Bustro / Privacy Policy

Privacy Policy

Updated13 May 2026 Effective13 May 2026 Singapore · PDPA

Plain summary: Bustro is a free, ad-free public-transit app for Singapore. We use your location on your device to show nearby bus stops; we do not send it to our servers. We generate a random device ID (not linked to your name or Apple ID) so that, if you choose to post in the Commute Feed or subscribe to traffic alerts, we can route notifications and let you delete your own posts. We use Firebase for crash reports, app-usage analytics, push delivery, and storing Commute Feed posts. We do not show ads, sell data, or track you across other apps.

This Privacy Policy explains what data Bustro collects, why we collect it, where it goes, how long we keep it, and the rights you have. It applies to the Bustro iOS application, the Bustro Home/Lock Screen widget, and any related online services we provide (collectively, the "App"). The App is operated by the Bustro team ("we", "us", "our"), based in Singapore.

This Policy is read together with the Bustro Terms & Conditions.

Bustro is a Singapore-only utility — bus stops, bus services, weather data, and traffic alerts are all Singapore-specific, and the App is operated and hosted with Singapore users in mind. We make our best effort to handle data in line with the Singapore Personal Data Protection Act 2012 (PDPA) and Apple's App Store privacy requirements.

§ 1

Information we collect

1.1Location

WhatYour device's coarse and precise location, while the App or its widget is in use.
WhyTo show bus stops near you, calculate walking distances, and select the closest favourite stop for the Home/Lock Screen widget.
WhenOnly when you have the App open or the widget on screen, and only if you grant the When In Use permission. Background location is disabled.
StorageOn your device only. We never transmit your location to our servers, to Singapore LTA, to data.gov.sg, to Apple, or to any other third party.
ControliOS Settings → Privacy & Security → Location Services → Bustro. The App remains functional without location, with reduced features.

1.2Device identifier

WhatA randomly-generated UUID created on your device the first time you open the App.
WhyTo attribute Commute Feed posts and reactions you submit, to route push notifications to your device, and to let you edit or delete your own Commute Feed submissions.
Linked to your identity?No. The UUID is not linked to your name, email, Apple ID, phone number, or any other identifying information. Under Singapore's PDPA it is treated as pseudonymous personal data.
StorageLocally in app preferences (UserDefaults), and on Google's Firebase Firestore servers when accompanying a Commute Feed submission, reaction, or push-notification subscription.
ResetReinstalling the App generates a new UUID and disconnects you from prior submissions. A future App update will add an in-app Reset Device Identity control.

1.3App preferences and favourites

WhatYour favourite bus stops, custom labels, custom colours and icons, sort order, and pinned services.
WhyTo personalise the App and the widget.
StorageLocally on your device, and synced via Apple iCloud / CloudKit to your other Apple devices if you have iCloud enabled. CloudKit data is encrypted by Apple and is never visible to us. The CloudKit container holds only favourites and pinned services — no Commute Feed content, no analytics, no usage history.
ControliOS Settings → [your name] → iCloud → Bustro.

1.4Commute Feed posts (user-generated content)

WhatThe text of any message you post in the Commute Feed, any URL you include, any reaction you tap, your device identifier (§1.2), a server-side timestamp, and the language detected on-device.
WhyTo display your message to other users after admin review and approval, and to let you edit or delete it.
StorageGoogle Firebase Firestore. Messages enter a pending state and are reviewed by a member of the Bustro team before becoming visible to anyone else.
RetentionUser-submitted messages are deleted automatically 7 days after submission. Reactions are deleted with the message. Official advisories from the Bustro team and automated LTA service alerts are retained indefinitely.
VisibilityAfter admin approval, your message is visible to all users of the App. Do not include personal information you would not want to be public.
On-device checks before uploadLength limits, rate limiting, transport-topic keyword check, and language detection (Apple's on-device NLLanguageRecognizer) all run on your device — drafts that fail these checks are never uploaded.
Link previewsIf your message contains a URL, your device fetches a preview using Apple's LinkPresentation framework. This contacts the URL's origin server directly from your device — that server may log your IP address. We do not see or store the contents of those preview requests.
RemovalDelete your own messages from within the App, or email hi@bustro.app referencing the device on which you submitted.

1.5Push-notification token and subscriptions

WhatYour Apple Push Notification (APNs) device token, the Firebase Cloud Messaging (FCM) token derived from it, and the list of traffic-incident categories you have subscribed to (e.g. accident, road closure, weather disruption).
WhyTo deliver the traffic alerts and Commute Feed notifications you have opted in to.
StorageIn Firebase Firestore, keyed to your device identifier.
ControliOS Settings → Notifications → Bustro to revoke permission entirely. In-app subscription preferences to change which categories you receive. Uninstalling the App removes your token from active rotation.

1.6Crash and error reports

WhatStack traces, error messages, the iOS version, device model, App version, and the Firebase App Instance ID. We do not set a custom user ID in Crashlytics.
WhyTo identify and fix bugs and crashes.
ServiceFirebase Crashlytics (Google LLC).

1.7Usage analytics

WhatPseudonymous, event-level data: which screens you open (e.g. weather, traffic dashboard, favourites), interaction events such as community-message-submitted (with the detected language only — never the message content), reaction-tapped (with the reaction type only), App Store rating prompt shown, and engagement events. The Firebase App Instance ID and Apple's IDFV are automatically collected by the Firebase SDK.
WhyTo understand which features are used and where the App needs improvement.
What is not collectedYour name, email, phone, location, search queries, message content, or stop codes you view.
ServiceFirebase Analytics (Google LLC).
Retention14 months (the maximum we configure in the Firebase console).

1.8What we do not collect

  • Your name, email address, phone number, photos, contacts, microphone, camera, or health data.
  • Your location while the App and widget are not in use.
  • Your search queries — these are processed locally on your device against bus-stop and bus-service data already on the device.
  • Browsing or usage data from other apps. We do not use the App Tracking Transparency (ATT) tracking permission.
  • Any payment information — Bustro is free and contains no in-app purchases or advertising.

We do not send marketing or commercial electronic messages. Push notifications carry only the operational alerts and Commute Feed updates you have opted in to, and Bustro does not engage in any activity subject to the Spam Control Act 2007.

§ 2

On-device intelligence (Foundation Models)

Bustro uses Apple's on-device Foundation Models (iOS 26+) to generate the short transit-mood headline shown above the bus-stop list. Generation runs entirely on your device. Weather context used to seed the prompt is never sent to Apple, to us, or to any third party. If on-device generation fails for any reason, a deterministic scripted fallback runs locally instead.

§ 3

How we use your information

We use the data described in §1 only to:

  • Show bus stops near you, calculate walking distances, and power the widget;
  • Save your favourites and sync them across your Apple devices via iCloud;
  • Display, moderate, edit, and delete Commute Feed content you submit;
  • Deliver traffic-alert and Commute Feed notification pushes you have opted in to;
  • Generate crash reports and usage analytics to fix bugs and improve features;
  • Decide which version of the App to recommend (Firebase Remote Config gates an in-app "update available" prompt — it does not personalise content);
  • Comply with applicable law and respond to lawful requests from authorities.

We take reasonable steps to keep the personal data we hold about you accurate and complete (PDPA §23), and you may request correction of any inaccurate data at any time (§6).

§ 4

Third parties and cross-border transfers

We use the following third-party services. Each has its own privacy practices.

ServiceOperatorData sharedPurposeRegion
Firebase AnalyticsGoogle LLCApp Instance ID, event names, device model, OS versionUsage analyticsUS / EU
Firebase CrashlyticsGoogle LLCApp Instance ID, crash logs, device model, OS versionDiagnosticsUS / EU
Firebase Cloud MessagingGoogle LLCAPNs token, FCM token, device identifier, subscription listPush deliveryUS / EU
Firebase FirestoreGoogle LLCCommute Feed post text, URLs, reactions, device identifier, FCM token, subscriptionsUGC storage and push routingUS / EU
Firebase Remote ConfigGoogle LLCApp version, App Instance IDGate in-app "update available" promptUS / EU
Apple Push Notification serviceApple Inc.Device push tokenPush deliveryApple infrastructure
Apple iCloud / CloudKitApple Inc.Favourites and pinned servicesSync across your Apple devicesApple infrastructure
Apple LinkPresentationApple Inc. (your device contacts the linked site)URL, your IPRender link previews in Commute Feed postsDirect from your device to the linked site
Singapore LTA DataMallLand Transport Authority of SingaporeOnly an API key (no user data)Real-time bus arrivals, stops, services, routesSingapore
BusRouter SGdata.busrouter.sgOnly an API key (no user data)Bus route geometrySingapore
Singapore Government data.gov.sgGovernment Technology Agency of SingaporeOnly an API key (no user data)Weather, rainfall, lightning, air quality, temperature — fetched in bulk for all of Singapore; the relevant zone for your location is selected on your deviceSingapore
Apple Maps / Google MapsApple Inc. / Google LLCStop coordinates when you tap "Get Directions"External directionsPer provider

Cross-border data transfers (PDPA §26). Data sent to Firebase services is processed by Google LLC on infrastructure that may be in the United States or European Union. Google's data-protection terms (https://firebase.google.com/support/privacy) bind Google to provide a standard of protection comparable to what the PDPA requires; we rely on those terms for compliance with PDPA Section 26.

We do not sell, rent, or trade your information. We do not share data with advertisers, data brokers, or analytics providers other than those listed above.

We may disclose information when required to do so by Singapore law, by a valid order of a Singapore court, or by a Singapore regulator or law-enforcement authority acting within its statutory powers (including the Personal Data Protection Commission, the Infocomm Media Development Authority, and the Singapore Police Force under the Criminal Procedure Code), or to protect the rights, property, or safety of users, the public, or us. Where the law permits, we will notify the affected user before disclosing their information.

§ 5

Retention

DataRetention
LocationNot retained — processed in memory on your device only
Device identifierUntil you reinstall the App, reset device identity (planned), or request deletion
Favourites & pinned servicesUntil you delete them, sign out of iCloud, or delete the App
User-submitted Commute Feed posts7 days, then automatic deletion
Official advisories and LTA alertsIndefinite (no personal data)
ReactionsDeleted with the message
FCM token + subscriptionsUntil you uninstall, revoke notifications, or change subscriptions
Firebase Analytics events14 months
Crashlytics records90 days (Google default)
Email correspondence with usUp to 24 months for support and dispute-resolution purposes
§ 6

Your rights

Under the PDPA you have the right to:

  • Access — request a copy of personal data we hold about you (Commute Feed posts tied to your device, your push token, your subscription list). PDPA §21.
  • Correction — request that inaccurate data be corrected. PDPA §22.
  • Withdraw consent at any time, which (subject to legal retention obligations) will result in deletion of your data. PDPA §16. See §7 below for the practical ways to do this.
  • Lodge a complaint with the Personal Data Protection Commission of Singapore at https://www.pdpc.gov.sg.

To exercise any right, email hi@bustro.app. You will need to provide the device identifier on which you used the App so we can locate the relevant data — we cannot honour requests we cannot tie to a record. We aim to respond within 30 days.

If you are a resident of a jurisdiction with its own data-protection regime and would like to exercise rights granted by your local law, email us at the same address. We will assess such requests in good faith, even where the local regime does not formally apply to us.

§ 7

Withdrawing consent

You can withdraw consent at any time by:

  1. Revoking Location permission in iOS Settings;
  2. Revoking Notifications permission in iOS Settings;
  3. Disabling iCloud sync for Bustro;
  4. Deleting your Commute Feed posts from within the App;
  5. Deleting the App, which removes the device identifier and ends push delivery;
  6. Emailing hi@bustro.app to request server-side deletion of any remaining data.
§ 8

Security

We protect your data using:

  • iOS sandboxing and Keychain protection on your device;
  • HTTPS/TLS for all network communication;
  • Firebase's encryption at rest and in transit;
  • Server-side admin review on Commute Feed submissions before publication;
  • The principle of least data — we do not collect data we do not need.

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify the Personal Data Protection Commission of Singapore as soon as practicable, and in any case no later than 3 calendar days after we determine that the breach (a) is of a significant scale (affecting 500 or more individuals) or (b) results in, or is likely to result in, significant harm to an affected individual, in accordance with PDPA Part VIA (Data Breach Notification). Where a breach is likely to result in significant harm to you, we will also notify you in a reasonable manner.

§ 9

Children and minors

Bustro is a general-audience public-transit utility, rated 4+ on the App Store. It is designed to be useful to Singapore students and young commuters who rely on buses to get to and from school, and there is no minimum age for using it for its primary purpose: checking bus arrival times, viewing stops, services, and routes, saving favourites, using the widget, viewing weather and traffic information, or viewing the Commute Feed.

For posting in the Commute Feed, you must be at least 13 years old. Every Commute Feed submission is reviewed and approved by a member of the Bustro team before it becomes visible to other users — this human review is part of our child-safety and content-quality controls, so that no harmful, identifying, or otherwise inappropriate content (whether about a young person or by one) is published. We may decline submissions and disable posting from a device if we have reason to believe the submitter is under 13.

If you are a parent or guardian and believe a child under 13 has submitted content, email hi@bustro.app and we will remove it.

§ 10

Singapore Open Data Licence attribution

In accordance with the Singapore Open Data Licence v1.0:

Contains information from the Singapore Government data.gov.sg APIs, made available under the Singapore Open Data Licence version 1.0.

We also acknowledge Singapore LTA DataMall as the source of bus arrival, bus stop, and bus service information.

§ 11

Changes to this Policy

We may update this Policy. The "Last updated" date at the top reflects the most recent revision. Material changes will be highlighted in-app or via push notification at least 14 days before they take effect, except where an immediate change is required by law or to address a security issue. Continued use of the App after the effective date constitutes acceptance.

§ 12

Contact us

  • General enquiries: hi@bustro.app
  • Data Protection Officer: hi@bustro.app (mark "DPO" in the subject line)
  • Privacy or content reports: hi@bustro.app

We aim to acknowledge most enquiries within 7 days, and to formally respond to data-rights requests within 30 days.

§ 13

Compliance

This Policy is designed to comply with:

  • Singapore Personal Data Protection Act 2012 (PDPA), including the Data Protection Provisions, Section 26 (transfer limitation), and Part VIA (data-breach notification);
  • Apple App Store Review Guidelines, including 5.1 (Data Collection and Storage) and 1.2 (User-Generated Content);
  • Apple App Privacy Nutrition Label disclosure requirements.

Bustro is built with privacy in mind: no ads, no trackers across other apps, no sale of data, and as little personal data on our servers as possible.