Privacy Policy
Last updated: 17 June 2026
middle place (“the app”, “we”, “us”) is a private, between-sessions support tool. This policy explains what information the app handles, where it goes, and the choices you have. It is written to be read by a person, not just a lawyer.
The short version: the app is local-first. Your chats, journal, and memory live on your device (and in your own iCloud, if you leave sync on). We don’t make you create an account, we don’t track you, we don’t run ads, and we never sell your data. Data leaves your device only to do a specific thing you asked for — get an AI reply, write a Life Report, or compare notes with a friend — and our backend doesn’t store the content of any of it.
Contents
- Who this applies to
- Information stored on your device
- iCloud sync
- Automatic encrypted backups
- Chat — sent for a reply
- Document import
- Life Report
- Common Ground
- Contacts
- Push notifications
- Bring-your-own-key mode
- Third-party services
- What we do not collect
- Crisis-resource detection
- Retention & deletion
- Your rights
- Children
- Security
- Changes to this policy
- Contact
1. Who this applies to
This policy applies to the middle place app for iPhone, iPad, and Mac, and to the backend service that powers it. The app is a prototype intended for adults seeking a private space for reflection. It is not a medical device, not a substitute for professional care, and not a crisis service.
2. Information stored on your device
Almost everything you create stays on your device, in the app’s local storage. This includes:
- Your chat messages and the assistant’s replies, including the model’s reasoning and tool-activity log;
- Your memory — long-term notes about your struggles, goals, and what helps, plus the lists the assistant maintains (for example people in your life, current struggles, and coping strategies);
- Your journal entries, including any photos, locations, and reflections you add (such as items imported from Apple’s Journaling Suggestions);
- Any documents you choose to import;
- Your Life Report and any Common Ground results you’ve saved;
- App settings and preferences.
This information is not transmitted to us simply by being stored. It only leaves your device in the specific, named circumstances described in sections 4–10.
3. iCloud sync
The app offers optional iCloud sync so your chats, journal, and memory follow you across your own devices. This uses your personal iCloud account through Apple’s CloudKit — there is no separate account to create, and we never see this data. Sensitive fields are stored using CloudKit’s encryption. Your use of iCloud is also governed by Apple’s Privacy Policy.
Sync is a setting you control. You can turn it off at any time, which keeps your data on the local device only and removes the synced copy from your iCloud.
4. Automatic encrypted backups
Separately from live sync, the app can keep periodic snapshots of your conversations and memory so you can restore them if something goes wrong. These backups:
- are written to your own iCloud Drive (you can see the files in the Files app), never to us;
- are encrypted before they’re written, with a key kept in your iCloud Keychain — so a device signed into the same iCloud account can restore them, but the files are unreadable without that key;
- are limited in number (only the most recent snapshots are kept; older ones are pruned automatically);
- can be scheduled daily or weekly, and restored from, in Settings.
Backups cover your chats and memory (your journal photos, locations, and snippets already live in iCloud via sync). They are encrypted at rest and are never sent to our backend.
5. Chat — information sent for a reply
For the AI to respond, your message — together with the relevant memory context the app assembles — must be sent to an AI model. By default this is done through our backend, which acts as a secure relay:
- What is sent: the text of your message and the system instructions and memory context for that turn.
- What our backend does with it: it forwards the request to the AI provider (Anthropic) and streams the reply back to you. It does not store the content of your messages, your memory, or the AI’s replies, and it does not keep logs of what you wrote.
- What our backend does store: only a minimal abuse-prevention counter — an anonymous identifier with a per-day request count and timestamp. This exists solely to enforce rate limits and cap costs. It contains no message content.
To use the backend, the app signs you in anonymously and uses Apple’s App Attest / App Check to confirm requests come from a genuine copy of the app. Anonymous sign-in creates no profile and is not linked to your Apple ID, name, or email. Your journal is never sent to the model.
6. Document import
If you import a document so the app can fold it into your memory, the text you import — along with the relevant part of your existing notes — is sent to Google’s Gemini model (through our backend, or directly if you use your own key) to extract structured edits. As with chat, our backend relays this and does not store the document or the result; the outcome is saved only in your on-device memory.
7. Life Report
Life Report is an optional feature that composes a warm, reflective summary of where you are right now. Nothing happens until you tap to create it. When you do:
- The app builds a consent-gated snapshot of your memory — your struggles, goals, one-line summaries of the people in your life, and what helps you cope. Medications are deliberately excluded, and anything flagged as crisis content is stripped out before anything is sent.
- That snapshot is sent anonymously to Google’s Gemini model (through our backend, or directly if you use your own key) to compose the report.
- The snapshot is not stored — by us or by the model provider in our flow — it’s used only in the moment to write your report.
- The finished report is saved on your device (and synced via your iCloud if you’ve enabled sync). It isn’t shared with anyone else.
8. Common Ground
Common Ground is an optional, opt-in feature for two people who choose to compare notes — typically in person — to find what they share. It is built to be end-to-end encrypted: our servers handle only ciphertext.
- What you share: a curated profile you can review and edit first — a first name you choose (not pulled from your account), and summaries of your struggles, goals, the people in your life, and coping strategies. A running summary, free-text, and medications are off by default. Crisis content is always removed.
- How it’s protected: the profile is encrypted on your device with a one-time key (AES-GCM). That key travels only inside the QR code or link you share with the other person — it is never sent to our server on its own. The backend stores only the encrypted blobs.
- How the report is made: when both people have uploaded, the function briefly decrypts both profiles in memory to generate a comparison with Google’s Gemini model, then writes back a separate, re-encrypted report for each person. The raw profiles are deleted at that point.
- What you receive: only your own report. Neither person ever receives the other’s raw profile. A summary of what the other person is “working through” is included only if they opted to share it.
- “Unfiltered” mode: an explicit, high-friction choice both people must make for a deeper, more candid read. Choosing it is the consent to a more revealing portrait; crisis content is still removed.
- Lifespan: the encrypted session is automatically deleted on a short timer — about 15 minutes for an in-person comparison, up to 24 hours for a link-based invite. The saved report lives on your device afterward.
- Try a demo: you can preview the experience against a built-in fictional partner; only your own profile is used and nothing is persisted.
9. Contacts
If you choose to link a person in your memory to one of your system contacts (to show their photo or name), the app uses Apple’s contact picker. The linking happens on your device: it stores a contact identifier and the name captured at link time, alongside that person in your memory. No contact data is ever uploaded to us, to the AI, or anywhere else — it’s used only to display the linked person on your own screens. You can decline linking, and the prompt won’t keep asking.
10. Push notifications
Push notifications are off unless you opt in. They serve a single purpose: if you send a friend a Common Ground link invite and they finish later, you get a “your common ground is ready” notification so you can come back and reveal it. If you enable this, a push token for your device is registered with our backend (via anonymous, attested infrastructure). The notification carries no profile content — just a generic prompt. You can turn it off in the app or in iOS Settings at any time.
11. Bring-your-own-key mode
If you prefer not to use our backend, you can provide your own API keys (Anthropic for chat, and Google Gemini for document import, Life Report, and Common Ground) in Settings. When you do:
- Your keys are stored only in your device’s Keychain, on that device, and are never sent to us;
- Requests go directly from your device to the provider (Anthropic or Google), bypassing our backend entirely.
In this mode, your relationship for those requests is directly with the provider, under their terms and privacy policy.
12. Third-party services
We rely on a small number of providers to deliver these features. We do not sell data to anyone, and these providers receive only what is necessary for the function described.
| Provider | What it does | What it receives |
|---|---|---|
| Anthropic (Claude) | Generates the AI replies in your chat. | Your message and the memory context for that turn. |
| Google — Gemini | Composes your Life Report and Common Ground report, and organizes content during document import. | The consent-gated snapshot (Life Report); the two profiles, decrypted in memory only at generation time (Common Ground); or the text you import (document import). |
| Google — Firebase / Cloud (our backend) | Anonymous sign-in, app attestation, the relay service, abuse-prevention counters, the encrypted Common Ground relay, and push delivery. | The request being relayed (not retained), encrypted Common Ground blobs (ciphertext only), an anonymous usage counter, and — if you opt in — a push token. |
| Apple — iCloud / CloudKit | Optional sync and encrypted backups across your own devices. | Your synced content and backups, in your own iCloud account (we have no access). |
Each provider (Anthropic, Google, and Apple) processes data under its own terms. These providers operate from, and may process data in, the United States.
13. What we do not collect
- No name, email address, phone number, or account registration.
- No advertising identifiers (IDFA) and no ad networks.
- No analytics, telemetry, crash-reporting, or behavioral-tracking SDKs.
- No selling or sharing of your data for advertising or any other purpose.
- No access, by us, to the content you sync or back up to your iCloud.
- No uploading of your contacts.
14. Crisis-resource detection
To help keep you safe, the app checks your messages on your device for certain words and phrases associated with self-harm. This check happens entirely on the device — the matching is not done on our servers. When it triggers, the app shows crisis resources (such as 988, Crisis Text Line, and 911). This is a safety feature, not monitoring: we do not receive a report when it triggers. Crisis-flagged content is also stripped from anything used for Life Report or Common Ground.
15. Retention & deletion
- On-device and iCloud data: kept until you delete it. You can delete individual items, export your data, or remove the app. Turning off iCloud sync removes the synced copy from your iCloud.
- Backups: only the most recent snapshots are kept; older ones are pruned automatically. You can delete them from your iCloud Drive.
- Common Ground sessions: the encrypted relay is auto-deleted on a short timer (about 15 minutes in person, up to 24 hours for a link invite).
- Backend usage counters: anonymous per-day counters that reset daily and hold no content.
- Push token: removed when you disable notifications; invalid tokens are pruned automatically.
- Provider processing: content sent to AI providers for a reply or report is handled per their retention practices; our backend retains none of it.
16. Your rights
Because the app does not maintain an account or profile about you, most of your data is directly in your control on your device: you can view, edit, export, and delete it yourself at any time. Depending on where you live, you may have additional rights (such as access, correction, deletion, or objection) under laws like the GDPR or CCPA. Since we hold no identifiable profile of you, there is generally nothing for us to look up — but you can contact us with any request and we’ll help where we can.
17. Children
middle place is intended for adults and is not directed to children. We do not knowingly collect information from children. If you believe a child has used the app in a way that requires our attention, please contact us.
18. Security
Data on your device is protected by the operating system’s app sandbox and, where you enable it, an additional Face ID / passcode lock. API keys and the backup encryption key are kept in the Keychain. Backups are encrypted at rest, and Common Ground profiles are end-to-end encrypted so our servers only ever see ciphertext. Connections to our backend and to AI providers use encrypted transport (HTTPS), and requests to our backend are gated by app attestation. No system is perfectly secure, but we aim to minimize what is collected so there is little to expose.
19. Changes to this policy
If we make material changes, we’ll update the date at the top of this page and, where appropriate, note the change in the app. Continued use after an update means you accept the revised policy.
20. Contact
Questions about privacy? Email support@middleplace.app.