Privacy Policy

Effective Date: February 2, 2026

            Summary: During calibration, your health data is transmitted to our servers and processed entirely in ephemeral memory. No health data is written to disk or persistent storage. Once your personalized model is trained and delivered to your device, all health data is immediately purged from server memory. Your model then runs entirely on your device—we never see your ongoing health data.
        

1. Introduction

Pharo ("we," "our," or "the App") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we process it, with whom we share it, and your rights regarding your data.

By using Pharo, you consent to the practices described in this policy.

2. Data We Collect

2.1 Health Data (from Apple HealthKit)

With your explicit permission, we access the following from Apple HealthKit:

Heart rate (resting and active)
Heart rate variability (HRV)
Respiratory rate
Sleep analysis (duration, stages)
Step count and activity minutes

This data is stored locally on your device. During calibration, this data is transmitted to our servers for processing as described in Section 3.2.

2.2 Labels You Create

Any labels you create (e.g., "bad day," "good day," or any other text) and the dates you assign them to. These are transmitted during calibration to train your personalized model.

2.3 Account Information

Email address (for account identification and communication)
Apple ID identifier (an anonymous token used for Sign in with Apple)
Subscription status
Device type and iOS version (for compatibility)

2.4 What We Do NOT Collect

Your name (unless you provide it voluntarily)
Location data
Contacts or photos
Data from other apps

3. How We Use Your Data

3.1 Email Address

Your email address is used for:

Account identification and authentication
Service-related communications (calibration status, subscription updates)
Responding to support requests
Important privacy or security notifications

We do not use your email for marketing purposes without your explicit consent. Your email is stored securely in our account database and is never shared with third parties except as required to provide the service.

3.2 On-Device Processing (Default)

After calibration, all operations happen entirely on your iPhone:

Calculating your personal baseline statistics
Displaying trends and patterns
Running your trained model for daily insights

For these ongoing operations, no data leaves your device.

3.3 Calibration (Requires Data Transfer)

When you request model calibration (a Pro feature), your health data is transmitted to our servers for processing. Here is exactly what happens:

Your Device → Our Servers (ephemeral memory) → Your Device

1. Health data and labels transmitted via encrypted connection (TLS 1.3)
2. Data loaded into server memory for model training
3. Personalized model trained using your data
4. Trained model file transmitted back to your device
5. All health data immediately purged from server memory

No health data is written to disk or persistent storage at any point.

3.4 Data Sent During Calibration

Data Type	What's Sent	Purpose
Heart Rate	Daily values, timestamps	Feature extraction for model training
HRV	Daily values, timestamps	Baseline deviation calculation
Respiratory Rate	Daily values, timestamps	Pattern correlation analysis
Sleep	Duration, efficiency per night	Recovery pattern analysis
Activity	Daily step counts, active minutes	Activity pattern analysis
Labels	Dates and label text	Training target definition

4. Third-Party Data Sharing

Important: During calibration, we share limited statistical information with a third-party AI service (Anthropic) to orchestrate the model training process. This section explains exactly what is shared.

4.1 AI Service (Anthropic)

We use Anthropic's Claude AI to orchestrate the calibration process. The AI determines which experiments to run and how to optimize your model.

What is sent to Anthropic:

High-level statistical summaries (e.g., "45 days of data, 3 labeled episodes")
Aggregated feature statistics (e.g., "mean RHR deviation: 2.3 bpm")
Experiment results and model performance metrics
Your label text (the words you chose for your labels)

What is NOT sent to Anthropic:

Raw health data values
Individual daily readings
Your email address or Apple ID
Any data that could identify you personally

Anthropic's data handling:

Data is processed transiently for the API request only
Anthropic does not use API data to train their models (per their enterprise data policy)
No data is retained by Anthropic after processing completes

See Anthropic's privacy policy: anthropic.com/privacy

4.2 Cloud Infrastructure (AWS)

Our servers run on Amazon Web Services (AWS). AWS provides the computing infrastructure but does not access or process your data directly. All data is encrypted in transit using TLS 1.3.

4.3 No Other Sharing

We do not sell, rent, or share your data with any other third parties, including:

Advertisers
Data brokers
Analytics companies
Social media platforms
Insurance companies
Employers

5. Data Retention

5.1 Ephemeral Processing Model

We employ an ephemeral processing architecture for calibration:

Health data exists only in server memory during active processing
No health data is written to databases, file systems, or persistent storage
Upon calibration completion (success or failure), all health data is immediately purged from memory
Server processes are stateless—no health data persists between requests

5.2 Data Retention Summary

Data Type	Storage Location	Retention Period
Health data (during calibration)	Server memory only	Purged immediately upon completion
Trained model file	Your device + encrypted backup	Backup deleted after 30 days or upon request
Email address	Encrypted database	Until account deletion
Account metadata	Encrypted database	Until account deletion
Calibration metadata	Encrypted database	Job ID, timestamps, cost (no health data)

5.3 On Your Device

Data stored on your device remains until you delete the App or clear its data. You have complete control over this data through iOS Settings.

5.4 One-Time Processing

Calibration is a discrete, one-time process. We do not continuously upload, sync, or monitor your health data. Each calibration is an independent event. After your model is delivered, we have no ongoing access to your health information.

6. Data Security

We implement comprehensive security measures:

Encryption in transit: All data transfers use TLS 1.3 with certificate pinning
Ephemeral processing: Health data never written to persistent storage
Memory isolation: Each calibration runs in an isolated process
Access controls: Strict authentication and authorization for all systems
Audit logging: All system access is logged (without health data)
Minimal data principle: We collect and process only what is necessary
Secure deletion: Memory cleared using secure overwrite procedures

7. Your Rights

You have the following rights regarding your data:

7.1 Access Your Data

Request a copy of all data we hold about you. Note: Due to our ephemeral processing model, we do not retain your health data after calibration completes.

7.2 Delete Your Data

Request deletion of your account and all associated data, including:

Any stored model backup files
Account metadata and calibration history
Any processing data (if calibration is in progress, it will be terminated)

7.3 Revoke HealthKit Access

You can revoke HealthKit permissions at any time via iOS Settings → Privacy & Security → Health → Pharo. This immediately stops the App from accessing any health data.

7.4 Export Your Data

You can export your labels, settings, and model configuration from within the App.

7.5 Opt Out of Calibration

You can use the free tier indefinitely without ever transmitting data to our servers. Server-based calibration is entirely optional.

7.6 Data Portability

Your trained model file is stored on your device in a standard format. You own this model and can delete it at any time.

8. Children's Privacy

Pharo is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately for deletion.

9. International Users

Our servers are located in the United States. By using Pharo, you consent to the transfer of data to the US for processing. We comply with applicable data protection laws, including:

GDPR for users in the European Economic Area
CCPA for California residents
PIPEDA for Canadian users

Our ephemeral processing model minimizes data exposure regardless of jurisdiction.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via the App or email. Your continued use of Pharo after such changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy questions, data access requests, deletion requests, or concerns:

Email: privacy@pharo.app

We aim to respond to all privacy inquiries within 30 days.

12. Summary Table

Question	Answer
Is health data transmitted to your servers?	Yes, during calibration only
Is health data stored on your servers?	No—processed in memory only, never written to disk
How long do you have my health data?	Only during active calibration (minutes), then immediately purged
Where does my model run?	Entirely on your device after calibration
Do you see my ongoing health data?	No—after calibration, we have no access
Is data shared with third parties?	Limited statistics to Anthropic during calibration only
Can I use the app without sending data?	Yes, free tier is fully on-device
Do you sell my data?	No, never
Can I delete everything?	Yes—contact privacy@pharo.app