Tether

Privacy Policy

Last Updated: July 10, 2026

One sentence, before the legal detail: Tether is built so that your own AI can read your health data — and we never can. Everything below is the technical and operational consequence of that single design decision.

1. The Architecture Is the Policy

Tether uses a zero-knowledge, end-to-end encrypted (E2EE) architecture. Your health data is encrypted on your iPhone before it ever leaves the device, using keys that only exist on your devices. Our cloud stores and routes ciphertext only. We — the developers — hold no decryption keys, operate no decryption capability, and cannot read your health data even if asked to. This is not a promise we keep by discipline; it is a property of the system's design.

Decryption happens in exactly two kinds of places, both chosen by you: (a) your own devices and your partner's device (if you opt in to sharing), and (b) a computer you own and explicitly pair, where your personal AI agent runs (see Section 5).

2. Health Data We Process (Always Encrypted)

With your explicit permission via Apple HealthKit, and depending on which features you enable, Tether can read the following data types. Every one of them is encrypted on-device before upload:

  • Sleep — sleep analysis (stages, in-bed time), sleep heart rate, respiratory rate.
  • Activity — steps, active energy, exercise minutes, stand hours, walking/running distance.
  • Heart — resting heart rate, heart rate variability (HRV).
  • Body — weight (body mass).
  • Cycle tracking — menstrual flow records, if you enable cycle tracking.
  • Symptoms — the HealthKit symptom types (e.g. headache, cramps, fatigue), if you enable symptom tracking.
  • Wrist temperature — from Apple Watch, if available.
  • Workouts & mindfulness — workout sessions and mindfulness minutes.
  • Water intake & notes — entered manually in the app (not read from HealthKit).

HealthKit write access: the only data Tether ever writes to Apple Health is a weight entry you type in yourself (so your Health app stays your source of truth). Nothing else is written.

Motion & Fitness:if you use Tether without an Apple Watch, the app can ask for Motion & Fitness permission to infer sleep from periods of phone inactivity. This inference runs entirely on your device; raw motion data never leaves your iPhone.

In line with Apple's HealthKit rules: we never use HealthKit data for advertising or marketing, never sell it, never share it with data brokers, and never use it for any purpose other than the features you see in the app.

3. A Note on Cycle & Symptom Data

We treat menstrual and symptom data as the most sensitive category in the app. It is protected by the same E2EE pipeline as everything else, which has a concrete consequence worth stating plainly: our servers physically store only ciphertext, so there is no readable cycle data on our side to disclose, leak, or hand over.Sharing cycle data with your partner — and separately, allowing your partner's AI to read it — are individual opt-in toggles that only you, the data owner, can switch, and you can turn them off at any time.

4. How the Encryption Works

  • Each record is sealed on your iPhone with AES-GCM-256 under a random data key.
  • That data key is wrapped per recipient using Curve25519 (X25519 ECDH + HKDF-SHA256) — one sealed envelope for you, one for your partner (if sharing), one for your paired AI machine (if paired).
  • Your private identity key is generated on-device and stored in your personal iCloud Keychain (end-to-end encrypted by Apple, synced across your devices). It is never sent to our servers.
  • The cloud (our Supabase-hosted backend) stores ciphertext blobs and wrapped envelopes. It cannot open either.

5. Your AI Agent (Local MCP Access)

Tether's defining feature is that your health data can be read by an AI agent you run — a Claude Code instance, a personal server, your own computer — via the Model Context Protocol (MCP). Here is exactly how that works, privacy-wise:

  • You pair a machine by scanning a QR code it displays. Pairing mints a credential for that specific machine and registers its public key.
  • From then on, your iPhone seals an additional envelope for that machine. The machine downloads ciphertext from our cloud and decrypts it locally, on your hardware.
  • No AI model runs in our cloud. No plaintext health data flows through us on its way to your agent — we only ever relay ciphertext.
  • What your agent does with the decrypted data happens on your machine, under your control, outside our systems.
  • You can revoke a paired machine at any time in Settings; revocation deletes its envelopes so it can no longer decrypt anything new.

6. Partner Sharing

  • Sharing is opt-in and starts only when you exchange an invite code with your partner.
  • You control exactly which categories are shared (sleep, cycle, water, weight, …) — per-category toggles, changeable any time.
  • Some categories (activity, heart, workouts, mindfulness, wrist temperature) are personal-only and are never shared with a partner.
  • Ending the partnership deletes the envelopes that let your ex-partner decrypt your data. Already-delivered data on their device cannot be remotely erased — that is a physical property of E2EE, stated here so there are no surprises.

7. Non-Health Data We Keep (the Minimum to Run the Service)

To route ciphertext between your devices, we store a small amount of non-health metadata:

  • Your account identifier from Sign in with Apple (we receive no password; email is whatever you chose to share via Apple).
  • Device records, invite codes, partner-relationship status, and sharing settings.
  • Public keys and hashed (never plaintext) machine credentials.
  • Security metadata such as rate-limit counters.

8. Analytics & Diagnostics

We use PostHog (hosted in the EU) to understand app usage and diagnose bugs — events like "sync succeeded", "screen viewed", or error types. These events are engineered to carry no health values: numbers are bucketed (e.g. "sync took 1–3s"), text inputs and images are masked in session replays, and identifiers are internal. Your sleep hours, cycle dates, weight, and symptoms never appear in analytics. Analytics data is not sold or shared with advertisers; there is no third-party advertising SDK in the app.

9. Data Retention & Deletion

  • Encrypted health blobs are kept so your history can sync across your devices, until you delete them or your account.
  • Deleting your account removes your encrypted blobs, envelopes, device records, and relationships from our systems.
  • Dissolved partnerships and expired security records are garbage-collected automatically on a fixed schedule.
  • Data you keep locally (on your iPhone, or on a machine you paired) is yours and outside our reach — deleting your account does not reach into your own hardware.

10. What We Never Do

  • No selling of any data, health or otherwise.
  • No advertising, no ad SDKs, no data brokers.
  • No AI training on your data — we could not even if we wanted to; we only have ciphertext.
  • No reading your health data for "service improvement", "research", or any other purpose.

11. Children

Tether is not directed at children and is not intended for use by anyone under the age of 13 (or the equivalent minimum age in your jurisdiction).

12. Changes to This Policy

If we change this policy, we will update this page and the date at the top. A change that weakened the E2EE architecture described above would be a different product — treat the architecture in Sections 1–5 as the contract.

Questions? Contact us at support@tetherme.app or open an issue in our community repository.