Privacy Policy

The shortest privacy policy you'll ever read.

Last updated: May 17, 2026

TL;DR
  • Your health data never leaves your device.
  • We don't have accounts, so we don't have your email.
  • We collect anonymous usage stats - opt out anytime.
  • We never sell or share anything. There is nothing to sell.
  • The AI Assistant runs entirely on your phone. We cannot see your messages or the replies.

What Veil is

Veil is a period and cycle tracking mobile app published by Veil ("we", "us", "our"). All your health data is stored locally on your device and never transmitted to any server we operate. This privacy policy explains exactly what is and isn't collected, why, and how you can control it. It covers both the Veil mobile app and the marketing website at veiltrack.app.

Information you create

Period dates, flow intensity, symptoms, mood, notes, water, weight, temperature, sex, tags, and any other entries you make in the app are stored exclusively on your device. This includes contraceptive method events (IUD insertion / strings check / removal, implant insertion / removal) for users tracking long-acting reversible methods. In production builds, local storage is encrypted with a key stored in the OS keychain.

This information is never sent to us, never sent to a third party, and never leaves your phone unless you explicitly export it yourself.

Information we never collect

Optional anonymous analytics

To understand how features are used and to fix bugs, Veil uses Aptabase, an EU-hosted, privacy-first analytics service. Aptabase is GDPR-compliant by design: no cookies, no fingerprinting, and no personally identifiable information.

Anonymous analytics is enabled by default but can be turned off at any time in Settings → Analytics. When disabled, no data is sent at all.

What is sent (when enabled)

What is NEVER sent - even with analytics enabled

You can review the complete list of events that may be sent, with descriptions, in the app at Settings → Analytics → Events sent.

Notifications

Veil sends local notifications (period reminders, ovulation alerts, daily log reminders, and more) using your device's notification system. These are scheduled and delivered entirely on-device. We never see them.

Backups and exports

You can export a full backup of your data as an encrypted file. You choose where it goes via your phone's share sheet - Files, AirDrop, Messages, email, or any other destination your device supports. Veil does not host backups for you.

When you create an encrypted backup, Veil uses AES-256 encryption with a password you set. We don't know the password and cannot recover it. If you forget it, the backup is unrecoverable.

Third-party services

The third-party services Veil uses are:

That's it for the mobile app. No Google Analytics, no Firebase Analytics, no Facebook Pixel, no advertising SDKs, no crash reporting that sends user data, and no third-party fonts loaded at runtime. (The marketing website at veiltrack.app uses Google Analytics with consent-mode-denied-by-default - see "Website analytics" below for the details.)

Anonymous feedback and AI response reports

Veil has two places that open an external feedback form: Settings → Send feedback and the Report this reply flag icon on every AI Assistant message. Both forms are hosted by Tally.so, a privacy-focused, EU-friendly form service.

Both forms are pre-filled with a small set of diagnostic context as hidden fields, so we can triage submissions without you having to type any of it:

Veil does not pre-fill anything else. We do not include your cycle data, period dates, symptoms, predictions, weight, sleep, BBT, notes, tags, app-lock state, subscription status, or any identifier of you or your device. Whatever you type into the form is up to you. Email is an optional field for follow-up only - leave it blank to stay fully anonymous.

Tally is configured for these forms with IP address collection disabled and no reCAPTCHA, so the submission carries no automatic fingerprint of you. Tally still receives the form contents you submit, plus the URL parameters listed above. Their handling of that data is governed by Tally's own privacy policy.

Both flows are entirely user-initiated: nothing is sent unless you tap the button, confirm the second-step prompt, and press Submit on the form in your browser. Neither button does anything in the background.

Payment processing

When you subscribe to Veil Plus, the payment is processed by Apple (App Store) or Google (Google Play) as the merchant of record - they know who you are because that's how in-app subscriptions work.

To validate the receipt and track your subscription state across devices and reinstalls, we use RevenueCat, a third-party subscription management service. RevenueCat receives only:

RevenueCat never receives your Apple ID, Google account, name, email, IDFA, IDFV, or any health data from Veil. Their privacy policy is at revenuecat.com/privacy.

The free tier of Veil never touches a payment processor at all.

Website analytics (veiltrack.app)

The marketing website at veiltrack.app uses Google Analytics 4 to understand how visitors find and read the site. This is the only place anywhere in Veil that uses Google Analytics - it loads only on the marketing website, never inside the mobile app.

We use Google Consent Mode v2, which means tracking is denied by default for every visitor. On your first visit, a banner asks whether to allow analytics. Until you click Accept, no analytics events are sent and no analytics cookies are written to your browser. If you click Decline, the choice is saved locally and you are not tracked across pages or visits.

If you accept, Google Analytics processes the standard set of pageview signals: the URL of the page you visited, the referrer that brought you there, an anonymized country derived from your IP, and your browser/OS family and screen-size bucket. Google Analytics may set cookies in your browser to recognize repeat visits in the aggregate. We never send any health data, personal identifiers, email addresses, or content from inside the app to Google Analytics under any circumstance.

Google Analytics is operated by Google LLC; visitor data may be transferred to the United States. For visitors in the EU/EEA, the transfer is covered by Google's Standard Contractual Clauses and the EU-US Data Privacy Framework. Google's own privacy policy is at policies.google.com/privacy.

You can revoke consent at any time by clearing the veil-consent entry in your browser's local storage for veiltrack.app, or by using your browser's site-data controls to clear cookies for the domain. The consent banner will then reappear on your next visit.

Washington MHMD and Nevada CHDP (US state health-data laws)

Two recent US state laws were written specifically for apps that handle reproductive and sexual-health data: Washington's My Health My Data Act (RCW 19.373, "MHMD") and Nevada's Consumer Health Data Privacy Law (SB 370, "CHDP"). Both restrict how "consumer health data" can be collected, sold, or shared, and both require explicit consent for most processing.

Veil structurally complies with both laws by design:

These same principles apply to residents of any other US state with similar consumer-health-data legislation, regardless of whether it is named here. The architecture of the app - on-device storage, no accounts, no health data on any server - is the compliance mechanism.

Your rights (GDPR, CCPA, and elsewhere)

Because we don't have your data, most "data subject rights" are already satisfied by default:

If you want us to confirm in writing that we have no data about you, email feedback@veiltrack.app. We will be happy to confirm exactly that.

Children

Veil is intended for users aged 13 and older. We do not knowingly collect any information from children under 13. Because we don't have accounts and don't transmit health data, the app is structurally safe for younger users - but parental guidance is recommended for those between 13 and 16.

If you are a parent or guardian and you become aware that your child has provided personal information to us, please contact us at feedback@veiltrack.app. If we discover that a child under 13 has used our app, we will not be able to identify or remove their data - because we don't have it - but we will assist however we can.

International data transfers

The only data that ever leaves your device is:

None of these transfers contains personally identifiable information or health data. If you are located in the EU and you subscribe to Plus, the receipt transfer to RevenueCat in the US is covered by their Standard Contractual Clauses, the standard GDPR mechanism for international transfers. Aptabase and Tally process within the EU.

The free tier of Veil never transfers anything to RevenueCat. If you also disable analytics in Settings → Analytics and never submit a feedback form, no data ever leaves your device at all.

Note: the above lists only data that leaves the mobile app. If you visit veiltrack.app and accept analytics on the consent banner, your pageview data is sent to Google Analytics (US-based) - see the Website analytics section above for the details.

Data breach notification

Because we don't store your data on any server, the traditional concept of a "data breach" doesn't really apply to Veil. There is no central database to compromise, no user accounts to hack, no health records to leak.

That said, if we ever become aware of a security vulnerability in the app itself (for example, in the local encryption layer or in our optional analytics integration) that could put your data at risk, we will:

Security

Veil takes the security of your data seriously, even though it never leaves your device. Specifically:

Your right to lodge a complaint

If you believe we have violated your privacy rights under the GDPR or another applicable data protection law, you have the right to lodge a complaint with your local data protection authority. You can find your local authority via the European Data Protection Board: edpb.europa.eu.

We would, however, appreciate the chance to address your concerns directly first. Please email feedback@veiltrack.app and we will respond as quickly as we can.

AI Assistant (Veil Plus)

All AI inference runs on your phone. No prompt, no context drawn from your cycle data, and no generated response is ever sent to Veil, to any AI provider, or to any server. Veil does not call OpenAI, Anthropic, Google's Gemini API, or any other cloud AI service. We cannot read your messages or the assistant's replies because they never leave the device.

Veil Plus includes an optional on-device AI Health Companion that uses an open-source language model (Gemma, released by Google DeepMind under the Apache 2.0 license) running locally on your phone via the open-source llama.rn engine. The model file runs in your phone's memory the same way any other on-device library runs - no Veil server, no third-party AI server, and no network call is made when you send a message.

On-device AI is still an emerging technology. Not every phone has the RAM or CPU headroom to run it smoothly, and even supported devices may occasionally experience slowness or crashes. Veil's AI Companion works best on recent flagship phones (iPhone 15 Pro or newer, or Android phones with 8 GB of RAM or more).

What we cannot see when you use the AI Assistant

Because every part of the model runs on your phone and no network call is made when you chat, we have no way to know:

What runs on-device

To personalize answers, the Assistant builds a short plain-English summary of your own locally stored data (recent cycle stats, logged symptoms, profile basics) and hands it to the model as context. The text of your free-form notes is never passed to the model - only a count of how many notes you wrote in a given window. By default this context is a condensed summary; you can opt in to a longer full-history context in AI Assistant settings. The summary is cached locally on your phone, AES-256 encrypted, and never transmitted off-device.

A topic guardrail keeps the Assistant focused on cycle, symptom, and reproductive-health questions. Off-topic requests get a short, polite refusal in your language.

You can disable the whole feature from Settings → AI Assistant. When disabled, no model loads, no context is built, and the tab is hidden.

What is downloaded

The Gemma model file is downloaded once, on demand, from a public open-source model library (currently HuggingFace). Each model file is pinned to a specific immutable upstream revision, so the bytes we download cannot silently change between app releases. We may move these files to our own server in the future; if we do, we'll update this page. The download only happens after you tap Install inside the app. Depending on which model your phone can run, this takes about 1 GB to 5 GB of storage.

Once installed, the model file is stored inside the app's own storage and excluded from device backups - it can always be re-downloaded, so there's no reason to back it up.

The download host (currently HuggingFace) sees only what any web request shows - your IP address and a request timestamp. No Veil account, no device identifier, and no health data are attached. Any logging by the host is governed by its own privacy policy.

What Aptabase receives

When analytics is enabled (the default opt-out setting), the AI Assistant sends a small set of counter-only events to Aptabase. These follow the same strict rules as all other Veil analytics: counters only, never values, never content. We do not track that you sent a message, how often you chat, what you asked, or what the assistant replied. The events are:

The content of any message, prompt, or AI response is never sent to Aptabase or anywhere else. Disable analytics in Settings → Analytics to stop all Aptabase events, including these.

Chat history retention

Chat history is off by default. When it's off, conversations live only in the app's memory while you're using it and vanish as soon as you close the tab - nothing is written to disk.

If you opt in to chat history, conversations are saved locally on your phone, encrypted with AES-256, using a key that is generated on your device and never leaves it. The saved file is excluded from device backups, so your chats won't appear in iCloud or Google backups and won't transfer to a new phone when you restore one. Uninstalling the Veil app wipes both the chats and the key.

You can delete all saved conversations at any time from Settings → AI Assistant inside the app.

If your Veil Plus subscription lapses, the Assistant tab goes back behind the paywall, but your downloaded model file and any saved chats are not deleted - you own your local storage. The chat-history and full-context toggles are reset to their default (off) values.

Model licensing

The Gemma models are released by Google DeepMind under the Apache License 2.0. Use of Gemma models is also subject to Google's Gemma Terms of Use and Gemma Prohibited Use Policy.

Not medical advice

Veil is a self-tracking aid, not a medical device. Features such as PMDD severity scoring, amenorrhea detection, symptothermal ovulation confirmation, oral-contraceptive mode, and health alerts are provided for informational and self-tracking purposes only. They are not intended to diagnose, treat, cure, or prevent any disease or condition, and should not be used as a method of contraception or fertility planning. All predictions are derived exclusively from your own locally stored data. Please consult a qualified healthcare provider for medical decisions.

Changes to this policy

If we ever materially change how analytics work, what we collect, or which third parties we use, we will update this page and the "Last updated" date at the top. Significant changes will also be highlighted in the app.

Contact

Questions, concerns, or just want to chat about privacy? Email us at feedback@veiltrack.app.