Legal

Privacy Policy

Effective date: TBD — pending legal review (VOL-124)

Draft. This page is a placeholder structure. Final content is being prepared with legal counsel and will replace this page before App Store submission. See VOL-124.

Our principle

VolumeArc is built privacy-first. Wherever we can put your data on your own device under Apple’s encryption rather than on our servers, we do.

Data we collect

HealthKit

With your explicit permission, the App reads from HealthKit: workout history, heart-rate variability (HRV) trends, sleep duration, training load, and basic recovery signals. This data is read on-device and used by the Readiness model and the AI coach prompt. Raw HealthKit data never leaves your device unencrypted. Computed summaries (e.g., “HRV down 8% vs baseline”) may be included in the redacted coach prompt envelope when you ask the coach a question.

CloudKit (your private container)

Your training history (workouts, sets, RPE, training plans, coach memory) is stored in your private CloudKit container under your own iCloud account. Mabry Ventures does not have access to this data and cannot read it. Apple holds the encryption keys.

AI relay (Cloudflare Worker → Gemini)

When you query the AI coach on the cloud tier, the App sends a redacted prompt envelope through a Cloudflare Worker we operate to Google’s Gemini API. The envelope includes: your question, the coach intent, the structured context block (readiness score, recent session count, current program), and a system persona. It does not include: your name, email, address, phone number, exact body weight, or any HealthKit raw values.

Sentry (crash reporting)

We use Sentry to collect anonymous crash reports and error telemetry. All payloads pass through VolumeArcSentryPIIScrubber before leaving the device, which strips emails, phone numbers, and other PII. We do not send user identifiers, names, or HealthKit data to Sentry.

Subscriptions

Subscription state is managed by Apple via StoreKit 2. We receive an entitlement signal (premium yes/no), not your payment details.

Data we do not collect

  • We do not use third-party advertising SDKs.
  • We do not sell your data to anyone, ever.
  • We do not use your HealthKit data for any purpose other than running the App for you.
  • We do not read your contacts, photos, or location.

Your rights

You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → VolumeArc. You can delete your CloudKit data by deleting the App, then deleting the VolumeArc-related data in iOS Settings → [your name] → iCloud → Manage Storage. To request deletion of any server-side data we hold, email privacy@volumearc.com.

GDPR & CCPA

If you reside in the European Economic Area, the United Kingdom, or California, you have specific rights under GDPR and CCPA including the right to access, port, and delete your data. Contact privacy@volumearc.com to exercise these rights.

Children

VolumeArc is not directed to children under 13 and we do not knowingly collect data from children under 13.

Changes to this policy

We will update the “Effective date” above when this policy changes. Material changes will be communicated in-app.

Contact

Questions about this policy? privacy@volumearc.com.