Seuil
Built to graduate.
Privacy Policy
Seuil is designed with privacy as a foundation, not an afterthought. The short version: your sensitive health and personal data stays on your device, signals between partners are end-to-end encrypted, and we do not sell or share your data with advertisers or third parties.
01 Who we are
Seuil is an iOS application that helps couples share emotional and physical context with each other in a quiet, passive way. You can reach us at privacy@seuil.app.
02 Information we collect
Information you provide directly
- Display name. Your first name or chosen name, shared with your paired partner.
- Household profile. Voluntary information such as age ranges, general work situation, and relationship context. This is used to personalize AI-generated briefings.
- Signal content. Your gauges, what you need, and any optional notes you choose to include. This is the core content of the app.
- Diary entries. Optional personal notes you write for yourself. The diary is on-device only, retained for 90 days, never synced, and never seen by your partner. If you ask Seuil to surface patterns from your diary, that LLM analysis happens at your explicit request and is framed as "for you alone."
- Therapist code. An optional code linking your pair to a therapist account, if you choose to use that feature.
Health data (HealthKit)
With your explicit permission, Seuil reads the following data from the Apple Health app on your device:
- Heart rate variability (HRV, SDNN)
- Sleep analysis (duration and stages)
- Workout detection (whether a workout occurred)
This data is read on-device with your permission and processed entirely on your device. Raw HealthKit values are never transmitted to Seuil or any external service, and are never shared as raw data with your partner. The app converts them into general descriptive terms (for example, "low HRV, recovery likely needed") that are used only to enrich the briefing's "why" as a derivative, not a raw number. This derived context is not stored long-term. Seuil does not write any data back to Apple Health.
In compliance with Apple's HealthKit guidelines, Seuil will not use HealthKit data for advertising, will not sell HealthKit data, and will not disclose it to third parties without your permission except as necessary to provide the app's core features as described in this policy.
Calendar data (EventKit)
With your permission, Seuil reads calendar event density to estimate how busy your day is. No event titles, locations, descriptions, or attendees are read. Only a count of events in a time window is used, processed on-device.
Motion data (CoreMotion)
Seuil uses on-device motion data to estimate commute or travel stress as part of passive context. This data is never stored or transmitted.
Microphone and speech (optional)
If you attach a voice note to a signal, the audio blob is encrypted on-device and delivered to your paired partner alongside the signal. Voice notes are deleted with the signal at the 6-hour expiry. If you use the voice entry feature for transcription, your voice is transcribed on-device using Apple's Speech framework, and the audio for transcription is never sent to any server.
Ambient sound analysis (optional)
Seuil may analyze ambient sound on-device to provide tone context. No audio is recorded or transmitted.
Device and technical data
- iCloud account identifier. Required for pairing and syncing signals between partners. We do not have access to your Apple ID or iCloud credentials.
- Apple Push Notification token. Used to deliver silent push notifications when your partner submits a signal. Not used for marketing.
03 How we use your information
| Purpose | Data used |
|---|---|
| Delivering signals and briefings to your partner | Encrypted payload via iCloud, 6-hour expiry |
| Generating AI evening briefings | Descriptive summaries only (see Section 5) |
| Personalizing passive context | On-device HealthKit, calendar, motion data |
| Processing your subscription | Apple handles all billing via StoreKit |
| Pairing with a partner | Invite code, iCloud record ID, display name |
We do not use your information for advertising, profiling, or any purpose beyond operating the app as described.
04 Data storage and security
On-device storage
The following data is stored only on your device and is never synced to the cloud:
- Diary entries (encrypted with AES-256-GCM)
- HealthKit-derived context
- Motion and calendar data
- Cryptographic keys (stored in the Keychain, hardware-backed, non-migratable)
Local files are protected with iOS Data Protection (complete file protection), meaning they are inaccessible when the device is locked.
iCloud (CloudKit)
Signals and paired partner information are synced through your personal iCloud account using Apple's CloudKit infrastructure. Before any signal is uploaded, it is encrypted on your device using AES-256-GCM with a relationship-specific key derived from a random salt using HKDF-SHA256. Only your paired partner, who holds the same derived key, can decrypt your signals. Apple cannot read the contents of your signals.
Signals and the briefings produced from them are automatically deleted from iCloud 6 hours after submission. Voice notes attached to a signal are deleted at the same 6-hour expiry. A small local manifest of your own check-in metadata (timestamps and counts only) persists on your device for graduation calculation.
Your household and personal profiles are also encrypted before being stored in CloudKit.
Encryption summary
- Signal payloads: AES-256-GCM, end-to-end encrypted
- Profile data: AES-256-GCM
- Key derivation: HKDF-SHA256 with per-relationship 32-byte random salt
- Keys: stored in iOS Keychain with complete device binding (non-migratable)
05 Artificial intelligence and third-party processing
Seuil uses the Anthropic Claude API to generate optional evening briefings that summarize your partner's signal for you. The following describes exactly what is and is not sent to Anthropic.
What is sent to Anthropic
Only descriptive, non-identifying summaries are transmitted:
- Your partner's display name
- A mapped presence description (for example, "carrying something heavy," not a raw slider value)
- Your partner's selected need (a category label)
- A passive context note (a text summary such as "low HRV, recovery likely needed; 4.8 hours of sleep")
- Household context (age ranges as text buckets, general work descriptor)
- Language register preference
- Optional diary digest (last 7 days of tag summaries and truncated notes, only if enabled by you)
What is never sent to Anthropic
- Raw HealthKit data (no HRV numbers, no sleep stage timestamps, no workout records)
- Calendar event titles, descriptions, or attendees
- Audio, voice recordings, or transcripts
- Your iCloud identity or any device identifier
- Your diary entries, unless you explicitly enable the diary digest feature
Anthropic's data practices
By using the AI briefing feature, your summarized signal data is processed by Anthropic under their privacy policy and API terms. Anthropic does not use API inputs or outputs to train their models by default. You can review Anthropic's privacy policy at anthropic.com/privacy.
Briefing requests are cached on-device and are not re-sent if the same context has already produced a response, minimizing the data transmitted.
You can use Seuil fully without enabling AI briefings.
06 Data sharing
We do not sell, rent, or share your personal information with third parties for their own purposes.
Data is shared only in these limited circumstances:
- Your partner. Signal content you submit is end-to-end encrypted and delivered to your paired partner only.
- Anthropic. Summarized, non-identifying context is sent when you use the AI briefing feature (see Section 5).
- Apple. iCloud infrastructure carries encrypted signal data. Apple cannot read the contents. Apple processes subscription payments through StoreKit.
- Legal compliance. We may disclose information if required by law or to protect the rights and safety of users. Because we have no server infrastructure holding your unencrypted data, we have no meaningful ability to provide it even if compelled.
07 Subscriptions and billing
Seuil offers monthly ($3.99/month per partner) and annual ($26.99/year per partner) subscriptions with a 3-day free trial, processed entirely by Apple through StoreKit 2. We do not receive or store your payment card information. Subscription management, refunds, and cancellations are handled through your Apple ID settings. After graduation, you may step down to a free tier (gauges and optional inputs only, no briefing, no charge).
08 Analytics and crash reporting
Seuil does not include any third-party analytics SDKs, crash reporting services, or advertising networks. We do not collect behavioral analytics or track how you use the app.
09 Screenshot and screen recording protection
The app prevents screenshots and screen recordings while it is active, to protect sensitive signal content from being captured unintentionally.
10 Children's privacy
Seuil is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided information through the app, please contact us at privacy@seuil.app and we will take steps to delete it.
11 Your rights and choices
Accessing and deleting your data
On-device data (including diary entries and cryptographic keys): delete the app. All local data, including Keychain entries, is removed.
iCloud data: deleting the app removes your CloudKit data. You can also manage iCloud data through your iPhone Settings under your Apple ID.
AI briefing data: we do not retain briefing inputs after generation. Contact Anthropic directly for questions about their data retention.
Because Seuil uses iCloud for identity rather than a separate account system, there is no separate account to delete. Uninstalling the app severs all connections.
Revoking permissions
You can revoke HealthKit, Calendar, or Motion access at any time through your iPhone Settings. Revoking access disables the corresponding passive context features without affecting core signal functionality.
To request data access or deletion, contact us at privacy@seuil.app.
12 California residents (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell your personal information and do not share it for cross-context behavioral advertising. For requests related to your CCPA rights, contact us at privacy@seuil.app.
13 European users (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under applicable data protection law, including the right to access, rectify, erase, restrict processing of, and port your personal data.
Our legal bases for processing are:
- Contractual necessity. Delivering core app functionality (signals, pairing).
- Legitimate interests. Security and fraud prevention.
- Consent. HealthKit, Calendar, and Motion access, granted through iOS permission prompts.
To exercise your rights, contact us at privacy@seuil.app. You also have the right to lodge a complaint with your local data protection authority.
14 Data retention
| Data type | Retention |
|---|---|
| Signals and briefings (CloudKit) | 6 hours after submission, then auto-deleted |
| Voice notes | Deleted with the signal at the 6-hour expiry |
| Diary entries | On-device only, 90-day retention, never synced |
| Local check-in manifest (own metadata for graduation) | Until you unpair or delete the app |
| Relationship and profile records | Until you unpair or delete the app |
| AI briefing inputs | Not retained by us after the API call completes |
| Health, calendar, and motion data | Read on-device with permission, used as derivatives only, not persisted long-term |
| Pairing invite codes | 6-character code, 10-minute TTL, then expired |
15 Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where feasible, notify users within the app. Continued use of the app after changes are posted constitutes acceptance of the revised policy.
16 Contact
Questions or concerns about this privacy policy or how your data is handled:
We will respond to privacy inquiries within 30 days.