Privacy Policy

Section 1Summary

The short version, in plain English:

Local by default. Your journal entries, moods, custom topics, and emotion labels are stored on your device using Apple’s SwiftData. We do not run a server that holds your journal, and we cannot read what you write.
AI is opt-in. The “Personalize” feature uses Anthropic to generate a single reflective prompt. It only runs after you accept an in-app consent screen, and you can turn it off anytime.
Your writing is never used to train AI models. Anthropic does not train on your inputs or outputs.
We don’t collect your name, email, phone number, IP logs, advertising IDs, or location. Analytics use an anonymous install ID and never include journal content.
You’re in control. Delete the app to wipe local data. Revoke AI consent to stop all AI processing. Email us anytime for GDPR/CCPA requests.

A note on what Mulu is. Mulu is a wellness journaling app, not a medical device or healthcare service. Mulu does not provide medical, psychological, or psychiatric advice, diagnosis, or treatment, and is not a substitute for care from a qualified mental-health professional. We are not a HIPAA covered entity, and the data we handle is not Protected Health Information under HIPAA. If you are in crisis, please reach a local emergency line or a crisis service (for example, 988 in the US, 116 123 Samaritans in the UK, or 112 in the EU).

Section 2What We Collect, Where It Goes, and Why

2.1 On Your Device (the Default)

The following stay on your iPhone and are never uploaded to a server we operate:

Journal entries (text and any voice-dictated text)
Daily mood values, custom topics, emotion labels, and any name you enter
App settings and preferences
Voice dictation audio. Mulu forces Apple’s on-device speech recognition (requiresOnDeviceRecognition = true), so audio is transcribed locally and the audio itself never leaves your phone

If you delete the Mulu app, this data is erased with it.

2.2 Data That Leaves Your Device (Only in Specific, Narrow Cases)

Each of the services below is described in its own section.

Service	When it’s used	What’s shared
Anthropic, PBC	Only if you opt into AI “Personalize”	Up to 5 recent journal entries + moods
RevenueCat, Inc.	If you have a paid subscription	Anonymized install ID, purchase events, status
PostHog, Inc.	Anonymous product analytics & A/B tests	Event names, install UUID, onboarding answers, mood numbers, experiment variant (no journal text)
Apple CloudKit	Only if you post on Feature Requests	Title, description, votes, anon record name
Apple Health	Only if you opt in	Daily mood written to “State of Mind”

2.3 Identifiers

We do not collect: your email (unless you write to support), your real name (if you enter one during onboarding it stays on-device), your phone number, IP address logs, advertising identifiers (IDFA), location, biometrics, contacts, or photos.

We do collect, narrowly:

An anonymized install UUID, used by PostHog so we can count distinct installs without knowing who you are.
An anonymous CloudKit user record name, only if you post on the Feature Requests board, so duplicate votes can be prevented.

Section 3AI & Data (the “Personalize” Feature)

Mulu’s optional “Personalize” feature can generate one short, reflective journaling prompt based on your recent entries. This is the only feature in Mulu that sends any journal content off your device, and it only runs after you turn it on.

3.1 Who Processes the Request

We use Anthropic, PBC as our AI sub-processor. Anthropic operates the Claude models we send the request to, and acts under a data processing agreement with us — they are a processor, not an independent controller of your data. Specifically, Mulu sends Personalize requests to the Claude claude-haiku-4-5 model via Anthropic’s Messages API.

3.2 What Is Sent

When you tap to generate a Personalize prompt, the request can include:

Up to your last 5 journal entries
The mood values associated with those entries
Today’s mood, if available

You can turn off historic-entry sharing in Settings → AI & Data. With that toggle off, only today’s mood (no journal text) is sent.

3.3 What Anthropic Does With It

Not used for training. Anthropic does not use your inputs or outputs to train its models.
Short retention. Anthropic retains inputs and outputs for no longer than 30 days, solely for safety and abuse monitoring, after which they are deleted.
No advertising use. Your data is not used for ads, profiling, or sold to anyone.

3.4 Consent and Revocation

Before any AI request can be made, you must read and accept the in-app “AI Privacy & Data” consent screen. You can revoke that consent anytime in Settings → AI & Data. Once revoked, Mulu stops making AI calls. You can also tap “Delete AI cache” in that screen to remove any AI prompts cached locally on your device.

This section is provided in line with Apple’s App Review Guideline 5.1.1(ix), which requires apps using third-party AI to process personal or health-related data to disclose it clearly and obtain consent. It also forms part of the information we give you under GDPR Article 13.

Section 4Apple Health

Apple Health integration is opt-in and write-only. If you enable it, Mulu writes your daily mood (after you’ve journaled) into Apple Health’s State of Mind data type, so it lives alongside your other wellbeing data on your device. The value we write is a valence derived from your 1–10 mood slider, with the kind set to dailyMood. Nothing else is written.

Mulu never reads your Apple Health data. iOS still surfaces a read permission in the system sheet because the platform requires it to grant write access — we ask for the minimum we need to write, and we use none of what we could read. This is also disclosed in Mulu’s NSHealthShareUsageDescription string (“Mulu does not read your Health data…”) and NSHealthUpdateUsageDescription string.

You can revoke Health permissions at any time, either from inside Mulu under Settings → Apple Health, or from iOS Settings → Privacy & Security → Health → Mulu. Past samples written by Mulu remain in your Apple Health database under your control.

Section 5Screen Time (Family Controls)

Mulu’s gentle “pause apps” feature uses Apple’s Family Controls / Screen Time API. If you enable it, you choose which apps to pause and at what time. Apple gives Mulu only opaque tokens for the apps you select — we cannot see the names of the apps you’ve chosen, and no Screen Time data leaves your device.

Section 6Subscriptions (RevenueCat)

If you subscribe to a paid plan, billing and entitlements are handled by Apple’s App Store and managed in our app via RevenueCat, Inc. RevenueCat receives:

An anonymized install ID
Purchase and subscription events (e.g. trial started, renewed, cancelled)
Your current subscription status

RevenueCat does not receive any journal content, mood values, or AI inputs/outputs. Your payment details are handled by Apple, not by us or RevenueCat. See RevenueCat’s privacy policy for their practices.

Section 7Analytics (PostHog)

We use PostHog, Inc. to understand which features people use, so we can improve Mulu. PostHog receives:

Event names tied to in-app behaviour (e.g. onboarding_step_viewed, journal_completed, paywall_viewed, paywall_purchased, paywall_restored)
An anonymized stable install UUID, persisted on your device so funnel rows stay tied to one user across launches
Self-reported onboarding properties: age range, gender, daily-screen-time bucket, the goals you picked, the barriers you flagged, the deeper struggles you flagged, and your commitment level
Lightweight install metadata: the date you first launched the app, the app version you first installed on, and your current in-app language preference — used to size cohorts (e.g. “users who installed in March”) and to know which translation is being used most
The numeric mood values (1–10) you record at the start and end of a journal entry, plus the entry’s word count and calculated mood shift — sent with the journal_completed event so we can measure whether journaling changes mood at a population level. The text of your journal entry is not sent.
Aggregate timing from onboarding: how long a screen was on display, total time in the onboarding flow, and (when you leave mid-flow) whether the cause was dismissing the app or backgrounding it — used to find slow or confusing screens
The variant of the onboarding A/B test you were assigned to (see section 7.1)

What PostHog never receives: the text of your journal entries, your custom topics, the title or text of your AI “Personalize” prompts, or any AI inputs or outputs. Analytics events are about behaviour in the app, not about what you write. Apple’s automatic screen-view capture is also explicitly disabled (captureScreenViews = false), and the install UUID is never linked to your name, email, IP address, IDFA, or any device-level identifier.

7.1 A/B Tests & Feature Flags

We use PostHog’s feature-flag system to run product experiments — for example, to compare different orderings of the onboarding flow and find the clearest one. On first launch, PostHog assigns you to a stable variant of an active experiment (e.g. onboarding_steps_v1 → control or variant_a), and that variant name is attached as a property on the analytics events listed above so we can compare outcomes between groups.

The assignment is purely anonymous — it’s tied to your install UUID, not to you as a person. Required parts of the experience (the subscription paywall, the Screen Time authorization step, and the app picker) are guaranteed to appear in every variant; experiments cannot be used to disable safety information or the consent screens described elsewhere in this policy.

Section 8Feature Requests (CloudKit)

Mulu has a community Feature Requests board, where you can suggest and vote on ideas. This board uses Apple’s CloudKit public database in your iCloud environment. If you choose to post or vote, CloudKit stores:

The title and description you wrote
Vote counts
An anonymous CloudKit user record identifier, used only to prevent duplicate votes and to let you delete your own posts

Nothing from your journal touches the Feature Requests board. You can delete posts you’ve made at any time.

On first launch, Mulu also seeds eight “Mulu Team” roadmap items into this public database (for example, “Daily affirmations” or “Breathing exercises”), so the board isn’t empty. These Mulu Team posts are part of our public roadmap and cannot be deleted by users.

Section 9Children’s Privacy

Mulu is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with information, please contact us and we will delete it. In jurisdictions where the relevant age is higher (for example, parts of the EU under GDPR), the equivalent local age threshold applies.

Section 10Your Rights

10.1 For Everyone

Erase local data: delete the Mulu app from your device. All journal entries, moods, and settings stored on-device are erased.
Stop AI processing: revoke consent in Settings → AI & Data. Use “Delete AI cache” to clear cached AI responses on-device.
Stop Health writes: turn off Mulu’s permission in iOS Settings → Privacy & Security → Health.
Delete a Feature Request post: tap delete on your own post.

10.2 EEA, UK, and Switzerland (GDPR)

Under the General Data Protection Regulation, you have the rights to:

Be informed about the processing of your data (Article 13) — this policy is our notice.
Access the data we hold about you (Article 15).
Erasure of your data, where applicable (Article 17).
Portability — receive your data in a structured, commonly used format (Article 20).
Rectification, restriction, and the right to object to processing.
Lodge a complaint with your local supervisory authority.

Because most of your data lives only on your device, the fastest way to exercise access, portability, and erasure is on the device itself. For anything we hold off-device (analytics events keyed to your install UUID, AI request retention with Anthropic, RevenueCat subscription records, Feature Requests posts), email us and we will help.

Legal bases. We rely on your consent for the AI feature, Apple Health writes, Screen Time access, and Feature Requests posting. We rely on legitimate interests for low-level anonymized analytics used to improve the app, and on performance of a contract for subscription management.

10.3 California (CCPA / CPRA)

Under the California Consumer Privacy Act and CPRA, you have the rights to:

Know what personal information we collect and how it’s used (§1798.100)
Delete personal information we hold about you (§1798.105)
Opt out of the sale or sharing of personal information (§1798.120)
Correct inaccurate information and limit use of sensitive information.
Be free from discrimination for exercising these rights.

We do not sell your personal information, and we do not share it for cross-context behavioural advertising.

10.4 How to Exercise These Rights

Email support@alexanderosso.com with your request. We may need to verify it relates to your install (for example, by asking you to send a request from within the app). We aim to respond within 30 days.

Section 11Changes to This Policy

If we change this policy, we’ll update the Last updated date at the top. For changes that materially affect how your data is handled — for example, a new sub-processor, a new data type sent off-device, or a change to AI retention — we’ll also notify you in the app before the change takes effect, so you have a chance to review and, if you wish, revoke your consent.

Section 12Contact

Questions, requests, or concerns about your privacy? We’re here for it.

Email: support@alexanderosso.com
Developer: Aleksandr Borisov
App: Mulu
Location: Argentina

We aim to respond within 30 days.

Mulu is made with care for quieter days.