Privacy Policy
This Privacy Policy explains how Vaely (“Vaely”, “we”, “us”, or “our”) handles information when you use the Vaely mobile application (“the App”) for iPhone and Apple Watch, and the Vaely website at vaelyai.web.app (collectively, the “Service”).
We have designed Vaely so that your health information stays on your device. The App does not transmit your journal entries, symptoms, medications, voice recordings, AI-generated summaries, doctor reports, or any other personal or health information to Vaely’s servers, because Vaely does not operate any servers that receive your data. We have no third-party analytics, advertising, tracking, or telemetry SDKs in the App. The plain-English summary below states the same thing in shorter form. The detailed sections that follow describe the limited information that is processed locally on your device, the limited information collected through our website, your rights, and how to exercise them.
1. Plain-English Summary
If you only read one section, read this one.
- The App does not send your health data anywhere. Every entry, every voice recording, every AI summary, every doctor report stays on your device. We cannot read your data because we do not receive it.
- No analytics in the App. No crash reporting, no event tracking, no third-party SDKs that observe your behavior, no advertising identifiers.
- AI runs on your device. When you log a symptom, the AI that turns “took 400mg ibuprofen at 6pm, head pain 7” into structured data is Apple’s on-device language model. Apple does not see your text, and neither do we.
- Apple Health stays on your device. When the App reads your sleep, heart rate, or HRV, that data is read locally from Apple’s HealthKit and never leaves your phone.
- Subscriptions go through Apple. When you subscribe to Vaely Pro, your payment is processed by Apple. We never see your card number, billing address, or your name as it appears on your card. Apple sends us only what we need to confirm your subscription is active.
- Caregiver sharing is peer-to-peer. When you share a report with a family member or caregiver, it goes directly from your phone to theirs via AirDrop, iMessage, or another method you choose. It does not pass through our servers.
- The website (vaelyai.web.app) collects very little. Our hosting provider logs basic technical data (such as IP address and browser type) for security and reliability. If you submit our contact form, we collect what you choose to write to us. We do not use cross-site advertising trackers.
- You have rights. Depending on where you live, you have the right to know what we have about you, request a copy, request deletion, and object to processing. Because we have so little to begin with, exercising these rights is usually instant: delete the App, your data is gone.
If anything in the detailed sections that follow appears to contradict this summary, the detailed section governs. If you spot a contradiction, please tell us at tezaapps@gmail.com — we will fix it.
2. Who We Are and How to Reach Us
Operator: Vaely. We are the developer of the Vaely application, distributed through the Apple App Store.
Contact for privacy questions and data subject requests: tezaapps@gmail.com
For the purposes of the European Union General Data Protection Regulation (GDPR) and the United Kingdom GDPR, Vaely is the controller of the limited personal data processed in connection with the website and the limited operational data described in this Policy. Because the App does not transmit user content to us, Vaely is not a controller of the on-device data created by your use of the App; you remain in control of that data on your device.
EEA, UK, and Swiss users may contact us at tezaapps@gmail.com for any GDPR or UK GDPR request, including requests directed to a controller representative.
3. Scope of This Policy
This Policy covers:
- The Vaely iPhone application and its on-device data handling.
- The Vaely Apple Watch application and its on-device data handling.
- The Vaely website at vaelyai.web.app, including any subdomains.
- Any communications you have with us by email, the website contact form, or other written means.
This Policy does not cover:
- Apple Inc.’s collection and processing of data in connection with App Store transactions, App Store analytics provided to developers, push notification delivery, Apple ID account services, iCloud, HealthKit, Siri, Apple Foundation Models, or any other Apple service. Those activities are governed by the Apple Privacy Policy at apple.com/legal/privacy. We do not control Apple’s processing.
- Third-party services, websites, or applications you may launch from the App or the website. Their privacy practices are governed by their own policies.
4. Information We Process
We separate the App and the website because their data practices are different.
4.1 The App (iPhone, Apple Watch)
4.1.1 Data created on your device, stored only on your device
When you use the App, the following information is created and stored locally on your device. It is not transmitted to Vaely. We do not have access to it.
- Journal content you create, including written entries, voice recordings (transcribed locally), severity ratings, free-text notes, mood, energy, sleep notes, location of pain, and any other content you choose to log.
- Medications you record (name, dose, schedule, route, side effects).
- Symptoms and conditions you select during onboarding or add later.
- Custom tracking metrics you create (Pro feature), including the metric name, type, units, and recorded values.
- AI-generated outputs produced by the on-device language model, including structured extractions, weekly and monthly summaries, pattern observations, pre-visit briefings, and post-visit debriefs.
- Doctor reports and personal summary PDFs you generate.
- Streaks, badges, and health-score values computed by the App for engagement features.
- Settings and preferences, including notification preferences, display preferences, accessibility preferences, and your Reduced Rate self-identification if any.
- App lock state (whether Face ID, Touch ID, or passcode lock is enabled).
- Encrypted local backups that you generate manually using the Backup feature. Backup files are encrypted on your device using a key generated on your device. The encryption key is intentionally not synced to iCloud Keychain (this is enforced in our code) so that a backup file copied off your device cannot be opened without the key you also export.
We do not transmit any of the above to Vaely, our website, or any third party.
4.1.2 Data the App reads from Apple Health (HealthKit)
If you grant the App permission to read Apple Health data, the App reads the following categories from HealthKit on your device:
- Sleep analysis
- Heart rate and resting heart rate
- Heart rate variability (HRV)
- Step count and activity (used to display alongside your journal)
This data is read locally on your device through Apple’s HealthKit framework. It is not transmitted to Vaely. The App uses it to display alongside your journal entries and to provide context to the on-device AI when summarizing patterns.
4.1.3 Data the App writes to Apple Health (HealthKit)
If you grant the App permission to write to Apple Health, and only when you explicitly initiate a write-back action, the App writes your logged symptoms, headaches, and related health samples to HealthKit on your device. This makes your Vaely entries visible in the Apple Health app alongside your other health data. Write-back is opt-in and is performed per export. The App does not perform write-back without your initiation.
4.1.4 Voice and Siri
If you log entries by voice, transcription is performed by Apple’s Speech framework. When Apple’s on-device speech model is installed on your device, transcription happens entirely on-device; when it is not, Apple may transcribe the audio in its cloud. Either path is governed by Apple’s privacy practices for dictation and Siri under the Apple Privacy Policy. Vaely does not record, store, or transmit raw audio of your voice to our servers, because we have no servers that receive audio.
If you use the “Log my headache” Siri shortcut or any other Vaely App Intent, the parameters you speak are processed by Apple’s on-device intelligence and passed to the App locally. Vaely does not receive a copy of the audio.
4.1.5 Face ID / Touch ID
If you enable App Lock, the App uses Apple’s LocalAuthentication framework to verify your face or fingerprint. This authentication happens entirely on your device using Apple’s Secure Enclave. Vaely never receives biometric data, biometric templates, or images. We are told only whether authentication succeeded or failed.
4.1.6 Notifications
The App schedules local notifications on your device for medication reminders, daily-log nudges, and similar features. These notifications are scheduled by iOS on your device. We do not operate a push-notification server, and we do not send remote notifications.
4.1.7 Apple Watch and WatchConnectivity
If you use the Vaely Apple Watch app, data is exchanged between your iPhone and your Watch over Apple’s WatchConnectivity framework, which uses Bluetooth and local Wi-Fi. This is a peer-to-peer transfer between your own devices and does not pass through our servers.
4.1.8 Subscriptions and in-app purchases
Subscriptions to Vaely Pro and the Reduced Rate plan are processed by Apple through StoreKit 2. Apple processes your payment, your billing address, and your purchase history. We receive only the minimum information Apple provides to confirm your subscription status: an obfuscated transaction identifier, the product identifier, and the entitlement period. We do not receive your name, payment method, billing address, or full purchase history.
If you request a refund or cancel a subscription, you do so through Apple. Vaely cannot issue refunds or change billing on your behalf.
4.1.9 Caregiver and family sharing
When you share a report or a journal export with a caregiver, family member, or healthcare provider, the App generates an export file (PDF, encrypted backup, or research export) on your device and hands it to a system share sheet. You then choose how to deliver it: AirDrop, iMessage, email, Files, or another app. The transfer goes directly from your device to the recipient by the channel you choose. The export does not pass through Vaely’s systems, and we do not retain a copy.
4.1.10 Diagnostics
The App does not implement custom analytics or crash reporting. If you have opted in to share App Analytics with developers under Settings → Privacy & Security → Analytics & Improvements, Apple may share aggregated, anonymized diagnostic information with us. This is governed by Apple’s privacy policy and your iOS settings, not by Vaely. You can revoke this consent at any time in your iOS settings.
4.2 The Website (vaelyai.web.app)
The website is hosted on Google’s Firebase Hosting service. The website is informational. It does not require an account. It does not personalize content based on identifiable data.
4.2.1 Information collected automatically
When you visit the website, our hosting provider receives certain technical information automatically as part of standard internet traffic:
- IP address (used by the hosting provider to deliver the page and to mitigate abuse; typically retained by the hosting provider for a short period in aggregate logs).
- User-agent string (browser, operating system, device type).
- The URL you requested and the URL that referred you (if any).
- Approximate geographic region inferred from IP address.
These logs are generated and managed by the hosting provider for security, reliability, and abuse prevention. We do not use them to build profiles of individual visitors.
We use Cloudflare Web Analytics to count page views and understand which articles are useful. Cloudflare Web Analytics does not set cookies, does not track you across websites, and does not collect data that identifies you (no IP-address logging into the analytics record, no fingerprinting, no cross-site identifiers). If you would prefer no analytics at all, your browser’s “Do Not Track” or “Global Privacy Control” signal is honored: when we detect either signal, we suppress analytics for your visit.
4.2.2 Information you provide to us
If you submit our contact form, send us email, or otherwise correspond with us, you provide:
- Your email address (so we can reply).
- Optionally, your name (if you choose to include it).
- The content of your message, which may contain whatever you choose to share.
We use this information solely to respond to you and to keep a record of the correspondence. We retain support correspondence for up to 24 months from the last message in the thread, after which it is deleted unless we are required by law to keep it longer (for example, if it relates to an unresolved legal claim).
If you submit a Data Subject Request (see Section 9), we collect the information necessary to verify your identity and fulfill the request. We retain records of fulfilled requests for as long as required by applicable law (typically 24 months) so we can demonstrate compliance.
4.2.3 Cookies and similar technologies on the website
The website uses only essential storage required for the page to function (for example, remembering whether you have dismissed a banner). It does not use advertising cookies, social-media tracking pixels, or cross-site retargeting tags. A separate Cookie Notice at /legal/cookies lists every storage item the website may set.
4.3 What We Do Not Collect
To prevent ambiguity, we do not collect:
- Your name (unless you tell us in correspondence).
- Your address, phone number, or government identifiers.
- Your payment information.
- Your contacts, photos, or files outside of what you explicitly attach to a support email.
- Your precise location.
- Your IP address by means of the App. (Our hosting provider may see your IP address when you visit the website, as described above.)
- Any biometric data.
- Any health data from third-party services other than Apple HealthKit, and even HealthKit data stays on your device.
- Any data for the purpose of advertising. We do not advertise. We do not sell or share data with advertisers.
- Any “tracking” data within the meaning of Apple’s App Tracking Transparency framework. Vaely does not track you within the App or across other companies’ apps and websites. The App does not call requestTrackingAuthorization because we have nothing to track.
5. How We Use Information
We use the limited information we receive only for the purposes described below.
5.1 Operating the Service
We use technical website-traffic data (Section 4.2.1) to deliver the website pages you request, to keep the site available, and to mitigate denial-of-service and abuse.
5.2 Responding to you
We use the contents of your contact-form submissions and emails to answer your questions, fix bugs you report, and resolve support issues.
5.3 Subscription confirmation
We use the limited subscription metadata Apple provides (Section 4.1.8) to confirm that you are entitled to Pro features inside the App. This processing happens on your device.
5.4 Legal compliance
We use information as needed to comply with applicable law, respond to lawful government requests, and enforce our Terms of Service. Because we do not have your data, the great majority of legal requests directed at Vaely will return no responsive records.
5.5 Safety reminders inside the App
The App detects, on your device, certain words that may indicate a medical emergency or self-harm risk (for example, words signaling severe distress) and can present a safety reminder suggesting that you contact emergency services, a crisis line, or a trusted person. These reminders are produced entirely on your device by keyword matching and do not constitute a clinical assessment. No data leaves your device as a result of a safety reminder being shown.
6. Legal Bases for Processing (EEA, United Kingdom, Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, GDPR (or the UK GDPR or the Swiss FADP, as applicable) requires us to identify a lawful basis for each processing activity. Our bases are:
| Processing activity | Lawful basis |
|---|---|
| Delivering the website to your browser; security and abuse mitigation logs | Article 6(1)(f) — legitimate interest in operating a secure, available website |
| Cookieless analytics that count page views without identifying you | Article 6(1)(f) — legitimate interest in understanding aggregate usage |
| Responding to support emails and contact-form submissions | Article 6(1)(b) — performance of pre-contractual / contractual steps at your request; Article 6(1)(f) — legitimate interest in providing customer service |
| Confirming your subscription entitlement using Apple-provided metadata | Article 6(1)(b) — performance of contract |
| Storing health-related content on your device at your direction | The App acts as a tool; we do not process this data as a controller. Where processing is implicated, the basis is Article 9(2)(a) — your explicit consent, given when you actively log content. The App does not process health data on our behalf because we do not receive it. |
| AI-assisted features in the App that operate on health-related content | Article 9(2)(a) — your explicit consent, given when you opt in to AI features at first run; processing is performed on your device, not by us |
| Compliance with legal obligations | Article 6(1)(c) — compliance with a legal obligation |
| Responding to data subject requests | Article 6(1)(c) — compliance with a legal obligation |
You can withdraw your consent at any time by disabling the relevant feature in the App, by revoking HealthKit access in iOS Settings, or by deleting the App. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
We carry out a Data Protection Impact Assessment (DPIA) for processing activities that are likely to result in a high risk to your rights and freedoms. Because the App does not transmit your data to us, the principal DPIA covers website operations and any processing involving your data subject requests.
7. Disclosure of Information to Others
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. We do not share your health information, ever, except as described below.
We may disclose information in the following limited circumstances:
- To service providers (data processors) we use to operate the website, listed at /legal/subprocessors. These providers act on our behalf under written contractual data-protection commitments and may not use your data for their own purposes. As of the effective date, our website service providers are limited to: Google LLC (Firebase Hosting and ancillary Firebase services used by the website only), and the operator of our cookieless analytics provider. We do not use third-party processors in the App.
- To comply with law or legal process, including court orders, subpoenas, or governmental requests, but only after independent verification of the request and only where we have responsive data. Most such requests will be returned with a notice that we have no responsive records.
- To protect rights, property, and safety of Vaely, our users, or the public, where we reasonably believe such disclosure is necessary.
- In connection with a corporate transaction (such as a merger, acquisition, or asset sale), in which case any successor will be bound by this Policy or will provide notice and an opportunity to object before terms change in any material way.
We have not in the past sold, and we do not today sell, personal information, and we have not shared and do not share it for cross-context behavioral advertising, within the meaning of the California Consumer Privacy Act (as amended by the California Privacy Rights Act) or any other applicable state law.
8. International Data Transfers
The App processes your data on your device. There is no cross-border transfer of your App data because we do not receive it.
For the website, our hosting provider operates a global content delivery network. Routine website-traffic data may be processed in data centers in jurisdictions outside your country of residence. Where personal data is transferred from the EEA, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner, transfers are made under the European Commission’s Standard Contractual Clauses (or the UK Addendum, or the Swiss equivalent) and supplementary measures where required.
9. Your Rights
This section describes the rights you have over personal information we hold about you. Many of these rights apply only to specific jurisdictions; we have noted where this is the case. To exercise any right, write to tezaapps@gmail.com with the subject line “Privacy Request” and a description of what you would like us to do. We will acknowledge your request within 10 business days and respond fully within the timelines required by your jurisdiction (typically 30 to 45 days, with one extension where permitted).
We will verify your identity before fulfilling a request. For email-based requests, we will normally verify by replying to the email address from which the request was sent. If a request cannot be verified, we will tell you and ask for additional information.
We do not charge a fee for verified requests, except where the law permits a reasonable fee for excessive or repetitive requests. We do not discriminate against you for exercising any right.
9.1 Rights for everyone, regardless of jurisdiction
Even where the law does not require it, we extend the following to all users:
- The right to ask what personal information we hold about you.
- The right to request deletion of personal information we hold about you.
- The right to opt out of any non-essential analytics on the website (which we do not perform if you send a Do Not Track or Global Privacy Control signal).
- The right to a clear answer.
For the App: most of your data is on your device. To exercise the equivalent of an access request, open the App; the data is yours to read directly. To exercise the equivalent of a deletion request, delete the App from your device; iOS removes its sandboxed data. (You may also wish to revoke any HealthKit permissions you granted, by going to iOS Settings → Privacy & Security → Health → Vaely.)
9.2 European Economic Area, United Kingdom, Switzerland
If you are located in the EEA, the UK, or Switzerland, you have the following rights under GDPR (or the UK GDPR or the Swiss FADP, as applicable):
- Right of access (Article 15) — to obtain confirmation of whether we are processing your personal data and a copy of that data.
- Right to rectification (Article 16) — to have inaccurate data corrected.
- Right to erasure (Article 17), the “right to be forgotten.”
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21), including to processing based on legitimate interests.
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22). We do not make such decisions about you.
- Right to withdraw consent at any time, where consent is the basis for processing.
- Right to lodge a complaint with a supervisory authority, including your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents can complain to the Information Commissioner’s Office at ico.org.uk.
9.3 California — CCPA/CPRA
If you are a California resident, you have the rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020:
- Right to know what categories of personal information we have collected, the sources from which we collected it, the purposes for collecting it, and the categories of third parties to whom we have disclosed it.
- Right to access a copy of personal information we have collected about you in the preceding 12 months (or longer, at your option).
- Right to deletion, subject to statutory exceptions.
- Right to correct inaccurate information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. You can confirm this at our “Do Not Sell or Share My Personal Information” link below.
- Right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes beyond those permitted under California Civil Code 1798.121.
- Right to non-discrimination for exercising any of the above.
Do Not Sell or Share My Personal Information — see /legal/do-not-sell.
For purposes of California law, the categories of personal information we collect, as defined in California Civil Code 1798.140(v), are limited to:
- Identifiers: only the email address you provide if you write to us, and the IP address logged by our hosting provider for security.
- Internet or other electronic network activity information: the website pages you request, browser type, and approximate region; this is described in Section 4.2.1.
- Inferences drawn from the above: none of substance, because we do not build profiles.
We do not collect, in connection with the App or the website: characteristics of protected classifications, commercial information, biometric information, geolocation data (precise), audio or visual recordings of you, professional or employment-related information, education information, or financial information about you.
We do not knowingly collect or sell the personal information of consumers under 16 years of age.
You may designate an authorized agent to make a request under California law on your behalf. We will require written proof of authorization from you.
9.4 Washington — Consumer Health Data (My Health My Data Act)
If you are a Washington resident, the Washington My Health My Data Act gives you specific rights with respect to “consumer health data.” Because the App does not transmit consumer health data to us, the rights in this Section primarily relate to information you submit through our contact form, our DSAR process, or our website if it could be inferred to relate to your health (for example, if you describe a symptom in an email to us). A separate, dedicated Consumer Health Data Privacy Policy at /legal/consumer-health-data-privacy describes the seven elements required by RCW 19.373 in the format the law requires. Your rights under that statute include:
- The right to confirm whether we are collecting, sharing, or selling your consumer health data.
- The right to access your consumer health data.
- The right to obtain a list of all third parties and affiliates with whom we have shared or sold your consumer health data, along with active contact information for each.
- The right to withdraw consent for collection and sharing.
- The right to have your consumer health data deleted.
We will respond to verified requests within 45 days of receipt, with one 45-day extension where reasonably necessary.
We do not, and we will not, sell consumer health data or share it for advertising purposes.
9.5 Other US states with comprehensive privacy laws
Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have rights under their state laws that closely parallel those in Sections 9.2 and 9.3. These typically include rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling. To exercise any state-law right, write to tezaapps@gmail.com.
Connecticut residents: as of 1 July 2026, “neural data” is treated as sensitive data under the Connecticut Data Privacy Act and processing requires opt-in consent. Vaely does not collect or process neural data.
Texas residents: under the Texas Data Privacy and Security Act, you have rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling. Texas’s law applies to us regardless of revenue or volume thresholds.
9.6 Brazil — LGPD
If you are in Brazil, you have the rights set out in Article 18 of the Lei Geral de Proteção de Dados (LGPD), including confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. To exercise these rights, write to tezaapps@gmail.com.
9.7 Canada — PIPEDA, Quebec Law 25
If you are in Canada, you have the rights set out in PIPEDA, including access and correction. Quebec residents have additional rights under Law 25, including data portability and the right to be informed about automated decision-making (which we do not perform about you).
9.8 Appeals
If we deny your request and you are a resident of a state that grants an appeal right, you may appeal our decision by replying to our denial email with the word “Appeal” in the subject line. We will respond to appeals within 60 days. If you remain dissatisfied, you may contact your state attorney general.
10. Health Data Specifics
We include this section because Apple’s App Review and global health-data laws require it.
- The App is not a medical device, and Vaely is not a healthcare provider. The App is a personal wellness journal. It does not diagnose, treat, cure, or prevent any disease. AI-generated content is a summary of your own journal entries. See the Health Disclaimer at /legal/health-disclaimer.
- HIPAA. Vaely is not a Covered Entity or Business Associate under the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA). We do not provide healthcare services, we do not receive Protected Health Information from a Covered Entity, and we do not transmit PHI to insurers, providers, or healthcare clearinghouses on behalf of a Covered Entity. The information you log in the App is your personal health information, kept on your device, and is not “PHI” within the meaning of HIPAA in our hands because we never come into possession of it.
- GDPR Article 9 — special category data. Health data is special category data under Article 9 GDPR. We rely on your explicit consent (Article 9(2)(a)) for any health-data-related processing implicated by your use of the Service. You can withdraw consent at any time, as described in Section 9.
- Apple HealthKit. HealthKit data accessed by the App is governed by Apple’s HealthKit Guidelines and stays on your device. The App does not use HealthKit data for advertising, does not share HealthKit data with third parties, and does not write HealthKit data to Vaely’s servers (we do not operate any).
- No advertising use. We will not use your health data, or any data, for advertising. We do not run advertising. We do not share data with advertisers.
- No sale. We will not sell health data to any party for any purpose.
- Doctor reports and exports. When you export a doctor report or backup, the export is generated on your device. You decide where it goes. We do not retain a copy.
11. AI-Enabled Features
This section is provided pursuant to Article 50 of the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689), which requires that natural persons interacting with an AI system be informed of that interaction.
The App includes features that are powered by artificial intelligence. You are interacting with an AI system when:
- You use natural-language logging, and your device supports Apple Intelligence. When Apple Intelligence is enabled, the App uses Apple’s on-device language model (Apple Foundation Models) and Apple’s NaturalLanguage framework to convert your text or transcribed speech into structured journal entries (symptom, severity, medication, dose, mood). The structured output is shown to you for review before it is saved. On devices that do not support Apple Intelligence, or where it is not enabled, this AI extraction step is skipped and your entry is saved as the plain text you wrote or spoke. The speech-to-text step itself is performed by Apple’s Speech framework (see §4.1.4) and is not the AI inference described in this section.
- You use weekly or monthly summaries, pattern observations, pre-visit briefings, or post-visit debriefs. These are AI-generated summaries of your own previously logged entries.
- You ask conversational questions about your own data (“Why am I worse on Mondays?”). The on-device language model retrieves your prior entries and produces a summary that references them.
- You see safety reminders triggered by certain words. The matching is rule-based, not generative.
The AI system is provided by Apple (Apple Foundation Models, NaturalLanguage). Vaely is the deployer of the AI system within the meaning of the EU AI Act. The AI system runs on your device. No data is transmitted to Apple, to Vaely, or to any other party in the course of AI inference.
The AI is not a medical professional, does not provide medical advice, and does not perform diagnosis. AI outputs are framed as summaries of your own journal, not as independent analyses. We have implemented internal guardrails, including system-prompt design that favors plain language over clinical terminology and that triggers safety reminders for severe-distress keywords. These guardrails cannot be disabled.
On devices that support Apple Intelligence, you can opt out of AI-enabled features at first launch or later in Settings. With AI features disabled, voice and text logging continue to work; only the structured-field extraction, summaries, and pattern observations are turned off, and entries are saved as written. On devices that do not support Apple Intelligence, AI-enabled features are unavailable by default; logging by voice or text still works and saves the entry as written.
Vaely’s AI features fall within the EU AI Act Article 6(3) exemption for AI systems that perform “a narrow procedural task” and that “improve the result of a previously completed human activity”: the AI structures content you have already written, summarizes journal entries you have already saved, and never substitutes for a human assessment. The features are not high-risk AI systems within the meaning of Annex III, do not perform biometric categorisation, do not infer emotion, and do not generate deepfake content. Further detail is provided at /legal/ai-disclosure.
12. Children
The App is intended for adults aged 18 and over. The App is not directed to children under 13 (or under 16 in jurisdictions where that age applies, including the EEA member states that have set 16 as the digital age of consent under GDPR Article 8). We do not knowingly collect personal information from children. If you become aware that a child has provided personal information to us through the website contact form or otherwise, please contact us at tezaapps@gmail.com and we will delete that information.
A separate Children’s Privacy Notice at /legal/childrens-privacy provides further detail.
13. Retention
Because the App does not transmit data to us, retention by Vaely of App content is zero by design. The data on your device is retained until you delete it, delete the App, or reset your device.
For the limited information we receive through the website:
| Data category | Retention period |
|---|---|
| Hosting access logs (IP, user-agent, URL) | 30 days, then aggregated and de-identified |
| Cookieless analytics (aggregate counts only) | Indefinite in aggregate, but never tied to an individual |
| Contact form and email correspondence | 24 months after the last message in the thread |
| Records of fulfilled DSAR requests | 24 months from fulfillment, to demonstrate compliance |
| Subscription confirmation metadata cached in App | While you remain a subscriber, plus the period required by Apple for receipt verification |
We will retain information longer where required by law (for example, for tax or legal-claim purposes).
14. Security
We protect information using measures appropriate to the sensitivity of the data and the state of the art:
- Architectural privacy. The single most important security control is that your health data is never sent to us. An attacker who compromised every Vaely-controlled system would not gain access to your journal, because we do not store it.
- On-device encryption. Your data is stored within the App’s iOS sandbox, protected by iOS data protection class NSFileProtectionCompleteUntilFirstUserAuthentication or stronger. If you enable Face ID / Touch ID lock, sensitive data is protected by NSFileProtectionComplete (encrypted while the device is locked).
- Encrypted backups. Manual encrypted backups are encrypted on your device using a key generated on your device. The encryption key is intentionally not synced to iCloud Keychain.
- TLS for all network communication. Communication with our website uses TLS 1.2 or higher.
- Vendor due diligence. We work only with reputable processors with documented security programs.
- Minimization. We collect only what is necessary. We do not collect what we do not need.
No system is perfectly secure. If we ever discover a personal-data breach that affects you and is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (where required by GDPR Article 33) and notify affected individuals without undue delay where required by Article 34 or applicable state breach-notification statute.
15. Cookies and Similar Technologies
Detailed in /legal/cookies. Briefly: the website uses no advertising cookies, no social-media tracking pixels, and no cross-site retargeting. The website may use a small amount of essential storage to remember interface preferences (for example, light/dark mode) and the cookieless analytics provider’s anonymous identifier. The App does not use web cookies.
16. Subprocessors
A current list of service providers (subprocessors) is maintained at /legal/subprocessors. As of the effective date, we use:
- Google LLC (Firebase Hosting) — for hosting the website at vaelyai.web.app.
- Cloudflare, Inc. (Cloudflare Web Analytics) — for aggregate page-view counts, with no cookies and no cross-site tracking.
We use no subprocessors for the App. The App does not communicate with subprocessors.
We will update the subprocessors list before adding any new processor that handles personal data. Continued use of the Service after a subprocessors update constitutes your acceptance, except where applicable law requires more specific notice or consent, in which case we will provide it.
17. Changes to This Policy
We may update this Policy from time to time. When we do, we will:
- Update the “Effective date” and “Version” at the top of this document.
- Maintain a permanent archive of prior versions of this Policy on the website, so you can compare what changed across versions.
- For material changes, post a notice on the website at least 14 days before the change takes effect, and where required by law, request renewed consent.
Continued use of the Service after the effective date of a change constitutes acceptance of the updated Policy, except where applicable law requires affirmative consent.
18. Apple App Privacy Label
Apple requires every app on the App Store to disclose its data practices through a “Privacy Nutrition Label.” The label for Vaely declares “Data Not Collected” because the App does not collect data linked to your identity for transmission off your device. The detailed mapping is available at /legal/app-privacy-labels and corresponds exactly to the technical reality described in this Policy.
19. How to Contact Us
For privacy questions, data subject requests, or to report a concern, write to:
Please put “Privacy Request” or the relevant statute (for example, “GDPR Access Request” or “MHMDA Deletion Request”) in the subject line. We will acknowledge within 10 business days and respond fully within the timelines required by the applicable law.
20. Defined Terms
- “App” means the Vaely mobile application for iPhone and Apple Watch.
- “Service” means the App, the website at vaelyai.web.app, and related communications.
- “Personal data” has the meaning given to it by GDPR Article 4(1) or, in the United States, the equivalent term under the applicable state law (including “personal information” under the CCPA and “consumer health data” under the MHMDA).
- “Process” and “processing” have the meaning given to them by GDPR Article 4(2).
- “Sale” and “share” have the meanings given to them by California Civil Code 1798.140.
- “Consumer health data” has the meaning given to it by RCW 19.373.010(8).
Effective 2 June 2026. Version 1.0.2. Changes from 1.0.1: corrected the supported-device description to iPhone and Apple Watch (the iPad device family was removed from the App). No change to Vaely’s data practices. Previous — Version 1.0.1 (14 May 2026), changes from 1.0.0: §4.1.4 clarified that Apple’s Speech framework may transcribe audio in Apple’s cloud when the on-device speech model is not installed; §11 clarified that AI extraction runs only on devices where Apple Intelligence is enabled, and that voice and text logging continue to work without AI on devices where Apple Intelligence is unavailable or disabled. No change to Vaely’s practices — Vaely still does not receive any audio, transcript, or extracted content.
The architecture is the point.
The legal documents above describe what we do, what we never do, and the rights you have. The proof is in the App Store privacy label and the source code, not the paragraphs.