No third-party trackers. Location analytics don't exist on any plan, free or Pro — there are no coordinates to analyze, only a country and a date, and any aggregate stats we ever compute will be opt-in, anonymous, and worked out on your phone, not ours.

And the pledge we're making in writing: we will never sell or adapt Terndays for use by immigration or tax authorities.

API access, sync, and the desktop app above are part of the paid plan, arriving after the free app. None of it is needed for privacy today — the free app is already fully private, on its own, because it simply never talks to a server.