Privacy contract · v1

What we know about you, and what we don’t.

Prism is an emotional product. Your trust is a load-bearing constraint. This is the explicit, event-by-event statement of what telemetry we ship, where it goes, and who sees it.

Revised 2026-06-20 · Governs Prism iOS v1.0 (public, individual-first)

01 — the three questions

What, where, who.

Three questions any privacy posture has to answer. Ours, in one breath each:

What we collect

Anonymous, content-free usage events — tap counts, time on screen, which colours you pick. Never your notes. Never your emotion-words. Never the content of what you feel.

Where it goes

To PostHog’s EU cloud while analytics are on — you can turn them off any time in Settings. No third-party trackers. No ad-tech. No data brokers.

Who sees it, for how long

While analytics are on: the Prism team and PostHog, under their EU privacy contract. No advertisers, no data brokers, no further sharing.

The rest of this page is the long-form version — written for users to read, for clinical advisors to audit, and for future engineers to honour.

02 — what we never collect

The hard line.

Three things never leave your device under any circumstance. These are not preferences; they are commitments encoded in the schema.

Your emotion term. The private word you pick — “humiliated,” “delighted,” “tender” — stays on your device. It’s stored in your archive for you to read; we never see it.
Your note text. Free-form notes are the most sensitive payload Prism produces. We send whether a note exists (a single yes/no) but never what it says. Sharing a note out is a thing you do manually through iOS’s share sheet — it’s never an export-pipeline decision.
Your raw colour coordinate. The exact point you choose on the wheel is coarsened on your device before any analytics event — we see a rough wedge of the wheel, never the precise spot, the word, or the note.

03 — what we collect, exactly

Forty events. Bucketed at source.

Forty named events spread across the surfaces of the app. Each has a frozen payload — we cannot change what a given event reports without shipping a new version of it.

The most sensitive event — compose_committed_v1, fired when you commit a check-in — bucketers your raw colour coordinate before sending. We see octant (which 45° wedge of the wheel) and tertile (low / mid / high saturation, low / mid / high brightness). We never see the raw degree, never see the term, never see the note. The bucketing happens on your device, not on the dashboard.

Example payload of compose_committed_v1:

Key	Type	Example
octant	int 0–7	2
saturation_bucket	string	“mid”
brightness_bucket	string	“high”
variant	string	“liquid”
has_note	bool	true

The other 39 events split across lifecycle (app open, session start), navigation (which tab you’re on), and interaction (you tapped this, you scrubbed that). None of them carry your text, your emotion-words, or your raw coordinate.

Gesture events — wheel_hue_changed, for example — report finer numbers because they describe how you moved your finger, not what state you ended up in. The line is intentional: disclosure is bucketed; gesture is raw.

04 — you control it

One switch, in Settings.

Analytics live behind a single switch in Settings. While they’re on, Prism sends the content-free usage stream described above to PostHog’s EU cloud; the moment you turn them off, events stop leaving your device and subsequent events become no-ops immediately.

Prism uses no advertising identifier and shows no tracking-permission prompt — it does not track you across other apps or websites, ever.

When analytics are off, no events leave your device. Period. There is no “essential telemetry” loophole.

There is no Prism account database holding your inner life — your check-ins, words, notes, and archive stay on your device. The only thing that ever leaves, and only while analytics are on, is the content-free usage stream above. If we change this, it’ll be a versioned update to this page, visible to you.

05 — your identity

A UUID we generate. Not your Apple ID.

Every event carries a userId so retention curves can be drawn. Three properties of that ID:

It’s a UUID we generate the first time you launch Prism. Not your Apple ID, not your IDFA, not anything Apple gave us.
It’s stable across reinstalls (via iCloud Keychain) so retention cohorts join up across the times you wipe and restore your device.
It’s rotated only on explicit account deletion. Sign in / sign out doesn’t change it. A new Apple ID doesn’t change it. The only way to get a new userId is to delete your account and reinstall.

06 — what we will not do

Future commitments.

These are the things that, if they ever change, you’ll see a new version of this contract and a user-visible update first. Not a quiet edit. Never a quiet edit.

We will not log the emotion term or note text.
We will not unbucket the disclosure event — the raw coordinate stays on your device.
We will not add a third-party tracker, advertiser SDK, or data-broker integration.
We will not sell your data, ever.
When the Circle sharing layer arrives, it will be opt-in, and we’ll update this page to say exactly what is shared before it ships.

If a future change would violate any commitment on this page, the change requires a re-publication of this document and a user-visible notice. The contract is the contract.

07 — talk to us

If something here reads off, write.

This document is the contract. If it’s wrong about how the app behaves, the app is wrong — we want to know.

[email protected]