
Privacy policy

Last updated: 2026-05-20

The short version

Understory does not collect your health data, location data, or personal information on servers we operate. Your data lives on your device and in your personal iCloud account, encrypted by Apple. We can't see it.

Apart from the opaque identifier Sign in with Apple issues for authentication, the only data that touches a server we run is an encrypted bundle you create and upload yourself for care-team sharing. We store ciphertext. We have no key. The bundle is deleted when you revoke it or when the expiry you set passes.

There are no trackers. No analytics. No advertising identifiers. No crash reports unless you opt in. The app has no eyes on you.

What data is collected

Data that never leaves your device (Ring 0)

The following is stored locally in the app's SwiftData database and syncs to your personal iCloud private database. It does not touch any server we operate at any time.

  • Heart rate and heart rate variability readings from Apple Watch
  • Resting heart rate and RR intervals collected during morning readings
  • Session logs: start/end time, category, spoon count, notes
  • Symptom entries: kind, severity, timestamp, optional notes
  • Medication entries: name, dose, timing, optional notes
  • Morning reading results: stability score, subjective check-in response
  • Location context: user-assigned venue names and visit frequency (coordinates stored only for venue matching, never displayed, never exported)
  • Environment snapshots from WeatherKit: barometric pressure, temperature, humidity, AQI, pollen
  • Cycle data, if you choose to enable cycle tracking
  • App preferences and notification settings

Data stored on servers we operate (Ring 1, your explicit choice)

If you generate a care-team sharing bundle, the encrypted file is uploaded to a Supabase Storage bucket we operate. This file:

  • Is sealed on your device before upload. We cannot decrypt it.
  • Is accessible only via a time-limited signed URL you choose to share. The URL grants its holder access to the ciphertext; reading the bundle also requires the key, which we never hold.
  • Expires and is permanently deleted when you revoke access or when the expiry you set passes.
  • Is never indexed, analysed, or accessed by us.
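The sealed-bundle model described above, as an added illustration rather than Understory's own code: the real app runs on iOS and would do this with CryptoKit, but the mechanism is the same in any language, so it is shown here in Go with only the standard library. The bundle schema, the share id used as associated data, the assumption that the recipient gets the key out of band (for example in a URL fragment, which browsers do not send to the server), and the client-side expiry check as a second line of defence behind server-side deletion are all assumptions of this example, not statements about the product.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Bundle is a constructed stand-in for the plaintext a patient chooses to
// share; the app's real schema is not published and is not assumed here.
type Bundle struct {
	Symptoms []string  `json:"symptoms"`
	Expires  time.Time `json:"expires"`
}

// Sealed is the only thing the storage bucket ever receives: a random nonce
// plus AES-256-GCM ciphertext with its authentication tag. No key, no plaintext.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// Bucket models the server side: it stores opaque blobs by share id and can
// delete one on revocation. It has no code path that could decrypt anything.
type Bucket struct{ objects map[string]Sealed }

func NewBucket() *Bucket                         { return &Bucket{objects: map[string]Sealed{}} }
func (b *Bucket) Upload(id string, s Sealed)     { b.objects[id] = s }
func (b *Bucket) Fetch(id string) (Sealed, bool) { s, ok := b.objects[id]; return s, ok }
func (b *Bucket) Revoke(id string)               { delete(b.objects, id) }

// NewKey generates a fresh 256-bit key on the sharing device. Assumption: it
// reaches the recipient out of band (e.g. a URL fragment) and never the bucket.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a bundle on the device. The share id is bound as associated
// data, so a blob stored under one share cannot be replayed under another.
func Seal(key []byte, shareID string, b Bundle) (Sealed, error) {
	plaintext, err := json.Marshal(b)
	if err != nil {
		return Sealed{}, err
	}
	g, err := aead(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(shareID))}, nil
}

// Open runs on the recipient's device. It rejects a malformed nonce (GCM would
// otherwise panic), a wrong key, a modified blob, or a blob moved to another
// share id, and refuses a bundle whose expiry has passed even if the server
// copy has not been deleted yet (assumed defence in depth, not the product's rule).
func Open(key []byte, shareID string, s Sealed, now time.Time) (Bundle, error) {
	g, err := aead(key)
	if err != nil {
		return Bundle{}, err
	}
	if len(s.Nonce) != g.NonceSize() {
		return Bundle{}, errors.New("malformed nonce")
	}
	plaintext, err := g.Open(nil, s.Nonce, s.Ciphertext, []byte(shareID))
	if err != nil {
		return Bundle{}, errors.New("bundle failed authentication")
	}
	var b Bundle
	if err := json.Unmarshal(plaintext, &b); err != nil {
		return Bundle{}, err
	}
	if now.After(b.Expires) {
		return Bundle{}, errors.New("bundle expired")
	}
	return b, nil
}

func main() {
	key, _ := NewKey()
	sealed, _ := Seal(key, "share-42", Bundle{Symptoms: []string{"migraine", "fatigue"}, Expires: time.Now().Add(72 * time.Hour)})

	bucket := NewBucket()
	bucket.Upload("share-42", sealed) // the server now holds ciphertext only

	blob, _ := bucket.Fetch("share-42")
	b, err := Open(key, "share-42", blob, time.Now())
	fmt.Println(b.Symptoms, err)

	bucket.Revoke("share-42") // revocation is deletion
	_, ok := bucket.Fetch("share-42")
	fmt.Println("still stored after revoke:", ok)
}
```

The point the code makes that the bullets alone do not: the server's data structure has no decrypt path, the authentication tag turns tampering or cross-share replay into a hard failure rather than corrupted data, and the recipient can still refuse an expired bundle if the server-side deletion has not caught up.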

We also store the user identifier that Sign in with Apple issues for your account, to support authentication. This is an opaque identifier issued by Apple and scoped to our developer account; it is not your email address or name unless you choose to share those with the app.

Data we never have

  • Raw biometric samples
  • Symptom or medication records in plaintext
  • Location data (coordinates or venue names)
  • Notes or journal entries
  • Cycle data
  • Any plaintext personal health data of any kind

HealthKit usage

Understory requests access to the following HealthKit data types. Access is granted by you in iOS and can be revoked at any time in Settings.

  • Heart Rate (read, during sessions and morning readings)
  • Heart Rate Variability SDNN (read)
  • Resting Heart Rate (read)
  • Mindfulness Minutes (write, to support morning reading sessions)
  • Workouts (read, to ingest native workout sessions)
  • Sleep Analysis (read, to support baseline computation)
  • Menstrual Flow and Basal Body Temperature (read, only if cycle tracking is enabled)
  • State of Mind (read, optional correlation feature)

HealthKit data is read from the HealthKit store on your device and processed locally. It is never uploaded to any server in plaintext; the only way a HealthKit-derived value leaves your device is inside a care-team bundle you choose to create, and then only as ciphertext.

Location handling

Location tracking is off by default. If you enable it, the app uses CoreLocation's visit monitoring (CLVisit), which is event-based, not continuous: iOS notifies the app when you arrive at or leave a place, and the app records an approximate coordinate for that event. The app never receives a continuous track of your movements.

Coordinates are stored only to match future visits to venues you have already named. They are never shown in the app's UI and never exported, and care-team bundles do not include them by default. The "forget this venue" option in venue settings permanently deletes the coordinates and all data associated with that venue.

The three privacy rings

The app's architecture is designed around three concentric rings of data sharing. A feature lives in the lowest ring that can support it. Promotion to a higher ring requires your explicit opt-in per feature, not a global setting.

  • Ring 0 (default): Everything on your device and in your iCloud. Encrypted by Apple. We have no access.
  • Ring 1 (your choice): Encrypted care-team bundles, temporarily stored on our servers as ciphertext. You control what's in the bundle, who receives the link, and when it expires.
  • Ring 2 (planned, opt-in): An optional future feature that would let you compare your patterns to anonymous group averages of people with similar conditions and baselines. Only group totals would leave your device; your individual readings never do. A group must include at least 50 people before any number is shared. Not in the current release.

iCloud and Apple

Understory uses the CloudKit private database in your personal iCloud account to sync your data between your own devices. Apple encrypts that data in transit and at rest, and if you have turned on Advanced Data Protection for your iCloud account it is end-to-end encrypted, so that Apple cannot read it either. In every case the private database belongs to your Apple Account and we have no access to it. Apple's privacy policy governs its handling of iCloud data. Weather snapshots are answered by Apple's WeatherKit service, which needs a location to produce a forecast; that request goes to Apple, not to us.

We use Sign in with Apple for authentication. Apple's documentation describes what information is shared during that flow.

Crash reporting

Crash reporting is off by default. If you opt in during onboarding or later in Settings, crash and diagnostic reports are collected via Apple's MetricKit. MetricKit aggregates the data on your device before handing it to the app, and the resulting reports contain stack traces and device performance metrics, not the contents of your health records.

We do not use any third-party crash reporting SDK. Apart from Apple's own services (iCloud, WeatherKit, Sign in with Apple) and the storage bucket we operate for care-team bundles, nothing in the app contacts any server.

Analytics and tracking

There are none. No usage analytics. No behavioral logging. No A/B test scaffolding. No advertising identifiers. The app does not use any tracking framework, SDK, or service.

The marketing site (this site) also has no trackers. The site does not set cookies, load third-party scripts, or request third-party fonts. Server-side Cloudflare request logs are the only form of aggregate measurement, and they do not include personal identifiers.

Data deletion

From the You tab in the app, you can delete your account and all associated data. Deletion takes effect immediately on your device, propagates to your iCloud within minutes, and revokes all active care-team shares. Any encrypted bundles on our servers are deleted as part of share revocation.

Full data export (a JSON file containing everything the app holds) is available from the same screen at any time, with no questions asked.

Children

Understory is not directed at children. The minimum age to use the app is [MINIMUM AGE : pending legal review]. We do not knowingly collect data from anyone below that threshold. If you believe a minor has created an account, please contact us.

GDPR (European residents)

If you are located in the European Economic Area or United Kingdom, the following applies.

The legal basis for processing data you store locally is the performance of the service you requested. For care-team bundles, the legal basis is your explicit consent. For Sign in with Apple authentication, the legal basis is the necessity of providing the service.

You have the right to access, correct, or delete your personal data. You also have the right to object to processing and to data portability. These rights are exercised by using the in-app deletion and export features, or by contacting us at the address below.

Data controller: [LEGAL ENTITY NAME AND ADDRESS : pending legal review].

CCPA (California residents)

We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. California residents have the right to request information about the personal information we hold, to request deletion, and to opt out of any future sale (which we do not currently conduct).

Retention

Data on your device is retained until you delete it or delete the app. Sign in with Apple identifiers in our authentication system are retained until you delete your account. Encrypted care-team bundles are retained until the expiry date you set or until you revoke the share, whichever comes first.

Specific retention windows for authentication logs: [RETENTION PERIOD : pending legal review].

Contact

For privacy questions, data access requests, or to report concerns, contact us at [email protected].

Changes to this policy

If this policy changes materially, we will update the date above and note the changes in the app's release notes. Continued use of the app after a change constitutes acceptance of the revised policy.

This page needs a legal review before launch. Sections on minimum age threshold, GDPR legal basis and data controller details, CCPA specifics, and retention windows contain placeholders that require input from a qualified legal professional. Do not publish this page in final form without that review. Sections marked "[PLACEHOLDER]" or "[pending legal review]" must be completed or removed.