Sojourn Privacy Policy

Last updated: 1 June 2026

This Privacy Policy explains how the Sojourn app (distributed on the App Store as "Sojourn Atlas") handles information. Sojourn is a tax-residency and travel-day tracker for people whose lives span multiple borders.

The short version: your travel data lives in your own iCloud and on your device. We do not run a database of your personal information. We have no accounts and no login. The data that reaches our own infrastructure is anonymous, opt-out usage analytics that cannot identify you, the bare minimum needed to look up a public flight schedule (a flight number, or a route and date, never your identity), and, only if you choose to send feedback, the message and optional email you include.

This policy is written to be honest and specific to how Sojourn is actually built. Where it refers to "we," "us," or "Sojourn," it means Sacha Allard, the operator of the Sojourn app.

1. Who this applies to

This policy applies to everyone who uses Sojourn, anywhere in the world. Because Sojourn is built for people who track tax residency, many of our users are in the European Union and the United Kingdom. We have written this policy to align with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA). Your rights under those laws are described in Section 12.

2. What data we do, and do not, collect

We want to be precise, because "we collect almost nothing" is core to how Sojourn is designed.

We do NOT collect or store on our own servers:

Your trips, stays, or travel history
Your location or location history
Your trackers, residency calculations, or day-counts
Your passports, citizenships, or any document scans
Your boarding passes or flight records
Your name, account, or any login (Sojourn has no accounts). The one exception is the optional email you can type into the feedback form, and only if you choose to (see Section 6).
Your payment details (Apple handles all payments; see Section 9)

The data that reaches our infrastructure:

Anonymous usage analytics, if you leave analytics on. These cannot identify you. See Section 5.
Feedback you choose to send, if you use the in-app feedback form. This contains your message and an optional email. See Section 6.
Flight lookup requests, when you choose to look one up. These contain only a flight number, or a route and a date. They never contain anything that identifies you. See Section 7.

Everything else stays on your device and in your personal iCloud account, which only you control.

3. Where your data lives

Sojourn is built on a simple principle: your data is yours, and it stays with you.

On your device. Sojourn stores your travel log, stays, trackers, passports, boarding passes, and flight records on your iPhone using Apple's on-device database (SwiftData).
In your own iCloud. When iCloud sync is enabled, this data syncs through your personal iCloud account (Apple's CloudKit Private Database). This is the same private iCloud that backs up your other Apple data. It is encrypted in transit and at rest by Apple, it is tied to your Apple ID, and we cannot see it. We do not have, and never receive, a copy.
Never on a Sojourn server. We do not operate any database that holds your trips, locations, trackers, passports, or other personal information. There is no Sojourn account to create, and no Sojourn server that stores your travel data. Full stop.

This is a deliberate architectural choice, not just a promise. Sojourn has no place to put your personal data even if we wanted to.

4. Location

Sojourn can sense your location on your device to help count the days you spend in each country, which is the heart of tax-residency tracking.

Location sensing happens entirely on your device. Sojourn uses Apple's CoreLocation to detect when you cross a border and resolves which country you are in locally.
The resulting travel days are stored only on your device and in your own iCloud, exactly like the rest of your travel log (Section 3).
Your location is never sent to Sojourn's servers. We do not receive it, log it, or store it. We have no map of where you have been.
Location access is requested through the standard iOS permission prompt, and you can change or revoke it at any time in the iOS Settings app. Sojourn also supports adding and editing trips manually, so you can use it with location turned off.

5. Analytics (anonymous, opt-out, and how to turn it off)

To understand which features are useful and prioritize improvements, Sojourn collects a small amount of anonymous usage analytics. This is designed from the ground up so that it cannot identify you.

What it is:

Anonymous. Analytics events are not linked to your identity, your Apple ID, an account, your location, or any cross-app tracking. We do not build a profile of you and we do not track you across other apps or websites.
An allow-list of events only. Sojourn can only send a fixed, pre-approved list of simple event names (for example, a record that a screen was opened). Anything not on that allow-list is rejected and dropped. Event details may only contain simple values (text, numbers, true/false), never structured personal data.
A rotating, opaque device id. Each device uses an opaque token, not a user identifier, and it rotates roughly every month. It cannot be used to identify you or to follow you over time.
We do not store your IP. Our analytics database never receives your IP address, and our Cloudflare gateway does not attach it to the events it forwards. As with any internet service, Cloudflare may briefly retain your IP in its own platform request logs (outside our analytics store) before discarding it.

Your control:

Analytics are opt-out. They are on by default, and you can turn them off at any time in the app under Settings. When you turn them off, Sojourn stops sending analytics.

Where analytics flow (and what each step does):

1. The Sojourn app on your device batches anonymous events.

2. They are sent to our Cloudflare Worker gateway, which validates them against the allow-list, drops your IP address, and ensures no personal data is attached.

3. The sanitized, anonymous batch is forwarded to our analytics service hosted on Railway (a managed Postgres database).

4. We view aggregate trends in Grafana, a dashboard tool.

Because this data is anonymous and IP-stripped before storage, it does not identify you. This analytics database is entirely separate from your travel data, which (as Section 3 explains) never reaches us at all.

6. Feedback you choose to send

Sojourn has an optional in-app feedback form (Settings → Help & feedback → Send feedback). This is the one place where you can deliberately send us a message, and it is entirely your choice.

What it collects. A free-text message that you write, and (only if you fill it in) an optional email address so we can reply. The form also records a simple sentiment and a kind tag (bug, idea, praise, or other), plus the rotating, opaque device id described in Section 5.
It is optional. If you never open the feedback form, none of this is collected. The email field can be left blank, in which case we receive no email.
Where it goes. Your feedback is sent to our own infrastructure: the Cloudflare gateway (which drops your IP address) forwards it to our service hosted on Railway (a managed Postgres database), where we read it.
It is not linked to an account. Sojourn has no accounts, so your feedback and any email you include are not tied to a user profile or to your travel data. We use the email only to reply to you, never for marketing.
Deleting your feedback. If you want a feedback submission deleted, email us (Section 15) and we will remove it. Because there is no account, please include enough detail (for example, the email you used or the approximate date) so we can find the right message.

7. Flight lookups, calendar, and photos

Sojourn offers a few optional, opt-in features that read flight or trip information. None of them upload your personal data to us.

Flight schedule lookups. When you choose to look up a flight, Sojourn can query a public flight-schedule provider (AeroDataBox) through our Cloudflare edge proxy. The request contains only a flight number, or a route (from and to) and a date. It never contains your name, device id, or anything that identifies you. The proxy holds the provider key so it never has to live on your device, and it forwards only that route or flight-number information.

Boarding passes. You can add a boarding pass by scanning its barcode, pasting an itinerary, or importing a PDF or photo. This all happens on your device. The resulting boarding pass is stored only on your device and in your own iCloud, like the rest of your data. It is not uploaded to us.

Calendar (optional, opt-in). If you choose to, Sojourn can read your calendar to find flight-shaped events and help fill in your travel log. This happens only after you explicitly tap to connect your calendar. Sojourn never requests calendar access automatically. The information stays on your device, and nothing is uploaded to us.

Photos (optional, opt-in). If you choose to, Sojourn can read the location and date stamps from your photos to help reconstruct past trips. This happens on your device, only with your explicit permission. Photo data is read locally to build your travel log, and nothing is uploaded to us.

You can grant or revoke calendar and photo access at any time in the iOS Settings app.

8. What we deliver from our servers

Our infrastructure exists to send you data, not to collect it.

Sojourn downloads rule packs (the day-cap parameters and display text for residency rules, such as the Schengen 90/180 window) and visa data from a Cloudflare Workers edge proxy.
This proxy is a one-way street for your privacy: it serves rule packs and visa data, acts as the privacy gateway for analytics (Section 5) and for feedback (Section 6), and proxies flight lookups (Section 7). It holds zero user personal information.

9. Subscriptions and Apple

Sojourn is free for your first 7 days. After that, Sojourn offers an optional Pro subscription.

Subscriptions are auto-renewable and sold through Apple using StoreKit. Pro is offered at the prices shown in the app (for example, a monthly plan and a discounted annual plan with a free trial on the annual plan).
All payment processing is handled by Apple. Sojourn never sees or stores your payment card, billing address, or any payment details. Apple processes the transaction under Apple's own privacy policy.
Sojourn verifies your subscription status on your device using Apple's StoreKit, which provides a signed, verifiable record. We do not run a server that receives or validates your purchases, so your purchase data does not reach Sojourn's infrastructure.
For information about how Apple handles your purchase and payment data, see Apple's Privacy Policy at https://www.apple.com/legal/privacy/.

10. Third parties and what each receives

Sojourn relies on a small number of service providers. Here is exactly what each one can see.

| Provider | Role | What it receives |

|---|---|---|

| Apple (iCloud / CloudKit) | Stores your travel data in your own private iCloud; syncs across your devices. | Your travel data, in your personal iCloud account. We cannot access it. Apple encrypts it in transit and at rest. |

| Apple (App Store / StoreKit) | Sells and processes the Pro subscription. | Your payment and billing details, under Apple's privacy policy. We do not receive them. |

| Cloudflare | Edge proxy that serves rule packs and visa data, gateways analytics (dropping your IP), and proxies flight lookups. | Network traffic for those requests. It drops IP addresses for analytics before storage. It holds no user personal information. |

| Railway | Hosts the analytics database (managed Postgres) and dashboards, and stores feedback you choose to send. | Anonymous, allow-listed analytics events (no IP), plus any message and the optional email you include if you submit feedback. |

| AeroDataBox | Public flight-schedule data provider for flight lookups. | Only a flight number, or a route and date. Never your identity. |

We do not sell your personal information to anyone. We do not share your personal information with advertisers or data brokers. We do not use third-party advertising or analytics SDKs.

11. Data retention and deletion

Because your travel data lives in your own iCloud and on your device, you are in control of it.

Delete the app and your data. To remove your data from your device, delete the Sojourn app. To remove the iCloud copy, delete Sojourn's data in your iCloud through the iOS Settings app (Apple ID, iCloud, Manage Storage), or by managing app data in iCloud. Because we never hold a copy, there is nothing for us to delete on your behalf, and nothing of yours survives on a Sojourn server.
Analytics retention. Anonymous analytics events are retained only as long as needed to understand product usage trends, and they cannot be tied back to you. Because they are anonymous, there is no way to single out and delete "your" analytics, since none of it identifies you.
Feedback retention and deletion. If you sent feedback (Section 6), the message and any optional email you included are kept only as long as needed to act on it. You can ask us to delete a feedback submission at any time by emailing us (Section 16); include enough detail for us to find it, since there is no account to look it up under.
Subscriptions. Your subscription record is managed by Apple. You can view or cancel it in the App Store (see Section 11 of the Terms of Service for how).

12. Your rights

If you are in the EU or UK (GDPR / UK GDPR). You have the right to access, correct, delete, restrict, and port your personal data, and to object to processing. For the personal data Sojourn handles, these rights are mostly exercised directly by you, because the data lives in your own iCloud and on your device, which you fully control. You can access, correct, export, or delete your travel data inside the app and through iCloud at any time.

Lawful basis. For the small amount of data we do process: anonymous analytics rely on our legitimate interest in improving the app, balanced against your privacy and made controllable by an in-app opt-out. Feedback you send (the message and any optional email) is processed on the basis of your consent, since you choose to submit it, and you can ask us to delete it at any time. The processing required to deliver the app's features (such as serving rule packs, or making a flight lookup you requested) is necessary to perform the service you asked for.
Data minimization. We process the minimum data needed. We do not collect personal data we do not need, and our architecture is built so that your personal travel data never reaches us.
No selling of data. We do not sell your personal data, and we do not use it for advertising.
Complaints. You have the right to lodge a complaint with your local data protection authority.

If you are in California (CCPA). You have the right to know what personal information is collected, to delete it, and to opt out of its sale. We do not sell your personal information. The personal information that could be associated with you (your travel data) is not collected by us at all; it stays in your iCloud and on your device.

To make any request or ask a question about your rights, contact us using the details in Section 16.

13. Children

Sojourn is not directed at children and is not intended for use by anyone under the age required by their local law to consent to data processing (for example, 16 in parts of the EU, or 13 in the United States). We do not knowingly collect personal information from children. If you believe a child has used Sojourn in a way that concerns you, please contact us.

14. Security

Your travel data is protected by Apple's device encryption and by iCloud's encryption in transit and at rest, tied to your Apple ID.
The data that reaches our infrastructure is anonymous (analytics) or carries no identity (flight lookups), and is transmitted over encrypted (HTTPS) connections.
Because we do not hold your personal data, there is no central store of your travel history for an attacker to target on our side.
No method of transmission or storage is ever completely secure, but Sojourn's design minimizes risk by keeping your personal data out of our hands entirely.

15. Changes to this policy

We may update this policy as Sojourn evolves. When we make a material change, we will update the "Last updated" date at the top and, where appropriate, note the change in the app. Continued use of Sojourn after an update means you accept the revised policy.

16. Contact

If you have questions about this Privacy Policy or your data, contact us:

Email: sacha.dev.app@gmail.com
Operator: Sacha Allard

*Sojourn counts your days. Not tax or legal advice. Verify with a professional.*