Privacy Policy
The short version
- Your health, sleep, training, and nutrition data never leaves your iPhone. The overnight engine — readiness score, Focus Index, morning briefing, and the semantic knowledge graph — runs locally during deep sleep on your device. The architecture is required by patent IPOS 10202601003R to be on-device; it's not a marketing choice.
- We do not sell your data. Ever.
- We do not use third-party analytics, advertising SDKs, or trackers. No Meta SDK, no Google Analytics, no Mixpanel, no AppsFlyer. No App Tracking Transparency prompt because we don't track.
- The only data that touches our systems is your sign-in identity (so you can recover your account) and Apple-handled subscription receipts. Both are described in §2 below.
1. Who we are
sovv is an iOS application that processes training, recovery, sleep, and nutrition data on your device to deliver a personalised morning briefing. The application is published by Mustafar Ltd. ("we", "us", "our"), operating under the brand sovv at sovv.health, and we are the data controller for any personal data described in this policy.
Contact for privacy matters: privacy@sovv.health.
2. The data we receive
2.1 Account information (sign-in)
When you create an account we store one of the following depending on which sign-in method you use:
- Email + password — your email address and a Firebase-managed password hash (we never see your plaintext password).
- Sign in with Apple — Apple's private-relay email and the opaque Apple user identifier. We do not see your real email unless you choose to share it.
- Sign in with Google — your Google email and basic profile (display name + avatar URL).
This data is held by Firebase Authentication (a Google service) acting as our processor under the controller-processor model. It is the only personal data we hold on our servers.
2.2 Subscriptions
If you subscribe to sovv Pro, Apple processes the transaction through StoreKit and provides us a receipt indicating that you are entitled to Pro and which SKU (monthly or annual). We do not see your name, billing address, card number, or other payment information — Apple holds all of that. See Apple's Media Services policy for how Apple handles your purchase data.
2.3 Health, sleep, training, and nutrition data
sovv reads the following from Apple Health on your device:
- Sleep stages, including N3 (deep) sleep
- Heart rate variability (HRV, SDNN)
- Resting heart rate
- Workouts and active energy
- On iOS 18 or later with a compatible Apple Watch, the Apple Sleeping Breathing Disturbances signal
You explicitly grant sovv permission to read these types via the Apple Health permission sheet during onboarding. You can review and revoke that permission at any time in the iOS Settings app under Health → Data Access & Devices → sovv.
This data is read, processed, and stored only on your device. It is never transmitted to our servers, to any cloud, or to any third party. The patent that protects sovv's core technology (Intellectual Property Office of Singapore application 10202601003R) is structured around on-device offline processing — the design itself prevents network transmission. This is verifiable: every cycle of the overnight engine runs with iOS's requiresNetworkConnectivity = false constraint enforced at the operating-system level.
2.4 Data you log inside sovv
Workouts you build, meals you log, race targets you set, station goals, briefings the engine generates, and the insights it derives are stored locally in the app's SwiftData container on your device. None of this is uploaded.
3. What our systems see
The narrowest possible set:
- Your sign-in identity (see §2.1).
- Subscription receipts validated against Apple (see §2.2).
- iOS push-notification tokens, used only to deliver your morning briefing notification.
Server logs at our hosting provider may briefly record IP address and request metadata for routine network-operations reasons. These are not joined to your identity and are aged out in line with our hosting provider's defaults (typically 30 days).
4. On-device crash and performance diagnostics
iOS sends sovv an anonymous daily digest of crashes, hangs, and excess CPU / disk events via Apple's MetricKit framework. We persist this digest locally so a developer (or you) can review it for bug reports. sovv does not upload these diagnostics anywhere. You can view, export, or wipe them at any time from Profile → Diagnostics inside the app.
5. What we don't do
- No third-party analytics SDKs (no Mixpanel, Segment, Amplitude, GA4, Heap, Adjust).
- No advertising identifiers — and no
ATTprompt because we don't track. - No social-media SDKs.
- No selling, renting, or licensing of your personal data.
- No training of third-party machine-learning models on your data.
- No location collection.
- No microphone or camera access except when you explicitly open the barcode scanner inside the meal-logger.
6. Legal bases for processing (GDPR / UK GDPR)
If you are in the EU, UK, or another jurisdiction with comparable rules, our legal bases for the limited processing we perform are:
- Performance of a contract — for account creation, sign-in, and subscription management. Without these we cannot provide the Service.
- Legitimate interests — for security logs (preventing fraud and abuse), narrowly scoped and balanced against your rights.
- Consent — for HealthKit access. You grant it explicitly in the iOS permission sheet; you can withdraw it at any time in the iOS Settings app.
7. Your rights
You can:
- Export your data — Profile → Privacy & Data → Export my data. Generates a JSON file with every record sovv holds on your device.
- Delete your account and wipe local data — Profile → Privacy & Data → Delete account & wipe data. Removes your Firebase account and erases every on-device record.
- Manage your subscription — iOS Settings → Apple ID → Subscriptions.
- Revoke Health permissions — iOS Settings → Health → Data Access & Devices → sovv.
If you are in the EU or UK you also have the rights granted by the GDPR / UK GDPR (access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint with a supervisory authority). To exercise any of these, write to privacy@sovv.health. We will respond within 30 days.
If you are in California, CCPA / CPRA grant you the right to know, delete, correct, and limit use of personal information, plus the right not to be discriminated against for exercising those rights. We do not sell or share personal information as those terms are defined by California law.
8. International transfers
Firebase Authentication is provided by Google LLC and may store sign-in records in data centres outside your country of residence. Google relies on the EU Standard Contractual Clauses and equivalent UK and Swiss safeguards for international transfers. By signing in you authorise this transfer to the limited extent it is necessary to provide the Service.
9. Children
sovv is intended for adult athletes. It is not directed at children under 13 (or 16 in the EU), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal data, please contact privacy@sovv.health and we will delete it promptly.
10. Security
Health and training data never leaves your device; protecting it is the device's job, and we rely on iOS Data Protection (your device passcode plus Secure Enclave hardware encryption) for at-rest protection. The narrow set of data on our servers is protected by Firebase's TLS-in-transit and at-rest encryption.
11. Retention
| Category | Retained for |
|---|---|
| Account record (Firebase) | For as long as your account is active. Deleted within 30 days of you using "Delete account & wipe data". |
| Subscription receipts | For as long as required by Apple's developer agreements and applicable tax law (typically 7 years). |
| On-device health, training, nutrition data | Until you delete the app or use "Delete account & wipe data". |
| MetricKit diagnostic digests | Up to 100 entries on-device; wiped when you tap "Clear all diagnostics" or delete the app. |
| Server access logs | ~30 days, per our hosting provider's defaults. |
12. Changes to this policy
If we change anything that affects the data we collect or how we use it, we will update the "Last updated" date at the top of this page and surface the change in-app on next launch. Material changes will be announced at least 30 days before they take effect.
13. Patent & technology disclosure
sovv's overnight processing engine is protected by Intellectual Property Office of Singapore patent application 10202601003R. The architecture's offline, on-device design is required by the patent claims — it is not a marketing choice. This is the legal mechanism that backs the privacy promises above.
14. Contact
Mustafar Ltd.
Privacy enquiries: privacy@sovv.health
Customer support: support@sovv.health
Legal: legal@sovv.health