back to home
/ privacy policy

How we treat your data, in plain words.

Chill is built so that the most sensitive things — your messages, your health data, your private thoughts — never leave your phone in a form we can read.

Last updated · 2026-05-27

Chill is committed to protecting user privacy and complying with privacy best practices and applicable laws. This Privacy Policy describes how we collect, use, and disclose information about you when you use our iOS app, our websites, or interact with us by any other means (together, the "Services").

We may update this Privacy Policy from time to time. We'll update the date at the top of the page, and for material changes we'll notify you through the app or by email.

What we collect

Analytics & diagnostics

We use three third-party tools to understand how Chill is used and to fix things when they break. None of them ever sees the content of your messages, your Health data, or anything inside your end-to-end encrypted flows.

  • PostHog — anonymous product analytics. Counts active users, sessions, screen views, and in-app events (e.g. how often a soundscape is opened). Helps us see which features matter so we know where to invest. Pseudonymous device-scoped identifier, not your name or email.
  • Sentry — crash and error reporting. When something goes wrong, Sentry collects device model, OS version, app version, and a stack trace so we can reproduce and fix the bug. Never the contents of your data.
  • Tenjin— install attribution. When you install Chill after tapping an ad, Tenjin tells us which campaign brought you in so we know where it's worth advertising. It does not profile you or track you across other apps.
  • You can turn analytics and diagnostics off at any time from the app's settings.
  • Their policies: PostHog · Sentry · Tenjin.

Chill account

Creating an account is optional. It unlocks features like inviting friends and earning referral bonuses. Your email address is linked to a unique user ID and a referral code.

Stored online when you have an account:

  • Referral code & referral status
  • Premium subscription state and end date (via RevenueCat)
  • Gem balance, experience points (XP), and level
  • Purchased icons and customizations
  • Moderation flag (only set if a report has been filed against the account)
  • Last-activity timestamps
  • FCM token (so push notifications reach the right device)
  • Your email lives in a managed identity provider. Your password is hashed — nobody has access to it.
  • We never send marketing emails unless you opt in.
  • We never sell your data and we never share it with third parties.

End-to-end encrypted messaging

Chill ships a messenger you can use to talk to friends. We can't read those messages.Your phone and your friend's phone are the only places the plaintext exists.

Only your phones hold the keyshi 👋how are you?AlicePRIVATE KEY · KEYCHAINENCRYPTChill serverRELAY8f3a · b41c · 9d722e09 · ab14 · 7710DECRYPThi 👋how are you?BobPRIVATE KEY · KEYCHAIN
Servers see ciphertext + routing metadata · never plaintext

How it works, in short:

  • Each device generates a private cryptographic key on first launch. That key never leaves your phone's secure storage.
  • When you start a conversation, both devices agree on a shared key without ever sending it over the network.
  • Messages are sealed with that shared key using authenticated encryption, so tampering is detectable.
  • Our servers only ever see scrambled text and routing metadata — never the message itself.

What we keep for routing & safety: sender ID, recipient ID, timestamp, delivery status (sent/delivered/read). This metadata is retained in server logs for 90 days for abuse protection, then automatically deleted.

Health coach

When you opt in, Chill's health coach reads your Health app data (sleep, steps, heart-rate variability, resting heart rate, activity minutes) and your in-app mood entries, and uses an AI model on a secure server to suggest what your body needs. The flow is designed so the result of that analysis lands back on your phone encrypted with a key only your device holds.

Only your phone can read the resultyour health datasleepHours7.4steps8 432hrv45 msrhr62 bpmmeditation15 minmoodcalmYOUR KEYDATA + KEYTLS 1.3 ENCRYPTEDSecure functionIN-MEMORY ONLYAI modelgenerates insightencrypt resultwith your keyCIPHERTEXTTemp storageENCRYPTED BLOB7b1a · 9c43 · 2e878f12 · b3d9 · 44706e05 · ac21 · 183929e6 · d5f7 · 0a4bfa28 · 0e16 · 7c95UNREADABLE · NO KEY HERECIPHERTEXT FETCHED · DECRYPTED LOCALLY · BOTH DELETED
Your metrics are seen once for the analysis · the answer is encrypted before anything is written to disk

Step by step:

  1. Your phone generates a fresh encryption key — one per analysis — and stores it in its secure storage.
  2. Your health data and that key are sent over a secure connection to our server.
  3. The server asks the AI for an insight, then encrypts the answer with your key before saving it. The server then forgets the key — it only lived in memory, never on disk.
  4. Your phone fetches the encrypted answer and decrypts it locally.
  5. Once your phone has the insight, the encrypted copy and the key are both deleted. Nothing related to that analysis stays on our servers.

What we send during a request — only the fields you can see in the diagram above: sleep hours, steps, HRV, resting heart rate, activity minutes (running, walking, yoga, meditation, cycling, workout), and the mood you logged yourself. Nothing more.

We do not send raw audio, GPS traces, or any identifier beyond the account ID needed to attribute the request. Requests are protected against abuse with app-attestation.

HealthKit

Chill uses Apple's HealthKit framework to read the metrics listed above, and to write your in-app meditation minutes back to the Health app. You choose exactly what to share when iOS asks for permission, and you can revoke it from Settings → Privacy & Security → Health at any time.

iCloud (habits, goals, progress)

Your habits, goals, customizations, and progress live in CloudKit— Apple's private database, tied to your iCloud account. CloudKit encrypts your data in transit and at rest, and we have no access to that database.

Because Chill is tied to your iCloud account:

  • One installation = one iCloud account = one user.
  • Each person should use Chill under their own iCloud account.
  • Switching iCloud accounts switches your Chill data with it. Your progress isn't lost — it's attached to the iCloud account it was created under.

Location

Location is optional. If you grant it, Chill uses Apple's WeatherKit to fetch the local weather and quietly adapt the in-app atmosphere — a rainy scene when it's raining outside, a sunny one when it's clear. It's a small touch designed to make the app feel a bit more in-tune with your day.

Your coordinates stay on your device. Only Apple's WeatherKit service receives them (subject to Apple's WeatherKit privacy notice) and Chill never stores or transmits them to its own servers. You can revoke location access at any time from iOS Settings → Privacy & Security → Location Services → Chill; the app falls back to a default scene.

Data retention & deletion

We keep data only as long as needed for the purposes described above, unless a longer period is required by law. To request deletion of your account and any associated server data, email support@fayhe.com, or delete your account from inside the app. CloudKit (habits, goals) lives in your iCloud account — you delete it from iOS Settings → [your name] → iCloud → Manage Account Storage → Chill.

Withdraw consent

Every consent you gave (analytics, HealthKit, location, AI insights) can be revoked from the app's settings or your iOS privacy settings. Revoking is immediate, with no fine print.

Contact

Questions, suggestions, or a data request? Email support@fayhe.com. We read every message.

Fayhe LLC — Delaware, United States.