Aubrise Privacy Policy
Effective date: 2026-05-01
Last updated: 2026-04-24
Published at: https://aubrise.com/privacy
Plain-language summary (read this first)
All your health data stays on your iPhone. We never see your raw heart rate, sleep, or step data. Our servers only receive short anonymized summaries that we feed to an AI model to write you a friendly morning brief. We never link anything to your name, email, or Apple ID.
If that's all you wanted to know, you can stop reading here. The rest is the formal version.
1. Who we are
Aubrise is operated by Zhen Shao, a sole trader registered in Victoria, Australia.
- Business name: Aubrise (sole trader)
- Operator: Zhen Shao
- ABN: 13 660 422 503
- Registered in: Victoria, Australia
- Contact: privacy@aubrise.com
For postal correspondence (formal notices, legal service), email privacy@aubrise.com first and we will provide a mailing address.
For EU users: we do not have an establishment in the EU; we act as data controller under GDPR through the Aubrise app.
2. What data we handle and where it lives
2.1 Data that stays on your iPhone (never leaves)
- Raw HealthKit readings: resting heart rate, heart rate variability, sleep stages, blood oxygen, step count, exercise minutes, active energy
- Daily and weekly aggregated summaries
- Your wake-time history, notification preferences, voice-playback toggle
- Your subscription receipt (managed by Apple's StoreKit; we receive a transaction identifier, not your Apple ID)
This data is stored in Apple's SwiftData container on your device. It's backed up to your iCloud if you have HealthKit iCloud sync enabled — that's a setting you control through iOS Settings → [your name] → iCloud → Health.
2.2 Data that reaches our server
When you request a daily or weekly brief, the app sends to our Cloudflare Workers backend:
- An anonymous user identifier (a UUID generated on first launch and stored in your iPhone's Keychain — not linked to your Apple ID, phone, or email)
- Numeric summaries: last night's sleep duration and efficiency, resting heart rate average, HRV average, SpO2 average, step count, exercise minutes
- Your preferred language (en or zh-Hans)
- Your timezone offset
That's it. No timestamps of individual readings, no raw series, no device identifiers, no location.
Our server uses these numbers to build a prompt and calls Anthropic's Claude API to generate the brief text. The generated text is sent back to your iPhone and saved locally. We do not store the brief text on our server.
2.3 Data handled by Anthropic (our AI provider)
We send the data summary described above to Anthropic's Claude API (https://www.anthropic.com/privacy). Anthropic's enterprise API is contracted with zero retention — no training, no logging beyond the immediate response. We are covered under Anthropic's Commercial Terms of Service.
2.4 Data handled by Apple (for payments only)
Subscriptions are processed by Apple through StoreKit. Apple is the merchant of record. We receive a subscription transaction identifier from Apple but do not see your payment information, name, address, or Apple ID.
2.5 Crash reports (opt-in)
If you enable "Share With Developers" in iOS Settings → Privacy & Security → Analytics & Improvements, Apple shares anonymized crash logs with us. You can turn this off at any time.
3. Legal basis (GDPR / UK GDPR)
- Contract: processing the anonymized summary is necessary to provide the service you asked for (generating the brief)
- Consent: HealthKit access — you grant this through iOS's native permission prompt; you can revoke at any time in iOS Settings → Privacy & Security → Health → Aubrise
We do not rely on "legitimate interest" for any processing.
4. Profiling and automated decision-making
Aubrise does not make automated decisions that produce legal or similarly significant effects about you. The morning brief and weekly report are informational only; they are not used to score, rank, or restrict you in any way.
5. Data sharing
We do not sell or rent your data. We share data only with:
- Anthropic (AI brief generation — see §2.3)
- Apple (subscription processing, crash logs if opted in)
- Cloudflare (our backend runs on Cloudflare Workers; Cloudflare handles TLS termination and rate-limiting KV)
We do not share with advertisers, analytics vendors, or data brokers.
6. How long we keep data
- On your iPhone: until you delete the app or clear Aubrise's data in iOS Settings
- On our server: rate-limiting counters expire within 24 hours; no other user data is persisted
- In Anthropic's systems: zero retention beyond immediate API response
7. Your rights
Under GDPR, UK GDPR, Australia's Privacy Act 1988, and California's CCPA, you have the right to:
- Access: email privacy@aubrise.com with your anonymous user identifier (visible in Settings → About → Anonymous ID). We will confirm what aggregated counters (if any) exist for that ID
- Erasure: delete the app, then email us your ID — we will confirm all server-side counters have expired
- Withdraw consent: revoke HealthKit access in iOS Settings
- Data portability: use iOS Health app's built-in export; we don't hold the raw data
We will respond to requests within 30 days.
8. International data transfers
Cloudflare Workers run in the region closest to you (typically AU or US edge nodes). Anthropic's API is hosted in the US. Transfers are covered by Standard Contractual Clauses (SCCs) under GDPR.
9. Children
Aubrise is not directed at children under 13 (US) / 16 (EU). We do not knowingly collect data from children. If you believe a child has used Aubrise, email privacy@aubrise.com and we will purge any associated identifiers.
10. Security
- TLS 1.3 in transit
- Anonymous UUIDs stored in iOS Keychain (hardware-backed)
- No plaintext user data persisted on our server
- Cloudflare Workers sandboxed V8 isolate execution
No system is perfectly secure. If you discover a vulnerability, please email security@aubrise.com — we offer a modest bounty for responsible disclosure.
11. Changes to this policy
We will announce material changes in the app (Settings → About → Privacy policy) and by updating the "Last updated" date above. Continued use after a material change constitutes acceptance.
12. Complaints
If you believe we have mishandled your data, you can complain to:
- Australia: Office of the Australian Information Commissioner (OAIC) — https://www.oaic.gov.au
- EU: your national data protection authority
- UK: Information Commissioner's Office (ICO) — https://ico.org.uk
- California: Attorney General — https://oag.ca.gov/privacy
We'd appreciate you emailing us first at privacy@aubrise.com so we have a chance to make it right.
Aubrise · Zhen Shao, VIC, Australia