The Privacy Covenant

What never leaves your phone

The premise is simple and the engineering follows from it: the inward-facing material of a practice belongs to the practitioner alone. Hymalayas is built so that the most intimate substance of your Sadhana — the words, the rhythms, the moods, the small self-observations that accumulate over months of Dinacharya, the daily discipline — is generated, processed, and stored entirely on the device in your hand.

• Journal entries, in full, including drafts and edits.
• Mood logs and any tags you attach to them.
• Breathing data: Pranayama session length, cadence, and any heart-rate variability read from a paired Apple Watch.
• Sentiment analysis results derived from your writing by on-device language models.
• Prana scores — the rolling indicator of vitality the app composes from your sessions.
• Wisdom Card history: which cards you have drawn, when, and how you sat with them.

A journal entry is the most obvious case. Every sentence you compose is written into an encrypted local store the moment your finger lifts from the keyboard. There is no draft saved to a remote server while you write, no autosave that travels, no telemetry that summarises the act of writing for someone else to inspect. The entry exists in two places only: the encrypted database on your iPhone, and — if you opt in — an end-to-end encrypted slice of your own iCloud, where Apple itself holds no key.

The same logic governs the other items in the list. Mood logs are tags attached to local entries. Breathing data is recorded against a local session record. Sentiment results, Prana scores, and Wisdom Card history are derived values — outputs of computations run against the local primary data — and they live in the same encrypted store as their inputs. None of these derived signals are forwarded to Hymalayas, summarised for analytics, or used to assemble a profile of you anywhere outside the device.

The covenant, then, is not a promise that we will guard your data carefully on our servers. It is the stronger statement that there are no servers of ours that hold it. There is nothing to guard because there is nothing in our possession.

How on-device processing works

Modern iPhones contain a dedicated piece of silicon called the Apple Neural Engine — a chip designed to run machine-learning models quickly and efficiently without ever sending the input data off the device. It is the same hardware that recognises a face in a photo, transcribes a voice memo, or unlocks the screen by matching your features. Hymalayas uses that chip to do the work that ordinary cloud-based wellbeing apps send to a remote server.

The bridge between the chip and the app is Core ML, Apple's framework for running machine-learning models locally. When you finish a journal entry, Hymalayas hands the text to a small natural-language model that lives inside the app bundle. The model interprets the writing — recognising tone, valence, emotional texture — and returns a structured signal: a mood reading, a set of themes, a contribution to your Prana score. The text and the interpretation never leave the chip on which they are computed.

On-device NLP — natural language processing performed locally — used to be a compromise. Models were small, results were rough, and serious work was sent to the cloud where bigger machines waited. That is no longer true. The neural cores in recent iPhones run models large enough to recognise sentiment in a paragraph of English, classify the dominant emotion in a Hindi mood note, or summarise the arc of a week of entries — all in milliseconds, all without a network request.

The practical consequence for you is invisible by design. The app feels responsive because the work happens locally. The intelligence inside it appears to know your patterns because it does — but the knowing exists only on the device that knows you, and dissolves the moment you delete the app.

What we do not have

A useful way to describe the privacy posture of an app is by the tools it deliberately refuses to install. Hymalayas ships without ad networks, without third-party analytics SDKs, without crash reporters that bundle user behaviour, without anonymised telemetry, and without relationships of any kind with data brokers. Each absence is intentional, and each is worth explaining.

We do not embed advertising SDKs because the entire economic logic of mobile advertising is incompatible with a Sadhana. An ad network pays for the right to observe — to know what you do, how often, in what mood, near which other apps — and to use that observation to decide what to show you next. There is no version of that arrangement that respects the inwardness of a meditation practice, so we have signed no such arrangement.

We do not embed third-party analytics SDKs because most of them quietly catalogue everything: the sequence of screens, the time spent on each, the buttons tapped, the moments of hesitation. A well-instrumented analytics library produces an extraordinarily detailed shadow of a user. We have decided that we do not need such a shadow to build the app well, and that having it would tempt us to study people who came to us for stillness.

We do not embed crash reporters that bundle user behaviour because the popular ones — Crashlytics and its peers — do not merely report stack traces. They send breadcrumbs of user actions leading up to the crash, which often contain personally meaningful state. Hymalayas relies on Apple's own crash reporting, which the operating system aggregates and anonymises before any developer sees it. We never receive a breadcrumb of your behaviour next to a crash.

We do not send anonymised telemetry, because the word anonymised has become a euphemism. Even stripped of obvious identifiers, behavioural traces are notoriously easy to re-attach to a person. The only telemetry that cannot be de-anonymised is telemetry that was never collected. So we collect none.

We have no relationships with data brokers. No transfer agreements, no resale clauses, no embedded SDK that pipes aggregate audience data to a third party. The category of intermediary that buys and sells human attention does not appear anywhere in our supply chain.

Apple Intelligence

When Hymalayas reads the emotional weather of an entry, it is using Apple Intelligence — the umbrella name for the on-device and privately-hosted machine-learning capabilities that Apple exposes to developers. The sentiment work itself runs on the Neural Engine inside your iPhone, against models that ship with the operating system or with the app. The text of your entry is the input; a structured emotional reading is the output; both stay on the device.

What this means in practice is that two parties who are conventionally assumed to see your wellness data — the platform vendor and the app developer — see none of it. Apple does not receive the text, because the inference does not require a server. Hymalayas does not receive the text, because the app has no endpoint to receive it. The result is computed in the space between your screen and your own silicon.

For tasks that exceed the local model's capacity — should we ever introduce them — Apple offers Private Cloud Compute, an architecture in which the request is processed on hardened servers whose memory is wiped after the request and whose software is publicly verifiable. We have not yet needed it, and we will tell you plainly if we ever do. Until then, every line of intelligence in the app runs where your fingerprints already do.

The open privacy manifest

A privacy promise that cannot be inspected is just marketing. Hymalayas publishes, in full, the technical declaration of what the app does and does not do — the frameworks it links against, the entitlements it requests from iOS, the data categories declared in Apple's required PrivacyInfo manifest, and the explanation in plain English of why each line is present.

The full breakdown lives at /on-device-manifest. It is written so that a careful reader without an engineering background can follow the claims, and so that a security researcher can verify them against the binary on disk. The two audiences read the same page. We think that is the right test for honesty in privacy writing: the document a layperson reads should be the document an auditor checks.

We will update the manifest whenever the app changes in a way that touches data handling, and we will note the change in plain language at the top of the page. Privacy is a practice, not a posture. Like any Tapas, it is sustained by daily attention rather than a single declaration.

Questions

Does Hymalayas send my journal entries to the cloud?

No. Journal entries are written, encrypted, and stored on your iPhone. They are never transmitted to a Hymalayas server, never copied to a third-party backend, and never queued for batch upload. The only place a synced copy may exist is your own private iCloud, end-to-end encrypted under your Apple ID, where even Apple cannot read the contents. We have no key, no endpoint, no mirror.

Does Hymalayas use third-party analytics?

No. There is no Mixpanel, Amplitude, Segment, Firebase Analytics, or PostHog inside the app. We do not measure taps, scroll depth, session length, or feature usage through any external SDK. The app ships without a single tracker. We learn how the app is used by reading thoughtful letters from people who choose to write to us, not by surveilling them.

How does Hymalayas analyse mood patterns without seeing my data?

All sentiment analysis runs on the Apple Neural Engine inside your phone. When you write a journal entry, a small Core ML model interprets the words locally and returns a mood signal that stays on the device. Hymalayas, the developer, never receives the entry, the mood signal, or the derived Prana score. The analysis happens inside the same chip that recognises your face to unlock the screen — and stays just as private.

Can Hymalayas employees read my journal?

We physically cannot. There is no admin console, no support tool, no backend dashboard that would let any person at Hymalayas open your entries. Your writing never reaches a server we control. Even if a court order arrived demanding your journal, we would have nothing to hand over — the words live only on your phone, behind your passcode and Face ID.

Does Hymalayas sell data to advertisers?

No. We do not sell, share, license, rent, barter, or otherwise transfer any user data to any advertiser, data broker, marketing platform, or aggregator. The business model is the price of the app. There is no second revenue stream built on your attention or your patterns. There never will be — selling Sadhana data would dishonour the practice the app is meant to support.

What data does Hymalayas collect?

From you, directly: nothing. The app does not require an account, an email address, a phone number, or a profile. Apple's App Store provides us with anonymised aggregate purchase counts and crash signatures stripped of personal identifiers — that is the entire dataset Hymalayas ever sees about its users. Everything you do inside the app stays inside the app.

Is my breathing session data stored in the cloud?

No. Pranayama session length, cadence, heart-rate variability readings from Apple Watch, and any derived breathing scores are written to the local store on your iPhone. If you have iCloud sync enabled for the app, an end-to-end encrypted copy may travel through Apple's infrastructure to your other Apple devices, but Hymalayas operates no breathing-data server and receives no copy.

What happens to my data if I delete the app?

It is gone. Deleting Hymalayas removes the local database, the encrypted journal store, the mood history, and the Wisdom Card record from your device. Because none of it ever existed on a Hymalayas server, there is nothing for us to delete on your behalf and nothing for us to retain. If you also turn off iCloud backup for the app, the deletion is total and immediate.

Does Hymalayas comply with GDPR?

Yes. And we go further. GDPR asks that companies handle personal data lawfully, minimise what they collect, and let users access or erase it. Hymalayas collects no personal data in the first place, so the strongest version of every right GDPR grants — the right to erasure, the right to portability, the right to object — is satisfied by the architecture itself. There is no profile to export, no record to delete, no processor to instruct.

Is the privacy manifest publicly available?

Yes. The full technical breakdown — every framework the app links against, every entitlement it requests, every piece of data Apple's required PrivacyInfo manifest declares — lives at /on-device-manifest. It is written in plain language alongside the raw declarations, so a curious reader and a security auditor can both verify the same claims from the same page.