Stone

Stone — Privacy Policy

Last updated: 2026-05-27. Policy version 2026-05-27.

Stone is a workout log and training assistant. This policy describes what Stone does and does not collect, where data lives, and the controls you have.

We've tried to write this in plain English. Where a paragraph intentionally has no marketing varnish, that's by design.

At a glance

What we collect — and where it lives

Always local on your device, unless you turn on iCloud Sync

When iCloud Sync is on, this same data is mirrored to your private CloudKit container under your iCloud account. Apple, not Stone, operates iCloud and applies its own iCloud privacy terms.

Apple Health (HealthKit) — when you turn it on

Apple Health integration is off by default. If you turn it on in Settings ▸ Apple Health, Stone can:

Per Apple's HealthKit terms: Health and fitness data is processed by Stone solely in accordance with your consent, used only to provide and improve the app's functionality, and is not shared with any third party for advertising or data-broker purposes.

You can revoke any HealthKit permission at any time via the Health app → Sharing → Apps → Stone. When write permission is revoked, Stone surfaces a specific error if you try to log body weight through the in-app sheet, rather than silently failing.

Sent to Stone's backend only when you've opted in

The request passes through a privacy-preserving proxy (hosted on Cloudflare) to Stone's AI provider, xAI. The proxy does not store the request body; Cloudflare retains only metadata (timestamps, status codes, byte counts) to monitor cost and abuse, per its own gateway documentation.

Sent to xAI

xAI receives the model input and produces the response. As of the policy version stamped above:

xAI's terms apply directly to API data sent on Stone's behalf: see x.ai/legal.

Third-party processors

Stone uses the following third-party services to operate. Each processes data on Stone's behalf only for the purposes described.

Processor Purpose Data they see Their policy
Apple (iCloud + CloudKit) Optional encrypted backup of your workouts The same fields as your local store, if you turn on iCloud Sync. Encrypted in transit and at rest by Apple. Apple Privacy
Apple (Sign in with Apple) Optional sign-in for elevated cloud-AI quota Your Apple ID's stable per-app subject identifier, optionally a relay email Apple Sign in with Apple
Apple (device-integrity check) Proves a cloud call came from a real Stone install A non-correlatable cryptographic token — no personal identifier Apple Developer Docs
Cloudflare Proxy hosting + request routing Request metadata (timestamps, status, byte counts); never the request body Cloudflare Privacy
xAI LLM provider for parsing + recommendations Model input (categorical training summary + freeform notes / photos when you Quick Log) xAI Legal

We do not transfer your data to any party other than those listed above.

What we do not collect

Automated decision-making

Stone's Cloud AI generates recommended workout sessions and parses your freeform Quick Log notes. These are decisions made by an automated system (xAI Grok via Stone's backend).

Data retention

Data Where stored Retention
Workouts, training profile, custom exercises Your device (+ optional iCloud mirror) Until you delete them via Settings ▸ Privacy or by deleting the app
AI memories Your device (+ optional iCloud mirror) Until you tap Forget AI memories or Delete all my data
AI request audit log Your device Until you tap Forget AI memories or Delete all my data
Quick Log learned aliases Your device Until you tap Delete all my data
Proxy metadata (never the request body) Cloudflare Per Cloudflare's gateway retention defaults
xAI inference data xAI A limited period per xAI's API policy at the time of the call
Device-integrity record Stone's backend Until you tap Delete all my data, which clears the server-side record
Sign in with Apple subject identifier Stone's backend (only if you signed in) Until you sign out + tap Delete all my data

Sign in with Apple

Sign in with Apple is optional. If you sign in:

If you sign out of Sign in with Apple inside Stone, the credential is removed from this device. Apple's record of the sign-in stays under your iCloud account settings — Apple, not Stone, controls that.

Your rights and controls

Stone gives you direct in-app controls for every right described below. You don't need to email us to exercise them — but if you prefer, see "Data requests" below.

Rights under GDPR (EU users)

Rights under CCPA / CPRA (California users)

Concrete controls

Data requests

For data-subject requests not covered by the in-app controls (rare — the in-app controls already give you everything in your local, iCloud, and server-side data), use the contact method in Settings ▸ About (see Contact below).

Changes to this policy

We'll update the version stamp at the top of this file when this document changes. Each AI request audit row preserves the policy version that applied at the time of that request, so historical data stays interpretable even after the live policy moves. Material changes that broaden what we collect or send to third parties will also be surfaced as an in-app notice on next launch.

Children

Stone is not directed to children under 13 within the meaning of the Children's Online Privacy Protection Act (COPPA). If you believe we have inadvertently collected information from a child, contact us and we will delete it.

Governing law

This policy and your use of Stone are governed by the laws of the State of California, United States, without regard to conflict-of-laws principles. EU users retain the rights described in the "Rights under GDPR" section regardless of governing-law choice.

Contact

During the TestFlight beta, reach the developer through TestFlight feedback — the reply-to on your TestFlight invite reaches us directly. A dedicated privacy contact address ships with the public release and will appear in Settings ▸ About and on the App Store listing.