Stone — AI Disclosure
Last updated: 2026-05-10. Policy version 2026-05-10.
This page is the long-form companion to Settings ▸ AI Use inside the app. The in-app surface shows the per-call audit; this page describes the system end-to-end so you know what to expect before you opt in.
When does AI run?
Stone uses three tiers for Quick Log parsing, in this order:
- Cloud AI (xAI Grok via Cloudflare AI Gateway). Every Quick Log save when Cloud AI is on in Settings. Also used to refine the Today recommendation and to propose entries on the Learned screen.
- Apple Foundation Models (on-device). Falls back here when the cloud call fails silently — offline, timeout, schema mismatch — on Apple Intelligence-supported hardware. No data leaves your device when this tier handles a call.
- Local deterministic parser. Guaranteed-offline floor when both AI tiers are unavailable. Handles common inputs like "Bench 185x8" with no network and no model. Slower than the AI tiers' quality on ambiguous notes, but always works.
Manual confirmation surfaces only when even the deterministic floor produced an ambiguous result.
If you have Cloud AI turned off in Settings, every save skips straight to the on-device tier (or the deterministic floor when the device doesn't support Apple Intelligence).
What gets sent
The exact bytes are pinned per call. Settings ▸ AI Use shows the data shape of every cloud call:
- Workout Parse — sends the freeform note you typed in Quick Log.
- Session Recommendation — sends a compact training summary: number of recent workouts, a humanized movement-balance string ("pressing-heavy", "leg-light"), your goal / equipment / preferred session length, and (when you've accepted any) up to three of your highest-confidence Learned memories. Never raw set-by-set detail.
- Memory Update — sends summaries of the last few workouts + the current focus and (optionally) the existing memories you've accepted, so the model can refine without repeating itself.
Who sees the data and how long they keep it
| Hop | Sees | Retention |
|---|---|---|
| Your iPhone | Everything — it's the source of truth. | Until you delete it. |
| Cloudflare AI Gateway (Stone's worker) | The full request, in transit only. | The Worker sets cf-aig-collect-log-payload: false per call, so the gateway does not store the request body. Cloudflare retains metadata (timestamps, status codes, byte counts) for cost and abuse monitoring. |
| xAI (Grok) | The request body Stone sent. | xAI's published API policy on 2026-05-10: requests are not used for training by default; deletion within ~30 days on request. ZDR available at enterprise tier; Stone's developer key is not currently ZDR-enabled. |
When this policy version changes, the AI Use audit row stays pinned to the version that applied when the call was made — your historical record doesn't get rewritten by a later xAI ToS change.
What gets returned
For Quick Log, a structured workout the deterministic parser couldn't produce on its own. For Recommendations, a session title, training load, duration, and rationale bullets. For Memories, candidates with evidence pointing back at specific workouts in your history.
Every response runs through Stone's server-side safety validator before it reaches your device. The validator scrubs:
- Hype words like "crush" / "dominate" / "destroy".
- Shame words like "lazy" / "weak" / "pathetic".
- Diagnostic phrases ("you have a rotator cuff tear" — that's a doctor's job, not Stone's).
- Medical advice ("take ibuprofen").
- Prompt-injection echoes ("ignore previous instructions").
When your input mentions pain or injury, the safety validator forces a more conservative training-load suggestion and inserts a safety note pointing you at a qualified clinician. Stone never tries to diagnose.
Your controls
- Cloud AI is off by default. You opt in once at onboarding; toggle in Settings any time.
- Forget AI memories only clears the audit log + every AI memory. Your workouts stay.
- Delete all my data wipes local + iCloud + Worker-side state including the rate-limit and safety counters keyed to your device and account.
- AI Use in Settings shows the full per-call audit: timestamp, endpoint, provider, data shape, retention copy, ZDR status, and the policy version that applied at the time.
What Stone will never do
- Use your data to train a third-party model. (Stone doesn't train any model. xAI's stated policy is they don't either.)
- Send your data to any provider you didn't opt into.
- Show motivational hype, shame language, or medical claims — enforced server-side regardless of what the model proposes.
- Collect HealthKit data in this version of the app. (Future versions may; if so, opt-in, summarized on-device before any cloud call.)
Open questions / honest limits
- Apple App Attest registration + per-call assertion verification is currently scaffolded but not active in the build labelled com.betty.alloy.dev. The dev-bypass header is used on the simulator and during beta. The full attestation flow ships before the public release.
- Token refresh when your Sign-in-with-Apple credential expires (~10 minutes after sign-in) currently surfaces a "Refresh credential" button rather than auto-refreshing silently.
- Foundation Models on-device parsing is wired but only works on Apple Intelligence-supported hardware. On unsupported devices the pipeline falls through to manual confirmation.