Privacy Policy

Your data, thoughtfully handled.

Violet is built on a simple promise: we collect only what we need to coach you, we do not sell personal information, and you can export or delete your data at any time. Everything on this page is the fine print behind that promise.

Last updated

The short version. We store the data you give us (workouts, food, health metrics, chats with your coach) on our servers so your coach can remember you across sessions. Your chats are reviewed by automated safety systems to prevent unsafe coaching. We do not sell personal information. We use a defined set of trusted processors — listed below — to run the product. You can export or delete everything by email.

Who we are

This Privacy Policy describes how Violet AI (“Violet,” “we,” “us”) handles information when you use the Violet mobile app, our website at violetai.app, and related services (collectively, the “Service”). Violet is operated by Joshua Howland as a sole proprietorship based in the United States. You can reach us at any time at privacy@violetai.app, or by mail at the address provided on request.

For purposes of the EU and UK GDPR, Violet is the data controller for the personal data it processes in connection with the Service. No data protection officer has been appointed because Violet’s processing does not meet the mandatory designation thresholds of Article 37.

What we collect

We collect information in three ways: what you give us, what you generate by using the Service, and a small amount of technical data your device sends automatically. Under the California Consumer Privacy Act (CCPA) and other US state privacy laws, the categories we collect map as follows:

  • Identifiers — name, email, user ID, device identifiers
  • Customer records / commercial information — subscription tier, purchase history (via Apple or Stripe)
  • Internet or other network activity — app and site usage events, crash reports
  • Sensitive personal information — health and wellness data (workouts, nutrition, sleep, recovery metrics, body measurements, health conditions you disclose in chat), and account credentials
  • Professional or employment-related information — not collected
  • Inferences — derived coaching metrics, training volume trends, recovery indicators, adherence patterns, and memories your coach extracts to personalize future responses

Information you provide

  • Account details: name, email, and authentication credentials (handled by our auth provider)
  • Profile data: age range, weight, height, fitness level, goals, dietary preferences, equipment, injuries, and anything else you tell your coach during onboarding or chat
  • Workout and nutrition logs: sets, reps, meals, weights, and subjective notes you enter or confirm with your coach
  • Progress photos, if you choose to upload them
  • Payment details: handled directly by Apple (App Store) or Stripe (web) — we never receive, store, or see full card numbers. Our payment processors are PCI-DSS Level 1 certified.

Information generated by using Violet

  • Your conversations with your coach, including messages, voice transcripts, and tool calls the coach runs on your behalf
  • Summaries and memories the coach extracts from those conversations to personalize future coaching
  • Derived fitness metrics like training volume trends, macro adherence, and recovery indicators

Information your device sends

  • Device type, operating system version, app version, and preferred language
  • Crash reports and performance metrics (anonymized where feasible)
  • Health data from Apple Health, only the categories you explicitly grant permission for, and only while the app is running

Legal bases for processing (EU and UK users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following Article 6 legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to create and maintain your account, deliver the coaching Service you subscribed to, process your payments, and provide customer support.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, detect fraud and abuse, run safety checks on coach output, and improve product quality using aggregated, de-identified metrics. You can object to processing based on legitimate interests at any time.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement obligations.
  • Consent (Art. 6(1)(a)) — for any marketing communications and, where required, for cookies or device-based identifiers.
  • Explicit consent for special category (health) data (Art. 9(2)(a)) — when you grant Apple Health permissions, enter health information in chat, or upload progress photos, you are giving explicit consent for Violet to process that health data for the purpose of providing personalized coaching. You can withdraw consent at any time in iOS Settings (for Apple Health) or by deleting your account.

Automated decision-making and AI coaching

Violet’s coaching responses are generated by large language models based on your profile, chat history, and extracted memories. This constitutes automated processing within the meaning of GDPR Article 22. The coaching suggestions are informational only — they do not produce legal effects and are not intended to produce effects that would significantly affect you in a legal sense. You retain full discretion over whether to act on any suggestion, and you can always ask your coach to explain its reasoning, change its approach, or stop making recommendations in a particular area.

You have the right to contest any automated coaching output, request human review (contact safety@violetai.app), and express your point of view. We review flagged coaching output manually to improve the product and prevent harm.

How we use your information

We use your information to coach you, nothing more ambitious. Concretely that means:

  • Running the coaching loop. Your profile and history feed into the prompts that shape every message your coach sends.
  • Personalizing recommendations. Training volume, recovery, and nutrition adherence inform what your coach suggests next.
  • Remembering you across sessions. Without persisted data, your coach would meet you as a stranger every time. The memory system is the product.
  • Safety. We run automated checks on coaching output to prevent unsafe advice (for example, never pushing through acute pain, never diagnosing medical conditions). A small number of flagged conversations may be reviewed by a human operator for quality and safety purposes.
  • Billing. To process subscriptions via Apple or Stripe and grant the right tier of access.
  • Product improvement. Aggregated, de-identified usage metrics help us find bugs and improve coaching quality.

We configure each of our LLM providers to use API endpoints and settings that do not retain your inputs or outputs for model training. Your chats and personal data are not used to train foundation models.

Who we share data with

We share data only with processors that make the Service work. Each of them operates under a data processing agreement that limits what they can do with your information. We have executed or accepted data processing agreements with every processor below.

  • Supabase (United States) — database, authentication, and file storage
  • Railway (United States) — application hosting for our API
  • Moonshot AI (Kimi), OpenAI, and Anthropic — large language model inference for coach responses. Messages sent for inference are not retained by these providers for training under the enterprise / opt-out endpoints we use.
  • RevenueCat — subscription management and entitlement tracking
  • Apple App Store / Stripe — payment processing (both PCI-DSS Level 1 certified)
  • Apple Push Notification service — delivery of push notifications to your device
  • Google Sign-In and Apple Sign-In — if you choose to use them to sign in
  • Mixpanel — product analytics (event metadata only; no raw chat content)
  • Langfuse — observability for coach response quality (prompt and response metadata for debugging and evaluation)
  • Expo / EAS (United States) — mobile build, distribution, and release management
  • Cloudflare — content delivery and DDoS protection for the website
  • GitHub Pages — static hosting for the marketing website

We do not sell or share personal information with advertisers, data brokers, or third parties for cross-context behavioral advertising. We have never accepted such payment and we have no plans to introduce advertising.

International data transfers

Most of our processors are located in the United States. If you are in the EU, UK, or Switzerland, your personal data is transferred to the US for storage and processing. We rely on the following transfer mechanisms under Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) — with US processors that have executed the European Commission’s 2021 SCCs
  • EU–US Data Privacy Framework — where the processor is certified
  • Your explicit consent (Art. 49(1)(a)) — for LLM inference requests routed to providers located outside the EEA, including Moonshot AI (China). When you send a chat message, the message is forwarded to the selected LLM provider for inference. You consent to this transfer by using the Service after being informed of it in this policy.

A list of the transfer mechanisms in effect for each processor is available on request at privacy@violetai.app.

Health data

Health data is a special category of personal data under Article 9 of the GDPR and “sensitive personal information” under CCPA. Violet is not a medical device, is not a HIPAA covered entity or business associate, and does not diagnose, treat, or prevent disease. Health data you share with Violet is not protected by HIPAA. If you connect Apple Health, you choose exactly which categories to share, and you can revoke access at any time in iOS Settings.

Health data you share with Violet is used solely to inform your coaching. It is stored on our servers in the same way as your other coaching data, encrypted in transit (TLS 1.2+) and at rest. We do not share health data with analytics or advertising providers. We process health data under your explicit consent (GDPR Article 9(2)(a)) for the purpose of providing the Service you signed up for.

Your rights

Regardless of where you live, you can ask us to:

  • Export a copy of the data we hold about you
  • Correct anything that’s wrong
  • Delete your account and all associated personal data
  • Restrict or object to certain processing
  • Withdraw consent you previously gave (e.g. for Apple Health integration)
  • Opt out of non-essential analytics

Email privacy@violetai.app with your request. We will respond within 30 days (or the shorter period required by applicable law, including 45 days under CCPA with one 45-day extension possible).

Identity verification: Before fulfilling any rights request, we verify that the requester is the account holder. We confirm the request came from the email address on file for the account. For sensitive requests (deletion of all data, transfer of data to a third party) we may request additional verification such as confirmation of recent account activity.

State-specific rights (United States)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, or any other US state with a comprehensive privacy law, you have rights to know, access, correct, delete, and obtain a copy of your personal information, subject to exceptions provided by law. You also have the right to opt out of sale or sharing of personal information and of profiling that produces legal or similarly significant effects. Since we do not sell or share personal information and do not engage in such profiling, there is no opt-out action required. The rights above apply to a 12-month lookback period for California residents.

To submit a request, email privacy@violetai.app. You can also appeal a denied request by replying to our response — we will review appeals within 45 days.

California residents may also designate an authorized agent to submit requests on their behalf. Agents must provide written authorization signed by the consumer.

European and UK rights

If you are in the EEA, UK, or Switzerland, you additionally have the right to lodge a complaint with your local supervisory authority. In the UK, that is the Information Commissioner’s Office. In the EU, you can find your country’s supervisory authority via the European Data Protection Board directory. We encourage you to contact us first so we can address your concern directly.

Data retention

We keep different categories of data for different periods, based on why we collected them:

  • Account identifiers (email, user ID, profile basics) — while your account is active; deleted within 30 days of account deletion
  • Chat content and coaching history — while your account is active; deleted within 30 days of account deletion
  • Extracted memories and derived insights — while your account is active; deleted within 30 days of account deletion
  • Payment and billing records — retained for seven (7) years after the transaction to comply with IRS recordkeeping and accounting requirements, even if you delete your account
  • Safety audit logs — retained for two (2) years after creation to support ongoing safety monitoring and regulatory response
  • Backups — rolled out within 90 days. Deletion requests against live systems do not require rewriting historical backups; those backups are not restored except in a disaster-recovery scenario, after which any deletion requests are re-applied.
  • Customer support correspondence — retained for 3 years after the last contact

We may retain data longer where required to comply with legal obligations, establish, exercise, or defend legal claims, or enforce our Terms of Service.

Children

Violet is not directed to children under 13 in the United States, or under 16 in the European Union and United Kingdom. We do not knowingly collect personal information from children in these age groups without verifiable parental consent. If you believe a child has provided us with personal information, email privacy@violetai.app and we will delete it.

Security

We protect your data with industry-standard practices:

  • Encryption in transit (TLS 1.2+) and encryption at rest for all stored data
  • Access to production systems restricted to authorized personnel, authenticated via hardware security keys
  • Automated monitoring for unauthorized access and abnormal usage patterns
  • Annual review of security controls and third-party processors

Violet has not yet completed an independent SOC 2 or ISO 27001 audit. We intend to pursue SOC 2 Type II certification as the company scales. In the meantime, we rely on the certifications of our underlying processors (Supabase SOC 2 Type II, Stripe PCI-DSS Level 1, etc.).

No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authorities within 72 hours where required by law and notify affected users without undue delay via email and in-app notice.

Cookies and tracking on the website

violetai.app uses a small number of cookies and local-storage tokens to run the site and, with your consent, to understand how visitors use it. We distinguish between:

  • Strictly necessary cookies (for example, session and authentication state) — used on all visits. No consent required under ePrivacy / GDPR.
  • Analytics cookies (Mixpanel on the website) — used only with your consent. EU visitors are asked to consent on their first visit; you can change your choice at any time via the footer link.

The Violet mobile app does not use cookies but does use device-based identifiers for analytics and push notifications, which you can opt out of in iOS Settings.

Changes to this policy

We’ll update this page if our practices change. The “Last updated” date at the top always reflects the current version. For material changes, we’ll notify you in the app before the new policy takes effect and, where legally required, will seek fresh consent.

Contact

Privacy questions, deletion requests, or general concerns: privacy@violetai.app

For EU/UK data protection inquiries specifically, you can also use the same address — we monitor it for GDPR rights requests and supervisory authority correspondence.