Privacy Policy

Last updated: 16 April 2026

TimeToTest (the App) is a free mobile application for iOS and Android that enables anonymous partner notification for sexually transmitted infections. Your privacy is fundamental to how the App is designed and operated.

Data controller

TimeToTest is operated by Victor Humenhuk. If the TimeToTest CIC registration completes, the role of data controller will transfer to that entity and this policy will be updated. You can contact the controller at victor@thesmios.com.

Lawful basis for processing

Under UK GDPR, our lawful basis is legitimate interest (Article 6(1)(f)). Our legitimate interest is reducing STI transmission by enabling anonymous partner notification. We have assessed this against your rights and concluded the processing is proportionate because no personal data is stored and recipients receive only a short health prompt directing them to NHS services.

What we collect

We collect as little data as possible.

  • Phone numbers you select: when you choose contacts to notify, their phone numbers are sent to our server solely to deliver the SMS. Phone numbers are used in real time and are never stored in any database, log, or file.
  • IP address: your IP address is temporarily recorded for rate limiting (to prevent abuse). Rate-limit records are automatically deleted within 48 hours.

What we do not collect

  • Your name, email address, or phone number
  • Your contact list (it is accessed on your device only)
  • Your diagnosis or which STI you selected
  • Who you notified, when, or how many people
  • Device identifiers, advertising IDs, or location data
  • Analytics, usage tracking, or crash reports

No accounts

TimeToTest does not require or create user accounts. There is no login, no registration, and no profile.

SMS delivery

Anonymous SMS messages are delivered through Twilio, a third-party communications provider. Twilio processes the recipient's phone number and the message content to deliver the SMS. We have configured Twilio message log retention to 0 days, meaning Twilio does not retain message content or recipient numbers after delivery. Twilio may retain minimal operational metadata as required by telecommunications regulations in the jurisdictions where it operates.

Rate limiting

To prevent abuse, the App enforces rate limits both on your device (maximum 1 send per 24 hours and maximum 10 recipients per send) and on our server using the IP address of each request. On Android the client-side limits are enforced via DataStore; on iOS they are enforced via local storage. Server-side rate-limit records are automatically deleted within 48 hours.

On-device data

The App accesses your device's contact list to display names and phone numbers for selection. This data is read locally on your device and is never uploaded or transmitted to our servers. Only the phone numbers you explicitly select are sent for SMS delivery. On both iOS and Android, contact access requires your permission and can be revoked at any time through your device settings.

Tips and donations

TimeToTest is free to use. After sending a notification you may optionally tip or donate to support the App:

  • iOS: tips are processed by Apple StoreKit. Apple handles all payment information.
  • Android: tips are processed by Google Play Billing. Google handles all payment information.
  • Ko-fi: you may also donate at ko-fi.com/victorhumenhuk. Ko-fi handles all payment information.

We do not receive or store your payment card details, billing address, or any other financial information.

Third-party services

  • Twilio: SMS delivery. See twilio.com/legal/privacy.
  • Supabase: backend hosting for Edge Functions and rate-limit records. See supabase.com/privacy.
  • Apple StoreKit: optional tip processing on iOS. Handled entirely by Apple.
  • Google Play Billing: optional tip processing on Android. Handled entirely by Google.
  • Ko-fi: optional external donations. Handled entirely by Ko-fi.

We do not use any analytics, advertising, or tracking SDKs.

Data retention

  • Phone numbers: not stored. Used in memory during SMS delivery, then discarded.
  • Rate-limit records: IP address and timestamp. Automatically deleted within 48 hours.
  • Everything else: not collected, therefore not retained.

International transfers

Twilio, Supabase, Apple, Google, and Ko-fi may process data outside the UK. Each provider relies on appropriate safeguards under UK GDPR, including Standard Contractual Clauses where applicable.

Children's privacy

TimeToTest is not intended for use by anyone under the age of 17. We do not knowingly collect data from children.

Your rights

Under UK GDPR you have rights to access, correct, delete, object to, and restrict processing of your personal data, as well as the right to data portability. Because we do not store personal data, in most cases there is nothing to access, correct, or delete. For the period that IP-based rate-limit records exist (up to 48 hours), you can request deletion by contacting us.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Changes to this policy

If we make changes, the updated policy will be posted at this URL with a new "Last updated" date. Continued use of the App after changes constitutes acceptance.

Contact

Email: victor@thesmios.com

TimeToTest is made by Victor Humenhuk.