Circa Get early access

Legal

Privacy policy

Last updated: 2026-05-29.

Draft notice. This is a draft prepared as a starting point for legal review. It is not yet legal advice and has not been reviewed by counsel. The published version will replace this notice. If you have a specific question about your data, please email privacy@circa-app.io.

1. Who we are

Circa is operated by Circa Limited, a private company limited by shares incorporated in Hong Kong SAR. For general contact, write to hello@circa-app.io. For privacy questions, write to privacy@circa-app.io.

2. Scope

This policy applies to personal data we collect through the Circa mobile app, the Circa marketing website, and when you contact us. It does not cover what Apple, Google, or other third parties do with your data, even when you reach them through Circa.

3. What we collect

  • Account data: email address, account identifier from Sign in with Apple or Google.
  • Trip data you enter: flight number, dates, personalisation answers, generated plans.
  • Optional health data: if you connect Apple HealthKit or a wearable, the metrics you authorise (sleep, heart rate variability, steps).
  • Subscription state: managed by Apple via RevenueCat, used to grant or revoke premium features.
  • Diagnostic and usage data: crash reports, anonymised event logs we use to improve the product.
  • If you sign up to the waitlist or marketing emails on this website: your email address and any optional fields you fill in.

4. What we do with it

We use your data to generate your plan, to operate your account, to send transactional emails (account verification, password reset, payout confirmations for affiliates), and to improve the product. We do not sell your data. We do not use your data to train third-party AI models.

5. Who we share with

We share data only with the service providers we need to run Circa: Supabase (database and authentication, hosted in the region closest to you), RevenueCat (subscription management), Apple and Google (for app distribution and in-app purchases), our email provider (for marketing emails you opt into). Each is bound by data-processing terms consistent with GDPR Art. 28.

6. Your rights

You have rights to access, correct, delete, port, and (in certain jurisdictions) object to processing of your personal data. To exercise any of these rights, email privacy@circa-app.io from the email address on your Circa account. We respond within 30 days.

7. Data retention

We keep your trip data for as long as your account is active. When you delete your account, the data is removed within 30 days, except where we need to keep records for legal, accounting, or fraud-prevention reasons.

8. Security

All data is transmitted over HTTPS. Account passwords are not stored in cleartext. Production databases are encrypted at rest. We follow the security advice of the platforms we build on.

9. International transfers

We are based in Hong Kong. Our service providers operate in multiple regions. Where data is transferred outside your jurisdiction, we rely on the contractual terms of our processors (including Standard Contractual Clauses where relevant under GDPR).

10. Children

Circa is rated 17+ and is not directed at children under 13. We do not knowingly collect data from children under 13. If we learn that we have, we delete it.

11. Cookies and tracking

The marketing website uses minimal first-party analytics (Cloudflare Web Analytics, cookie-free). The app does not use third-party advertising trackers. We do not participate in cross-site advertising networks.

12. Changes

If we change this policy materially, we will tell you in-app and on this page before the change takes effect.

13. Contact

Email privacy@circa-app.io. We respond within 30 days. The full draft policy, including detailed citations for the HK PDPO, GDPR, and CCPA sections, is being prepared for legal review and will be published here once finalised.