Your data, explained
Privacy Policy
What stays on your iPhone, what leaves it, and the choices you control.
Last updated June 22, 2026
Who this policy covers
This policy explains how Cortly AI ("Cortly", "we", "us") processes information through the Cortly iOS app, AI Coach backend and this website. Cortly is the data controller for the processing described here. Privacy questions and rights requests can be sent to privacy@cortlyai.app.
This policy does not replace Apple's privacy terms for Apple Health, App Store purchases or your Apple ID.
The short version
Information stored on your device
Cortly uses local SwiftData storage for daily check-ins, sleep and wake entries, perceived stress, caffeine and alcohol logs, workouts, activity confirmations, streaks, preferences, Signal Context settings and saved Coach conversations. This information remains on your device unless a feature described below requires a limited transmission.
Cortly does not sync personal health information through iCloud or CloudKit. Deleting the app may delete local data, subject to iOS backup and device behavior controlled by Apple.
Apple Health and wearable signals
If you choose to connect Apple Health, Cortly requests read-only access to the categories needed for stress and recovery context. Depending on device support and your permissions, these can include sleep, heart rate, HRV, resting and walking heart rate, respiratory rate, blood oxygen, cardio fitness, steps, exercise time, active energy, walking/running distance, stand time, time in daylight, wrist temperature, mindful sessions, State of Mind and workouts.
Permissions are granular and controlled in Apple Health. Cortly processes these signals locally for Stress Load, Recovery Status, data coverage, activity detection and personal trends. We do not write health data to Apple Health, use HealthKit data for advertising, or sell it. You may change access at any time in iOS Settings or the Health app.
Apple explains HealthKit permission and privacy controls in its HealthKit privacy guidance.
AI Coach processing
AI Coach is optional. Before the first Coach request, the app asks for your explicit permission to share Coach data with OpenAI. If you choose "Not now" or close the notice, nothing is sent to OpenAI. You can grant permission later by interacting with Coach. You can stop future processing at any time by not using AI Coach.
After you grant permission and send a message, Cortly transmits your message, recent conversation, a randomly generated device identifier and a compact context summary to our backend. Context may include recent check-ins and lifestyle logs, relevant Apple Health summaries, current Stress Load factors, personal pattern summaries, your first name and optional Signal Context flags.
Our backend sends the request to OpenAI to generate a response. Requests use the OpenAI API with response storage disabled. OpenAI states that API data is not used to train its models by default, although limited abuse-monitoring retention may apply under its API data policy.
For security, rate limits, diagnostics and cost control, Cortly's server stores request metadata plus up to 500 characters from the user request and response. These logs are accessible only to authorized operators and are kept only for the operational period needed for those purposes. Do not include information in Coach that you do not want processed by an AI provider.
Product analytics
Release builds use Mixpanel's European ingestion endpoint to understand a deliberately narrow onboarding funnel. We send app-open and app-background events, onboarding screen names and positions, and onboarding completion. Debug builds do not send Mixpanel events.
We do not send onboarding answers, HealthKit values, Stress Load, lifestyle logs or Coach content to Mixpanel. Mixpanel acts as a processor under its privacy terms. Analytics is used to improve reliability and understand where the product experience is unclear.
Subscriptions and purchase status
Purchases are processed by Apple. Cortly uses RevenueCat to load subscription offerings and verify whether the pro entitlement is active. RevenueCat receives purchase and entitlement information and an app-specific identifier; Cortly does not send HealthKit values, check-ins or Coach conversations to RevenueCat.
Apple controls payment details. RevenueCat describes its Apple platform processing in its App Privacy guidance.
Notifications
Morning reminders, weekly reviews and High Stress Load alerts are scheduled locally with Apple's notification system. Alert text is designed to avoid showing scores or health details on the Lock Screen. Cortly does not use server push to monitor your health.
Website data
This public website is statically delivered and currently does not use advertising cookies, account tracking or a contact-form database. If you email us, we process your email address and message to answer your request and retain the correspondence only as needed for support, security and legal obligations.
Why we process information
Where the GDPR or similar law applies, processing is based on: your consent for Apple Health permissions and optional AI Coach use; performance of the service you request; our legitimate interests in security, reliability, fraud prevention and minimal product analytics; and legal obligations such as purchase and rights-request records.
You may withdraw consent at any time. Withdrawal does not affect processing already performed and may prevent the relevant optional feature from working.
Retention and deletion
- Local app data remains until you delete entries, reset the app or remove the app, subject to Apple-controlled backups.
- Coach usage logs are retained only while needed for security, diagnostics, usage accounting and dispute handling, then deleted or de-identified.
- Subscription records follow Apple and RevenueCat retention requirements.
- Support emails are retained while the request is active and as needed for legal or security records.
You can request deletion of server-side data associated with your Cortly device identifier by contacting us. We may need information from the app to locate the correct record.
Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, restrict, object to or receive a portable copy of personal data. You may also lodge a complaint with your local data protection authority. The European Commission provides a summary of EU data protection rights.
You can also disconnect Apple Health, disable notifications, stop using Coach and manage subscriptions directly through Apple. Send rights requests to privacy@cortlyai.app.
Security, children and changes
We use access controls, encrypted network transport and data minimization, but no system can guarantee absolute security. Cortly is not directed to children under 13. Where local law requires a higher age for digital consent, a parent or guardian must authorize use.
We may update this policy when features, providers or laws change. Material changes will be communicated in the app or on this page, and the updated date will change.