Privacy contract · v1

What we know about you, and what we don’t.

Prism is an emotional product. Your trust is a load-bearing constraint. This is the explicit, event-by-event statement of what telemetry we ship, where it goes, and who sees it.

Locked 2026-04-25 · Governs Prism iOS v1.x

01 — the three questions

What, where, who.

Three questions any privacy posture has to answer. Ours, in one breath each:

What we collect

Anonymous usage events — tap counts, time on screen, which colours you pick. Never your notes. Never your friends’ names. Never your emotion-words.

Where it goes

Either nowhere (the default) or to PostHog’s EU cloud (if you’ve opted in). No third-party trackers. No ad-tech. No data brokers.

Who sees it, for how long

If you’ve opted in: the Prism team and PostHog under their EU privacy contract. 90-day retention ceiling. No further sharing.

The rest of this page is the long-form version — written for users to read, for clinical advisors to audit, and for future engineers to honour.

02 — what we never collect

The hard line.

Three things never leave your device under any circumstance. These are not preferences; they are commitments encoded in the schema.

Your emotion term. The private word you pick — “humiliated,” “delighted,” “tender” — stays on your device. It’s stored in your archive for you to read; we never see it.
Your note text. Free-form notes are the most sensitive payload Prism produces. We send whether a note exists (a single yes/no) but never what it says. Sharing a note out is a thing you do manually through iOS’s share sheet — it’s never an export-pipeline decision.
Your friends’ names and IDs. When you send a Pulse, we log that a Pulse was sent. The recipient gets reduced to a 16-character HMAC hash that’s unforgeable on any other device — including ours. We can see “this user pulses one friend frequently”; we cannot see who.

03 — what we collect, exactly

Forty events. Bucketed at source.

Forty named events spread across the surfaces of the app. Each has a frozen payload — we cannot change what a given event reports without shipping a new version of it.

The most sensitive event — compose_committed_v1, fired when you commit a check-in — bucketers your raw colour coordinate before sending. We see octant (which 45° wedge of the wheel) and tertile (low / mid / high saturation, low / mid / high brightness). We never see the raw degree, never see the term, never see the note. The bucketing happens on your device, not on the dashboard.

Example payload of compose_committed_v1:

Key	Type	Example
octant	int 0–7	2
saturation_bucket	string	“mid”
brightness_bucket	string	“high”
variant	string	“liquid”
has_note	bool	true

The other 39 events split across lifecycle (app open, session start), navigation (which tab you’re on), and interaction (you tapped this, you scrubbed that). None of them carry your text, your friends’ names, or your raw coordinate.

Gesture events — wheel_hue_changed, for example — report finer numbers because they describe how you moved your finger, not what state you ended up in. The line is intentional: disclosure is bucketed; gesture is raw.

04 — local-first by default

Off is the default.

When you install Prism, telemetry is off. Events are written to your device’s local log (iOS Console.app can show them to you on a Mac if you’re curious) and never go anywhere else.

If you opt in — via the App Tracking Transparency prompt during onboarding, or the Analytics toggle in Settings — events go to PostHog’s EU cloud. You can flip the toggle off at any time; subsequent events become no-ops immediately.

If you’ve opted out, no events leave your device. Period. There is no “essential telemetry” loophole.

There is no Prism-run server. No middle ground between “local” and “PostHog with consent.” If we ever change this, it’ll be in a versioned update to this contract, and the change will be visible to you.

05 — your identity

A UUID we generate. Not your Apple ID.

Every event carries a userId so retention curves can be drawn. Three properties of that ID:

It’s a UUID we generate the first time you launch Prism. Not your Apple ID, not your IDFA, not anything Apple gave us.
It’s stable across reinstalls (via iCloud Keychain) so retention cohorts join up across the times you wipe and restore your device.
It’s rotated only on explicit account deletion. Sign in / sign out doesn’t change it. A new Apple ID doesn’t change it. The only way to get a new userId is to delete your account and reinstall.

06 — what we will not do

Future commitments.

These are the things that, if they ever change, you’ll see a new version of this contract and a user-visible update first. Not a quiet edit. Never a quiet edit.

We will not log the emotion term or note text.
We will not unbucket the disclosure event — the raw coordinate stays on your device.
We will not add a third-party tracker, advertiser SDK, or data-broker integration.
We will not ship the raw friend ID or name outside the HMAC scheme.
We will not extend retention beyond 90 days without re-publishing this contract.

If a future change would violate any commitment on this page, the change requires a re-publication of this document and a user-visible notice. The contract is the contract.

07 — talk to us

If something here reads off, write.

This document is the contract. If it’s wrong about how the app behaves, the app is wrong — we want to know.

privacy@prismapp.ca