Our principle

VolumeArc is built privacy-first. Wherever we can keep your data on your own device under Apple’s encryption rather than on our servers, we do. This policy describes exactly what data touches what system, and why.

1. Data we collect on your device

HealthKit

With your explicit permission, the App reads a small, fixed set of HealthKit types. The exact set differs by device:

On iPhone: workouts, heart-rate variability (HRV, SDNN), sleep analysis, Workout Effort (logged and estimated), Apple sleeping wrist temperature, and respiratory rate.
On Apple Watch: workouts, heart rate, and active energy burned.

The App writes one type back to HealthKit — completed workouts — so your VolumeArc sessions appear in Apple Health. It does not read body weight, body measurements, contacts, photos, or location.

Raw HealthKit samples never leave your device. They remain in Apple Health under Apple’s encryption boundary. The App reads them on-device and uses them to populate the recovery chip, the readiness signal, and the structured context that accompanies your coach prompt.

Computed aggregates derived from your HealthKit data may leave your device. When you ask the cloud AI coach a question, the prompt the App sends to Google’s Gemini API (via our Cloudflare Worker relay) embeds numeric aggregates such as a 7-day HRV mean versus your 28-day baseline (e.g. “54 ms vs 58 ms, −7%”), a 7-day sleep total versus target (e.g. “47.2h over 7 days vs 56h target”), a 7-day strength-training load in kilojoules and minutes (e.g. “4,200 kJ across 180 min”), Workout Effort trends, sleeping wrist-temperature trends, and respiratory-rate trends. These aggregates are derived from your HealthKit data; the raw samples themselves are not transmitted. These aggregates are numeric, not raw samples, and are included whenever you use the cloud coach. On devices that support Apple’s on-device Foundation Models, the coach may answer locally without contacting the relay; if the on-device model is unavailable, the request falls back to the cloud path. If you would rather these aggregates were never computed or sent, decline or revoke HealthKit access (iOS Settings → Privacy & Security → Health → VolumeArc).

Camera form check

If you start a form check during an active workout, the App asks for camera permission and uses the rear camera to run Apple’s on-device Vision pose detection. Camera frames are processed in memory on your device only. We do not save, upload, or transmit form-check video, photos, or camera frames to VolumeArc, Cloudflare, Google Gemini, Sentry, iCloud, or Apple Health. Starting or stopping capture from Apple Watch sends only a WatchConnectivity control message; it does not move camera frames off the iPhone.

The App keeps only derived form-check metrics such as exercise, rep count, tempo, lateral drift, verdict, and coaching cue. If you later ask the cloud AI coach a question, those derived metrics may be included in the structured coach context so the coach can reference the latest form check. The camera frames themselves are never included.

CloudKit (your private container)

Your training history (workouts, sets, RPE, training plans, workout notes, coach memory entries) is stored in your private CloudKit container under your own iCloud account. CloudKit private databases are encrypted in transit and at rest by Apple; Apple holds the keys; Mabry Ventures does not have access. We cannot read, list, search, or recover your CloudKit data.

Subscriptions

Subscription state is managed by Apple through StoreKit 2. The App receives an entitlement signal (premium yes/no) from Apple on each launch and on subscription state changes. Your payment method, billing address, name, and transaction history are held by Apple, not by Mabry Ventures.

2. Data that travels off-device

To the VolumeArc AI relay (Cloudflare Worker) and Google Gemini

When you query the cloud AI coach, the App sends your prompt through a Cloudflare Worker we operate at relay.volumearc.app. The Worker forwards the prompt to Google’s Gemini API and streams the response back. The Worker is operated by Mabry Ventures, runs in Cloudflare’s edge network, and is configured to log only request shape (path, status code, latency, timing) for operational monitoring. It does not log prompt content, response bodies, or your HealthKit aggregates.

Rate-limiting identifier.To prevent abuse, the Worker authenticates each request with Apple App Attest and keeps a short-lived count of recent requests for the attested app key in Cloudflare’s edge key-value store. That key is not your name, email, or Apple ID, is not forwarded to Google, and the counter entries expire automatically. It lets us enforce rate limits without an account system.

What the outgoing prompt contains depends on your privacy mode. In the default (Standard) mode, the prompt includes: the free-text question you typed or spoke; the coach intent category; a system persona; the recovery aggregates described above; latest derived form-check metrics when present; and a structured context block that includes your profile name, recent session summaries, and your most recent coaching notes so the coach can address you and reason about your training. In Strictmode, the App replaces your name with “the athlete,” omits session summaries and coaching notes, and applies best-effort redaction of email, phone, name, and street-address patterns to the free-text question before it leaves the device. (Strict-mode redaction is defense-in-depth, not a guarantee of zero PII egress — novel PII-shaped text you type may not be caught.) On devices that support Apple’s on-device Foundation Models (where enabled), the coach may answer locally, in which case the prompt is processed on-device; if the on-device model is unavailable the request falls back to the cloud relay path above.

Aside from the free-text question itself, the outgoing prompt’s structured fields never contain your email address, phone number, postal address, IP address (we do not pass it through), Apple ID, or raw HealthKit samples. The free-text question is whatever you type or dictate: in Standard mode it is sent as-is, so avoid typing sensitive personal details into the coach box; in Strict mode it is best-effort redacted as described above.

Google’s use of prompt data and any data-retention behavior on Google’s side is governed by Google’s API terms.

To Sentry (crash reporting & diagnostics)

We use Sentry (operated by Functional Software, Inc.) to find and fix crashes, performance problems, and bugs. The Sentry SDK is configured to collect:

Crash reports and error events, with breadcrumbs;
Automatic session tracking (app launches, foreground/background transitions) so we can compute a crash-free-sessions rate;
Failed network requests (status and timing, not bodies);
Performance traces on a 20% sample, with profiling on a small subset of those traces;
MetricKit diagnostics and app-hang (ANR) detection for hangs longer than 5 seconds.

Session Replay is enabled for crashed sessions only (0% of normal sessions; 100% of sessions that crash), so an engineer can see the final seconds of UI leading to a crash. All text and all images are masked in the replay, so workout notes, coach messages, HealthKit numbers, and profile fields never appear in replay frames — only anonymized layout boxes.

Before any event leaves your device, it passes through a privacy scrubber we wrote. The scrubber strips email and phone patterns, device identifiers, session tokens, and HealthKit-derived fields; drops breadcrumbs in the user-input and coach-memory categories; and clears Sentry’s built-in user fields (email, username, IP address). We do not deliberately send your name to Sentry; if a stray name string slips into an event field the scrubber does not cover, it may be transmitted, which is why we keep the scrubber patterns under test and expand them when we find gaps.

In-app feedback (sent to Sentry)

When you use Send Feedback(Profile → Help), the App sends Sentry the description you write plus diagnostic context: OS version, device model, recent in-app telemetry breadcrumbs, and a non-reversible app-state hash. This is sent only when you choose to submit feedback. Because you author the description, please avoid typing personal details you don’t want shared. To request deletion of a feedback submission, email privacy@volumearc.com.

Support form email (sent through Resend)

If you use the support form on volumearc.app/support, we send the name, email address, topic, and message you provide through Resend (operated by Resend, Inc.) to deliver the request to our support inbox. This is transactional support email only; we do not add support-form submissions to a marketing list. The route uses transient in-memory rate limiting from request metadata to reduce abuse; those counters are not sent to Resend and expire automatically.

Microphone & speech (voice input)

If you ask the coach a question by voice, the App requests microphone and speech-recognition permission and uses Apple’s Speech framework to transcribe your speech to text. Transcription is performed by Apple and is governed by Apple’s privacy practices; VolumeArc receives only the resulting text, which then follows the same coach-prompt path (and privacy-mode rules) described above. We do not store your audio. Microphone access is used only while you are actively dictating a question.

To Apple (HealthKit, CloudKit, StoreKit, APNs)

Apple-managed integrations carry their own data flows under Apple’s privacy practices. We use them as the OS intends; we do not re-publish the data they handle.

3. Data we do not collect

We do not use third-party advertising SDKs.
We do not use third-party analytics SDKs in the App.
We do not use a remote-configuration or experimentation service. Feature flags are local and shipped with the build.
We do not sell your data to anyone, ever.
We do not use your HealthKit data for any purpose other than running the App for you.
We do not read your contacts, photos, or location.
We do not upload or store form-check video, photos, or camera frames.

The marketing website at volumearc.app uses Plausible Analytics, which is a privacy-respecting analytics service that does not use cookies and does not collect personal data. Plausible only sees aggregate page-view counts and referrers for the website itself, not data from inside the App.

4. Your rights

Revoke HealthKit access.iOS Settings → Privacy & Security → Health → VolumeArc.

Delete your CloudKit data. Delete the App, then delete the VolumeArc data in iOS Settings → [your name] → iCloud → Manage Storage → VolumeArc.

Cancel your subscription. iOS Settings → [your name] → Subscriptions → VolumeArc.

Request server-side deletion. If you believe we hold any data about you on our own infrastructure (the AI relay, Sentry, etc.), email privacy@volumearc.com and we will confirm what we have and remove it within 30 days. Note: the relay does not log prompt content, so for typical users there is nothing on our side to delete; this right is still available.

5. Processors, transfers & retention

Mabry Ventures, LLC is the data controller for the limited personal data we process. We use the following processors, all based in the United States, under their respective data-processing terms:

Apple — HealthKit, CloudKit, StoreKit, push notifications, and on-device/Apple speech recognition.
Cloudflare — hosts the AI relay Worker and the edge rate-limit store.
Google — the Gemini API that generates coach responses.
Functional Software, Inc. (Sentry) — crash and diagnostics reporting.
Resend, Inc. — transactional support-form email delivery from the marketing website.

International transfers.If you are outside the United States, using the cloud coach or crash reporting transfers data to US-based processors. Those transfers rely on the processors’ standard contractual clauses and data-processing agreements as appropriate safeguards.

Retention.Your CloudKit training data stays in your iCloud account until you delete it (we cannot access it). The relay does not retain prompt content; the rate-limit identifier counters expire automatically within minutes. Sentry events are retained for Sentry’s default period (about 90 days) and then deleted. Support-form emails are retained in the support inbox only as long as needed to answer and audit the request.

6. GDPR (EEA & UK)

If you are in the European Economic Area or the United Kingdom, Mabry Ventures is the controller for your personal data. Our lawful bases (UK/EU GDPR Article 6, and Article 9 for health data) are:

Performance of a contract — operating the App and coach for you.
Explicit consent — reading HealthKit data and sending HealthKit-derived aggregates to the cloud coach (you grant HealthKit access and choose the cloud tier; health data is special-category data processed only on your explicit consent, which you can withdraw at any time by revoking HealthKit access or switching to the on-device tier).
Legitimate interests — crash/diagnostics reporting and abuse prevention (rate limiting), balanced against your rights.

You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, to withdraw consent, and to lodge a complaint with your supervisory authority. Email privacy@volumearc.com and we will respond within 30 days.

7. California (CCPA/CPRA)

If you are a California resident, the following describes our practices in the preceding 12 months. We do not sell or share your personal information(as “sell” and “share” are defined under the CPRA), and we do not use it for cross-context behavioral advertising.

Categories collected: identifiers (a pseudonymous per-install ID for rate limiting); health-derived aggregates and other content you provide to the coach (sensitive personal information); and usage/diagnostic data (crash and performance telemetry).
Sources: you, and your device/app interactions.
Purposes: to provide the coaching service, fix bugs and crashes, and prevent abuse.
Disclosures: only to the service providers listed above, for those purposes.

You have the right to know, delete, and correct your personal information; to limit the use of sensitive personal information; and to not be discriminated against for exercising these rights. To exercise any of these, email privacy@volumearc.com; we will respond within 45 days.

8. Children

VolumeArc is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, contact privacy@volumearc.com and we will delete it.

9. Security incident response

If we become aware of a security incident affecting your personal data, we will notify affected users where legally required and without undue delay, using the channels available to us — an in-app notice on next launch, a notice on volumearc.app, the App Store release notes, and email where we have one — with the nature of the incident, the data involved, and the steps we are taking. Because we operate no account system and do not collect your email, an in-app/website notice is typically our primary channel.

10. Vulnerability disclosure

Security researchers who find a vulnerability in the App, the relay, or this website may report it to security@volumearc.com. We acknowledge within 2 business days and commit to working in good faith on coordinated disclosure. We do not pursue legal action against researchers operating within the spirit of this policy.

11. Changes to this policy

We will update the “Effective date” above when this policy changes. Material changes (new categories of data collected, new third parties, new egress paths) will be surfaced in-app on next launch.

12. Contact

Questions about this policy? Email privacy@volumearc.com or write to:

Mabry Ventures, LLC
Attn: Privacy
Nashville, Tennessee, USA