Privacy Policy

Last updated: 13 April 2026

Vessel is a meditation app for iOS that generates bespoke sessions tailored to how you feel in the moment. This policy explains what data Vessel collects, how it is used, and the choices you have. We keep collection to what is necessary to deliver the product and do not sell or rent your data.

The short version. Your session history, check-ins, and preferences live on your device. When you start a session, a small amount of context (how you're feeling, how long you have, optional free text) is sent to Vessel's backend to generate a personalised session. That context is processed by third-party AI services (Anthropic and ElevenLabs) via our server and is not used to train their models. Anonymous analytics are collected in production builds only. You can delete your data by uninstalling the app.

1. Who we are

Vessel is operated by the developer of the Vessel iOS app. In this policy, "we", "us", and "Vessel" refer to us, and "you" refers to the person using the app.

You can contact us at [email protected] for any questions about this policy, to request your data, or to exercise any of the rights described below.

2. What we collect

Stored on your device only

The following information is stored locally on your iPhone and is not transmitted to us in a way that identifies you:

Profile collected during onboarding: preferred name, age range, gender, occupation, primary goals (what brought you to the app), tone register preference, preferred voice.
Session history: the sessions you've completed, including the session's desired state (e.g. calm, focus, sleep), duration, technique used, pre- and post-session mood ratings, and any debrief text you chose to write.
App state: onboarding completion, subscription status cache, any preferences you set in Settings.

This data is stored in your device's user defaults and app sandbox. It is not synced to a cloud service. Uninstalling the app deletes it.

Sent to our backend to generate a session

When you start a session, the app sends the following to our Cloudflare Worker backend, which forwards it to an AI model to produce a personalised session:

Check-in data: the desired state you selected (e.g. calm, focus, sleep), the duration you picked (2, 5, or 10 minutes), the optional focus technique you chose (e.g. breathwork, body scan), and any free text you wrote in the "What's on your mind?" field.
Profile context: a subset of your profile (age range, occupation, primary goals, tone register preference, and optional free text from onboarding) so the generated session reflects your context.
Anonymous device identifier used solely to enforce a per-device daily session limit.

We do not attach your name, Apple ID, email address, IP address (beyond standard request logging), or any persistent personal identifier to this data.

Anonymous usage analytics

In production builds of the app downloaded from the App Store, Vessel captures anonymous events through PostHog to understand how the product is used and where to improve it. Examples of events captured:

Which screen you're viewing
Whether you completed onboarding and which goals you selected
When you start, complete, or escape a session, along with the session's desired state category, duration, and technique
Your pre- and post-session mood ratings on a 1–5 scale (as category values, not identifying data)
When the paywall is shown, dismissed, or results in a purchase

These events are not linked to your name, email, or Apple ID. Development and internal testing builds do not send events at all — analytics is fully disabled in those builds to keep dev data out of the production dataset.

Subscription and purchase data

Subscription status is managed by RevenueCat on top of Apple's in-app purchase system. RevenueCat receives an anonymous RevenueCat-generated user identifier and Apple's purchase receipt data. It does not see your name, email, payment method, or Apple ID. Apple handles the actual payment; we never see your payment details.

3. How we use your data

To generate your session. The check-in data and profile context are used by the AI model to produce a session that matches your current moment.
To deliver the session. Parts of the session are synthesised into audio by ElevenLabs and delivered back to your device.
To enforce fair use. The anonymous device identifier is used to limit how many sessions a single device can generate per day.
To keep the product working. Cloudflare's edge network serves our backend; standard request logs exist for reliability and abuse prevention.
To improve the app. Anonymous analytics help us understand which features are used and where users drop off. We use this to fix bugs, improve onboarding, and prioritise development.

4. Who we share data with

Vessel uses the following third-party processors to operate. Each is contractually limited to processing your data solely for the purposes described below:

Anthropic (AI session generation). Your check-in data and profile context are sent to Anthropic's Claude API via our Cloudflare Worker backend. Anthropic processes this data to generate a session plan and does not use the content of API requests to train its models. See Anthropic's privacy policy.
ElevenLabs (text-to-speech). Text for any bespoke audio snippets in your session is sent to ElevenLabs for synthesis into audio. ElevenLabs does not use API input to train its models. See ElevenLabs' privacy policy.
Cloudflare (backend hosting). Our backend runs on Cloudflare Workers. Cloudflare processes request traffic at its global edge network. See Cloudflare's privacy policy.
RevenueCat (subscription management). See RevenueCat's privacy policy.
PostHog (analytics). See PostHog's privacy policy.
Apple (payments, app delivery, and optional services). Apple handles all in-app purchase transactions. See Apple's privacy policy.

We do not sell or rent your data to anyone. We do not share your data with advertisers or use it for advertising purposes. We do not combine Vessel data with data from any other source to build profiles about you.

5. How long we keep data

On-device data (profile, session history, debrief text): stored locally until you uninstall the app.
Session generation requests: retained by Anthropic and ElevenLabs for their standard abuse-monitoring window (typically 30 days) after which they are deleted.
Bespoke audio: cached on our Cloudflare backend for 5 minutes while your session is being prepared, then automatically deleted.
Session cap counters: stored for 48 hours then automatically expire.
Analytics events: retained by PostHog according to our PostHog plan's retention window.
Subscription records: retained by RevenueCat for as long as your subscription is active plus an additional period for tax and accounting purposes.

6. Your rights

Depending on where you live, you may have some or all of the following rights:

Access a copy of the data we hold about you.
Correct data that is inaccurate.
Delete your data. Most data lives on your device — uninstalling the app removes it entirely. Data held by processors can be deleted on request.
Object to processing based on legitimate interest (this includes our analytics).
Withdraw consent for anything you previously consented to.
Complain to a data protection authority if you are in the EU or UK.

To exercise any of these rights, email [email protected]. If you want us to delete data held by our processors (for example, to have your anonymous session requests removed from Anthropic's or ElevenLabs' retention windows), include enough context (approximate dates, device type) that we can identify which records to remove.

7. Lawful basis (for users in the UK, EU, and similar jurisdictions)

Where GDPR or a similar law applies, we process your data on the following lawful bases:

Contract: to deliver the core session generation feature you requested when you start a session.
Legitimate interest: to run anonymous analytics (PostHog) in order to measure feature usage, improve the product, and diagnose issues. You can object to this processing by contacting us.
Legal obligation: to respond to valid legal requests where we are required to.

Event properties like desired_state or mood_rating are sent as broad categories in the context of a wellness product and are not tied to identifying data. If you prefer not to participate in analytics at all, contact us to request analytics opt-out.

8. Children

Vessel is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has used the app, contact us and we will take appropriate steps, including deletion of any applicable data.

9. Security

Communication between the app and our backend is encrypted over HTTPS/TLS. Data cached on our backend is held on Cloudflare's infrastructure and expires automatically. No internet-connected system is perfectly secure; we do our best to protect your data and will notify affected users if we become aware of a data incident that affects them.

10. International transfers

Our processors (Anthropic, ElevenLabs, Cloudflare, RevenueCat, PostHog, Apple) operate globally. Your data may be processed in the United States, the European Union, or other jurisdictions depending on the processor and your location. Each processor maintains its own safeguards for international transfers, typically via Standard Contractual Clauses or equivalent.

11. Changes to this policy

We may update this policy when we add features, change processors, or clarify how we handle data. The "Last updated" date at the top of this page reflects when the current version took effect. Material changes will be announced in the app or by email where we have one.

12. Contact

For any questions about this policy, to exercise your rights, or to report a concern, email [email protected].