Refusing a permission shouldn't cost you the app

The principle.

Aeyo’s refusal to collect personal data and reject third-party SDKs is necessary but not sufficient. The next layer is harder: building the app so refusing a permission doesn’t make it worse. Even if you fully trust Aeyo with your data, a right that comes with a cost is coercion in slow motion.

This applies whether or not you trust Aeyo, and whether or not Aeyo collects data. Those are different conversations.

The test

Sign out of iCloud. Deny location. Deny notifications. Open Aeyo.

  • Search returns results.
  • Lists save.
  • Insights surface.
  • Shopping Mode opens manually from any store you visit.

Every gap you encounter is honestly physical — a feature that genuinely needs the permission, not a feature Aeyo could have delivered without it.

What Aeyo asks for

Location

Detects when you arrive at a saved store so Aeyo can open your list automatically. Auto-fills coordinates for nearby stores you add. Sorts catalog search by regional relevance.

If you skip: Shopping Mode opens manually from each store’s detail page. Catalog search still works — it falls back to your last-known region or your device’s timezone. Store coordinates are entered manually. Arrival detection is off.

Notifications

Lock-screen alerts when you arrive at a store. That is the entire surface today.

If you skip: The Insight Centre still surfaces every reminder in-app. Only the system-level banner is missing.

iCloud

Syncs your lists and items between devices under the same Apple ID. Records your founding-member status. Enables cart sharing. Lets your purchases nudge the catalog’s ranking in your region.

If you skip: Your data lives on this device only. Founding-member status can’t be claimed. Cart sharing isn’t available. The catalog still works; only your purchases don’t contribute to its ranking.

The invariant

In code, this principle is enforced as a registered business rule (permission.no-artificial-gap). Every place Aeyo could ask for a permission carries a tag pointing back to the rule. Any new feature that introduces a permission gate has to justify the gap as physical, in writing, in the same code review — or it can’t ship.