Feature III  ·  Where your data lives

We never see what you write.
Not because we promise. Because we built it that way.

Most privacy claims are policies. A paragraph promising not to misuse data the app does collect. Vaely's claim is architectural. The app collects nothing that leaves your phone because it is built without the components that would collect anything. The difference matters during a flare, during an appointment, during a subpoena, and during the next health-app data breach in the news.

Where your data goes. And does not.

A diagram, in two halves.

A. Your phone — everything happens here
Voice or text input
Apple Foundation Models · 3B params
NLEmbedding · 512-dim vectors
SQLite + sqlite-vec storage
Confirmation review
Doctor PDF generation
Encrypted backup
Every operation in the app runs on your device. None requires a network connection. The app works in airplane mode.
B. The cloud — where your data does not go
  • No third-party AI APIs
  • No analytics SDKs
  • No crash-reporting telemetry
  • No advertising identifiers
  • No iCloud sync of journal data
  • No backup-key sync to iCloud Keychain
  • No server that receives, stores, or forwards your entries
The components above are absent from the app's binary. Auditable. Verifiable. Not a promise.

A panel of verifiable facts

What you can check. What we cannot fake.

  1. F-01

    Zero third-party SDKs.

    The iOS app contains no third-party SDK other than the open-source on-device vector index SQLiteVec. No Firebase, no Mixpanel, no Sentry, no AppsFlyer, no Adjust. Apple's App Store review process can verify this against the binary. Anyone with the source can verify this against the import statements.

  2. F-02

    Zero network calls in the app code.

    The app makes no outbound HTTP requests. There is no URLSession in the inference path, no analytics endpoint, no telemetry stream. Inference, retrieval, storage, and PDF generation all run locally. Network monitoring on a real device returns nothing.

  3. F-03

    The backup encryption key is not synced to iCloud Keychain.

    When you generate an encrypted backup, the key is created on your phone and stored locally. The decision to exclude it from iCloud Keychain is recorded as a code-level comment in BackupKeyStore.swift: a future refactor cannot silently flip it back on without a code review.

  4. F-04

    The App Store privacy label reads Data Not Collected.

    Across every category — Contact Info, Health & Fitness, Sensitive Info, Identifiers, Usage Data, Diagnostics, Location — Vaely declares "None." Apple verifies the label against the app's actual behavior. Mismatches between label and behavior are an App Store violation that gets the app pulled. Ours match because they describe the truth.

Technical detail, in plain language

What actually runs on your phone.

Apple Foundation Models
A 3-billion-parameter language model that ships with iOS 26+ on A17 Pro and A18 hardware. Vaely uses it via the LanguageModelSession API, with a system prompt designed to keep outputs framed as summaries of your own entries. Inference happens on the device's Neural Engine. No request reaches Apple's servers as part of running the model.
Apple NLEmbedding
The framework that produces 512-dimensional sentence vectors for retrieval. Available on every iPhone since iOS 14, fully on-device. Vaely uses it to find related past entries when you ask "Why am I worse on Mondays?" — the answer is built from your own logged data, retrieved by similarity.
SQLite + sqlite-vec
The local database. SQLite is the most-deployed database in the world and is built into every iOS device. The sqlite-vec extension adds vector similarity search. Both are open-source. Both run entirely on your device.
StoreKit 2
Apple's subscription framework. When you subscribe, Apple processes the payment. Vaely receives only an obfuscated transaction identifier and the entitlement period. We do not see your card, your billing address, or your name.

A sentence about trust

The trust is already where it needs to be.

Patients who would never send their health data to OpenAI or Google trust Apple's on-device models because they already trust Apple with their fingerprint, their face, their location, their messages. Vaely inherits that trust without earning it independently. The same chip that runs the most private feature on your phone runs Vaely.

EU AI Act  ·  The two relevant articles

Article 50, and Article 6(3).

50

Transparency disclosure.

Article 50 requires that you, the natural person interacting with an AI system, be informed of that interaction. You are interacting with an AI system when Vaely turns your speech into a structured entry, when it produces a weekly summary, when it surfaces a pattern observation. Vaely is the deployer; the AI system is Apple's; it runs on your device. We tell you, here, in the privacy policy, and on our dedicated AI disclosure page.

6(3)

Exemption from high-risk classification.

Article 6(3) exempts AI systems that perform a narrow procedural task and improve the result of a previously completed human activity. Vaely's AI structures text you wrote (narrow procedural task) and refines a journal entry you started (previously completed human activity). It does not diagnose, predict, perform biometric categorization, infer emotion, or generate deepfakes. The exemption applies. Vaely is not a high-risk AI system within the meaning of Annex III.

A dispassionate citation

Mozilla Foundation evaluated the leading symptom tracker in their Privacy Not Included series and rated it "a little creepy." Their researcher discovered Facebook trackers running in the app without explicit user consent, and noted the gap between what users formally authorize at signup and what the app actually does. The full evaluation is at mozillafoundation.org/en/privacynotincluded/bearable.

We cite this not to attack a competitor — every privacy-claiming app deserves the same scrutiny, including ours. We cite it because the gap between policy claims and architectural facts is the gap that Vaely was built to close. Evaluate us in the same way. Apple's review of the binary is the first checkpoint. Network monitoring is the second. The source code is the third.

Your health data can never be subpoenaed from our servers,
because it was never on our servers. — Vaely's promise, written as architecture, not as policy

Questions about the architecture

The plain answers.

Can you really not see what I write?

We have no servers that receive your journal. The natural-language extraction runs on Apple's Foundation Models framework, which performs inference on your device. The retrieval system uses Apple's NLEmbedding to generate vectors locally, stored in a local SQLite database. The encryption key for backups is generated on your phone and never synced to iCloud Keychain. None of these choices are reversible at our end. We could not see your data even if we wanted to.

What about Apple? Do they see it?

Apple Foundation Models inference runs on your device using Apple's on-device hardware. Apple does not receive your input or output as part of running the model. Apple's privacy policy governs Apple's handling of HealthKit, Siri, and any other Apple service you use; we link to it from our policy. Vaely is not part of any data exchange with Apple.

How is this different from Bearable or other privacy-claiming health apps?

Most claims of privacy are policy-based: a paragraph promising not to misuse data the app does collect. Vaely's claim is architectural: the app collects nothing because it is built without the components that would collect anything. Mozilla Foundation, in its Privacy Not Included evaluation, found the leading symptom tracker shipped with Facebook trackers active without explicit user consent. We do not have the equivalent risk because we do not have the equivalent components.

What if I lose my phone?

Two safety nets. Apple Health write-back keeps your entries in the system you already trust — if you ever delete Vaely, your record survives there. The encrypted local backup file is yours to move; you can AirDrop it, save it to Files, store it on iCloud Drive, or hand it to a relative on a USB-C drive. The encryption key is yours; without it, the backup is unreadable.

Is this an EU AI Act high-risk system?

No. Vaely's AI features perform a narrow procedural task — structuring text the user wrote — and improve the result of a previously completed human activity (the journal entry). They do not perform diagnosis, biometric categorization, emotion recognition, deepfake generation, or any of the other Annex III high-risk activities. Article 6(3) exemption applies. Article 50 transparency disclosures are made on this page, in the privacy policy, and in our dedicated AI disclosure document.

How can I verify this myself?

Three ways. First, Apple's App Store privacy label — Apple has the binary and verifies the label against the app's behavior. Second, network monitoring — install a network monitor on your phone, use the app, observe that it makes no outbound calls in inference. Third, code-level review — we are happy to walk through the architecture with anyone serious enough to ask. The verifiability is the point.

A health app that
cannot betray you by mistake.

The architecture forecloses the possibility. The free tier proves the architecture in practice.

Download on the App Store