Pruvit Privacy Policy

Effective Date

Effective Date: 2026-05-23

The effective date is the ISO 8601 calendar date on which this content first became publicly available.

Who We Are

Pruvit is an iOS app for personal device management, intended for adult self-directed focus. A single device owner uses the app on their own device to apply blocks to apps and websites of their choosing, and to unlock those blocks when they submit photo or video evidence that they completed the tasks they previously set for themselves.

Pruvit is operated by the legal entity publishing the app on the Apple App Store. Pruvit is not a parental control product, not a clinical product, and is not affiliated with any party other than the device owner. The device owner is the only user of the system.

Contact for privacy questions: justin.sc.chen+pruvit@gmail.com.

What Data Pruvit Processes

Photo and video evidence captured live in-app. The user submits a photo or video as evidence that a task they previously described to the app is complete. Evidence is always captured live in-app for verification flows; evidence is never selected from the photo library for verification purposes.
Behavioral history: the user's todo completions, verification verdicts (approved or rejected), approval and rejection patterns over time, and the textual content of tasks the user described to Pruvit in their own words.
Anonymized crash and performance telemetry: app stability and performance signals with no personally identifying information.
StoreKit subscription receipts: the cryptographically signed receipt that Apple issues to the device when the user purchases or renews a Pruvit subscription.

__LIST__

The list above is exhaustive for v1. Pruvit does not collect or process any other categories of data on the user.

Data Flow Diagram

Per PRIV-04, the data flows are documented explicitly here as text. Each of the four data types is shown as source → processor → destination → retention.

Flow 1 — Photo and video evidence


[User's iPhone camera]
       │  user-captured live image or video; library-pick is disabled for verification
       ▼
[On-device frame extraction]
       │  AVFoundation extracts at most 5 keyframes from a submitted video; for photos this stage is a passthrough.
       │  Raw video file never leaves the device.
       ▼
[Pruvit backend — Cloudflare Workers]
       │  App Attest assertion gates the request. Backend forwards the keyframes to the LLM verification provider.
       │  No keyframe is persisted at rest in the backend.
       ▼
[Anthropic Claude API — commercial tier]
       │  Inputs are NOT used to train Anthropic's models. This is Anthropic's default published policy
       │  for commercial-API customers (see § AI Disclosure). Training is disabled by default; no toggle is required.
       │  Anthropic returns a verdict (approve or reject) with a short text rationale.
       ▼
[Pruvit backend]
       │  Returns verdict to the device. Discards the keyframes immediately after the response is delivered.
       ▼
[User's iPhone]
       │  Verdict and rationale displayed to the user. Verdict is recorded in local behavioral history.
       ▼
[End of flow — raw evidence is gone from every system except the user's own device, where the
 original media remains in the user's own photo library if the user chose to keep it]

Retention: keyframes are not persisted beyond the duration of a single verification request (seconds). The original photo or video remains under the user's control in their own iOS photo library or is discarded by the user.

Flow 2 — Behavioral history


[User's iPhone]
       │  user completes a todo, submits evidence, receives a verdict.
       ▼
[On-device SQLite database, inside the Pruvit App Group container]
       │  Behavioral history is written locally and stays locally.
       │  No CloudKit sync is implemented in v1.
       │  No backend uploads behavioral history.
       ▼
[Never leaves the device. Period.]

Retention: until the user invokes the in-app "delete all" action (irreversible) or uninstalls the app.

Flow 3 — Crash and performance telemetry


[User's iPhone]
       │  app crash, performance metric, or runtime signal is captured by the iOS frameworks
       │  (MetricKit for performance, MetricKit + custom for crashes).
       ▼
[TelemetryDeck SDK on device]
       │  TelemetryDeck strips personally identifying information by design.
       │  No IDFA, no advertising identifier, no precise location, no user-typed text.
       ▼
[TelemetryDeck servers (EU-based hosting)]
       │  Anonymous aggregate signals are stored for the operators to use for crash investigation
       │  and performance regression detection.

Retention: subject to TelemetryDeck's data retention defaults. Pruvit does not store telemetry server-side independently.

Flow 4 — StoreKit subscription receipt


[Apple App Store payment]
       │  user purchases a Pruvit subscription via Apple In-App Purchase.
       ▼
[StoreKit 2 on device]
       │  Apple issues a cryptographically signed receipt to the device.
       │  Pruvit reads the receipt locally to determine entitlement state.
       ▼
[Device-local cache only. No server-side storage of the receipt in v1.]

Retention: as long as the user has the app installed. No backend mirror.

Third Parties

Pruvit shares data with the following third parties only in the limited ways described above. No other third parties receive any Pruvit user data.

Anthropic (https://anthropic.com) — LLM verification provider. Receives photo and video keyframes for verification. Per Anthropic's published commercial-API policy, inputs and outputs are NOT used to train Anthropic models. See § AI Disclosure for the exact quote and source URL.
TelemetryDeck (https://telemetrydeck.com) — anonymous crash and performance telemetry receiver. No personally identifying information is transmitted.
Apple StoreKit (https://developer.apple.com/storekit/) — subscription receipts are issued by Apple and read locally; this is intrinsic to using the Apple In-App Purchase system.

__LIST__

That's it. No other third parties. No advertising networks, no analytics platforms, no data brokers, no resellers, no affiliates.

What We Do NOT Do

This section is an explicit negative list. The items below are commitments, not aspirations.

No advertising. Pruvit shows no ads, contains no ad SDK, and shares no data with any ad network.
No cross-app tracking. Pruvit does not use IDFA, does not request ATTrackingManager authorization, and does not correlate user behavior across apps or websites.
No sale of behavioral data. Pruvit does not sell, lease, rent, or barter user behavioral data to any party for any consideration.
No social or leaderboard features. No shared streaks, no public commitments, no accountability partners, no friend feeds, no scoreboards. (Deferred to v1.5+ at the earliest, gated by a separate review of the entitlement narrative.)
No parental control features. Pruvit uses Family Controls .individual authorization only, never .child. The product is for the device owner managing their own device.
No profile aggregation across devices. Behavioral history stays on the device that generated it. There is no v1 sync, no v1 cloud account, no v1 backend per-user profile.

__LIST__

In the words required to mirror Apple's Family Controls distribution entitlement form: we do not share device or usage data beyond the individual device owner.

User Rights

Delete all data. A single in-app action irreversibly deletes the local SQLite database containing behavioral history and clears the App Group container. Once invoked, behavioral history is unrecoverable.
Withdraw consent. Uninstalling the app removes the local database and revokes the Family Controls authorization.
Export. Behavioral history export as JSON is a forward-declared user right that lands in Phase 4 per requirement INSGT-04. Until then, the practical user right is delete-all (above). Apple's standard data portability tools also apply to App Store account data, which Apple manages independently of Pruvit.
Contact the operator. Reach justin.sc.chen+pruvit@gmail.com with any privacy question.

__LIST__

AI Disclosure

Pruvit submits photo and video keyframes (extracted from user-submitted evidence) to an LLM verification provider (Anthropic, via the Anthropic API) so the LLM can assess whether the evidence matches what the user said they would do. This is the core verification loop of the product.

Per Anthropic's published commercial-API policy, these inputs are not used to train Anthropic's models. The published commitment, verbatim from https://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training (snapshot 2026-03-16), reads:

"By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models."

This default applies to Pruvit's use of the Anthropic API. No opt-in toggle, no contract amendment, and no per-request flag is required to obtain this protection. Pruvit's evidence for this commitment, including the source URL, snapshot date, and the operator's Tier 1 account screenshot, is recorded in docs/compliance/llm-provider-commitment.md in the Pruvit source repository.

Changes to This Policy

When this policy materially changes, the new version replaces this content at https://pruvit-privacy.pages.dev/ and the EFFECTIVE_DATE is updated. Material changes will be noted in the in-app change log on the next app launch. Prior versions remain accessible in the Pruvit source repository git history.

Non-material changes (typo fixes, link cleanups, clarifying language that does not alter the substance of any commitment) do not bump the effective date and are not announced separately.

Contact

Questions about this privacy policy, requests to exercise the rights listed above, or notices of suspected violations should go to:

justin.sc.chen+pruvit@gmail.com

The mailbox is monitored by the operator. Apple App Store account questions should go to Apple directly; this policy covers only Pruvit's own data handling, not Apple's role as the App Store operator and StoreKit issuer.

Pruvit — Personal device management. Self-management product for adult users.