Effective April 27, 2026

Privacy policy

This page explains, plainly, what Passée does and does not do with your information. It's meant to be read, not skimmed. If you have sixty seconds, the short version is in the box below.

Your shelf lives on your device, and on your iCloud, never ours. We don't collect your name, your email, your contacts, or any usage data. We don't run analytics. We don't sell or share anything. We don't require an account. The only data that leaves your device is the barcode you scan (always, anonymous) and the data sent by any AI feature you choose to enable (off by default, narrow scope, fully described below).

If that's enough for you, you can close this tab. Below, the details.


Who this policy is from

Passée (the app you're reading this for) is made by TA Studio. Sole developer, no investors, no data partners. "We," "our," and "us" on this page refer to TA Studio.

You can reach us at hello@passee.app for anything in this document or anything else.


What Passée collects

Passée does not collect personal information from you.

The app doesn't ask for your email, phone number, location, contacts, or any identifier tied to your identity. It doesn't create a user account. It doesn't phone home.

What Passée does let you save, entirely on your own device, is what you choose to save about the things on your shelves. That may include:

  • Item names, brands, categories, sizes, prices, and notes you type
  • Photos you take of products (or pick from your photo library)
  • Opened-on dates, PAO (period-after-opening) values, and expiration dates
  • A first name or nickname you optionally enter during onboarding
  • Your reminder preferences (time of day, warning window, seasonal nudges)

None of that leaves your device unless you turn on iCloud sync (see below). Even then, it goes to your iCloud account, accessed only by you.


Where your data lives

On your device. Passée stores everything locally using Apple's SwiftData framework. This is the same storage tier that holds your Notes and Reminders.

On your iCloud account, if you choose. When Apple's CloudKit sync is enabled in Passée, your shelf data syncs to the private database of your iCloud account. That's the same sync mechanism behind Apple's first-party apps. TA Studio has no read access to your iCloud private database. Only you do.

On your Apple Watch, if paired. When a reminder fires, your paired Apple Watch may display the notification mirrored from your iPhone. That mirroring is handled entirely by iOS; Passée never sends anything directly.

We do not run any servers for your shelf data. There is nowhere on our side for your shelf to "be."


What Passée does not collect

  • No analytics. We don't use Google Analytics, Firebase, Mixpanel, Amplitude, or any third-party analytics SDK. We don't know which buttons you tap, how often you open the app, or what's on your shelf.
  • No advertising. Passée is ad-free. We don't load ad SDKs.
  • No tracking across apps or websites. We don't.
  • No diagnostic uploads. Crash reports stay in Apple's TestFlight or App Store Connect pipeline (standard Apple behavior) and contain no personal data you haven't opted into sharing.
  • No location data. We don't request location permissions.
  • No contacts. We don't request contacts permissions, except when you explicitly use the Share-to-contact feature (see below). Even then, we hold a reference to the contact, not the phone number.
  • No microphone. We don't request microphone permissions.

Third-party services

Passée uses a small number of Apple-provided services, plus a few narrow third-party services. Each is described here.

Apple services (always active)

  • Apple iCloud (CloudKit). Used for device-to-device sync of your shelf when you enable iCloud. Governed by Apple's Privacy Policy. TA Studio cannot read the contents of your private iCloud database.
  • Apple Notifications (UserNotifications framework). Used to schedule and deliver reminders about items reaching passée. All scheduling happens on-device. We don't use push notifications, so no server is involved.
  • Apple Vision framework. Used on-device to read text (OCR) and remove backgrounds from product photos. Vision runs entirely on your iPhone; no photos or text leave your device through this framework.
  • Apple StoreKit 2. Used to process Passée Plus subscription purchases. Purchase status is governed by your Apple ID. TA Studio sees that you have an active subscription (to gate Plus features) but does not see your Apple ID, payment method, or billing address.

Optional third-party service: barcode lookup

Open Food Facts (openfoodfacts.org) and Open Beauty Facts (openbeautyfacts.org). When you scan a product's barcode, Passée sends only the barcode (a sequence of digits) to these public databases to look up the product name and image. They log nothing that identifies you. We don't send your name, device ID, or any other information with the lookup.

You can use Passée fully without ever scanning a barcode. If you do, only the barcode is transmitted, and only at the moment you scan.


Optional AI features (off by default)

Passée offers a small set of AI-powered features that depend on sending some information to a third-party AI processor. These features are off by default and turned on individually in Settings ▸ AI features. Each feature is independent. Turning one on does not turn the others on.

The third-party AI processor is Anthropic, makers of Claude. We chose Anthropic because their privacy posture aligns with ours: they do not train models on customer API data by default, they retain it only briefly for abuse-prevention purposes, and they publish clear documentation about what they do.

Requests to Anthropic do not go directly from your iPhone. They are forwarded by a thin Cloudflare Worker that we operate. The Worker holds our Anthropic API key as a server-side secret (so the key is never inside the iOS app) and proxies the request to Anthropic. The Worker does not store request bodies, response bodies, or any user identifier. It logs only operational metadata required by Cloudflare for delivery.

The first time you enable an AI feature, an in-app consent sheet explains what gets sent and what does not, and asks you to confirm. The sheet is per-feature: turning on photo auto-fill does not consent to receipt cost capture or AI Roast Mode. You can re-read the explainer or turn the feature off again at any time from Settings ▸ AI features.

Photo auto-fill (Plus)

When enabled, the masked product image (background already removed on-device using Apple's Vision framework, before the request leaves your iPhone) is sent so Claude can read the brand, name, product type, size, and printed PAO from the packaging and pre-fill the form for you.

What gets sent: the masked product image only.

What does not get sent: the original raw photo, your name, your other items, prices, notes, location data, device model, or any user identifier.

Receipt cost capture (Plus)

When enabled, a receipt photo is sent so Claude can identify the line item that matches the product you are adding and return the price.

What gets sent: the receipt photo only.

What does not get sent: anything else from your shelf, or any user identifier.

The receipt image is processed and discarded. It is not stored on the Cloudflare Worker, and Anthropic's policy is to not retain it beyond brief abuse-prevention windows.

Roast Mode AI personalization (Plus)

Free Roast Mode runs entirely on-device using a fixed pool of templated lines. Plus subscribers can enable AI-personalized roasts, which produce one-of-one observations specific to each item.

What gets sent for AI roasts: the item context (name, brand, category, opened date, expiration date, percent remaining, cost-per-use), one item per request.

What does not get sent: your name, a user identifier, or any other items from your shelf.

If you don't enable AI roasts, Roast Mode runs entirely on your device. The templated pool never leaves the app.

What never gets sent under any AI feature

  • The original raw photo (only the masked product image, when photo auto-fill is enabled and used)
  • Your onboarding name
  • A user identifier of any kind
  • Aggregate data about your other items (one item per request)
  • Location data, device model, or other metadata. The Cloudflare Worker receives the request IP for rate limiting; it is not forwarded to Anthropic.

Sharing reminders with people you choose

Passée's Share-to-contact feature (Plus) lets you nudge a partner or caregiver about an item. When you tap "Send a reminder," Passée opens the iOS Messages compose sheet with a draft message. You always tap Send yourself. Passée does not send messages on your behalf.

The contacts you configure for this feature are stored as iOS Contacts framework references. Passée holds the reference, not the phone number. If you delete a contact in iOS Contacts, the Passée reference becomes invalid and the contact is removed from your share list automatically.


Children

Passée is not directed at children under 13. We don't knowingly collect information from children under 13 because we don't knowingly collect information from anyone. If you believe a child has used Passée and you'd like their device's local data deleted, the data deletes itself when the app is uninstalled. There is no server-side record to remove.


Your rights

Because we don't collect personal data, most data-protection rights (GDPR access, rectification, erasure, portability; CCPA right to know, delete, opt-out of sale) are satisfied by the architecture of the app itself:

  • Access. Your shelf is on your device. Open the app, there it is. There's no second copy anywhere.
  • Rectification. Edit anything in the app at any time.
  • Erasure. Two paths: Settings ▸ Clear all items deletes every item; uninstalling the app deletes the entire local store. If iCloud sync was enabled, the deletion propagates to your iCloud copy through standard SwiftData and CloudKit behavior.
  • Portability. Settings ▸ Export as CSV (available to Passée Plus subscribers) exports your entire shelf to a CSV file you can open in any spreadsheet.
  • Opt-out of sale. We don't sell data because we don't have data to sell.

If you're in the European Economic Area, United Kingdom, or Switzerland and you believe your rights under applicable data protection law (GDPR, UK GDPR) aren't met by the above, email hello@passee.app and we'll make it right.

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). To exercise those rights, email hello@passee.app. Because we don't collect personal information, most CCPA requests are answered by the structure of the app.


Security

Data stored on your device is protected by iOS's native encryption (your device passcode and Apple's Secure Enclave). Data synced to iCloud travels encrypted in transit and is stored encrypted in your iCloud account. We don't manage any of this ourselves. We rely on Apple's platform protections.


Changes to this policy

If this policy changes, the new version will be posted at passee.app/privacy with an updated "Effective" date at the top. Material changes (new data collection, new third-party services) will be flagged in the app itself via an editorial notice on the next launch.


Questions

Email hello@passee.app and a human will reply, usually within a day or two.

Last updated April 27, 2026. Passée · passee.app