Trust & Privacy
Privacy is a product feature in Elvera
Your data is organized into three clear classes. Each class has its own rules for storage, encryption, visibility, and AI access. Nothing is hidden behind vague promises.
Effective March 19, 2026
Class A — Local Vault
Most sensitive. Never leaves your device.
Your deepest reflections, voice recordings, and raw identity model stay encrypted on-device. They are excluded from any sync, cloud backup, or server-side processing unless you explicitly export them.
- Prompt responses and written reflections
- Voice recordings (captured and processed on-device)
- Raw identity model, facets, and contradictions
- App preferences and settings
- Hardware-backed encryption via the device Secure Enclave
- Biometric lock available (Face ID / Touch ID)
- Excluded from cloud sync by default
Class B — Governed Sync
Powers key flows. Encrypted in transit and at rest.
Some content must move between devices or services to deliver Elvera's core features (portrait generation, witness delivery, legacy sharing). This data is encrypted and scoped by service and role.
- Anonymized text sent to AI for synthesis (PII stripped)
- External witness contributions (in transit to your device)
- Portrait and photo data when used in governed flows
- Legacy packets shared with designated recipients
- Subscription status via Apple StoreKit
- Access scoped by service and role — no blanket access
- TLS encryption for all transmissions
Class C — Public Card
Tiny subset. Explicit opt-in only.
If you choose to make part of your identity findable or shareable, only the specific fields you select become visible. You preview before publishing, and you can revoke at any time.
- Only fields you explicitly select are published
- Full preview before anything goes live
- Revoke or edit any public card field at any time
- Public cards reveal only what the owner allows
- No background indexing or hidden data exposure
- Opt-in only — nothing is public by default
Who We Are
Elvera ("the App") is developed and operated by Elvera / Future Enterprises. "We," "us," and "our" refer to Elvera / Future Enterprises. "You" refers to you, the user of the App.
How AI Uses Your Data
Elvera uses AI to generate identity synthesis, portrait insights, and sentiment analysis. AI access is governed by your permissions and the data class system above.
- Synthesis: When you trigger a synthesis, anonymized text (Class B) is sent to a large language model provider. Personally identifiable information is stripped before transmission. Your name, email, and account identifiers are not included.
- Sentiment analysis: AI helps interpret emotional patterns and thematic threads across your reflections, based on your permissions. Some content may be processed securely to deliver the product.
- No model training: We do not use your data to train AI models. Our LLM provider is bound by a data processing agreement that prohibits retaining or reusing your data.
What is optional
Synthesis and AI-powered insights are opt-in. You choose when to trigger a synthesis. You can use Elvera's reflection tools without ever sending data to an AI provider. Sentiment analysis only runs when you interact with features that require it.
Witness Contributions
Elvera allows you to invite trusted people ("Witnesses") to contribute observations about you. Witness data is handled precisely as follows:
- Internal witnesses submit observations within the app. Their contributions are stored locally on your device (Class A) once received.
- External witnesses submit via a web form. Their responses are delivered to your device through an encrypted channel (Class B in transit), then stored locally (Class A at rest). Submissions are not retained on our servers after delivery.
- You control which witness contributions are incorporated into your identity model.
- Witnesses are informed that their contributions will be visible to you.
- You can delete any witness contribution at any time.
Witness visibility rules
Witnesses see only the prompts you share with them. They do not have access to your identity model, other witness contributions, or your reflections. Visibility rules apply: your trusted circle sees only what you explicitly allow.
Sentiments
Sentiments are emotional and thematic patterns that Elvera identifies across your reflections over time. They help surface what matters to you.
- Sentiments are derived from your Class A data (local reflections) and generated on-device or via anonymized Class B processing.
- Sentiment data is stored locally (Class A) and governed by the same encryption and access rules.
- AI helps interpret sentiment patterns based on your permissions. You can review, dismiss, or remove any sentiment the system surfaces.
- Sentiments are never shared externally unless you explicitly include them in a legacy packet or public card.
Portrait & Photo Data
Your portrait is a synthesized representation of your identity, which may include visual elements and photos you provide.
- Photos you upload are stored locally on your device (Class A) by default.
- When portrait generation requires processing, photo data may be transmitted securely (Class B) to generate visual outputs. This is encrypted in transit and not retained after processing.
- You choose whether any portrait element appears in your public card (Class C). Nothing is published without your explicit opt-in and preview.
- You can delete any photo or portrait element at any time. Deletion is immediate for Class A data.
Voice Recordings
Voice recordings captured within Elvera are processed and stored on your device (Class A). Audio remains in the Local Vault and is not transmitted to our servers or any third-party service. You may delete any recording at any time.
What We Do Not Collect
- No tracking pixels, cookies, or fingerprinting
- No third-party analytics (no Google Analytics, Mixpanel, or equivalents)
- No advertising identifiers or ad networks
- No server-side storage of your Class A personal content
- No location data
Delete, Export, and Revoke
You have full control over your data at every level:
- Delete: You can delete all local data (Class A) at any time from within the App. Because this data lives on your device, deletion is immediate and permanent. For Class B data that has been transmitted, we do not retain copies after delivery or processing.
- Export: You can export your identity model, reflections, and other data via legacy packets, giving you full data portability. Exported files are yours to store wherever you choose.
- Revoke: You can revoke any public card (Class C) at any time. Revocation removes the data from public visibility immediately. You can also revoke witness invitations, removing their ability to submit further contributions.
- Access: All your data is visible and accessible within the App at all times. There is no hidden data layer.
Server-side data
Because we do not maintain a server-side user database for your Class A content, there is no server-side personal data to request deletion of. Your device is the primary source of truth for your most sensitive information.
Data Security
Class A data benefits from Apple's built-in device encryption, Secure Enclave hardware-backed key storage, and optional biometric lock. Class B transmissions use TLS encryption in transit and are encrypted at rest where applicable. We recommend keeping your device passcode enabled and your iOS version up to date.
Children's Privacy
Elvera is intended for users aged 13 and older. We do not knowingly collect information from children under 13. If you believe a child under 13 has used the App, please contact us and we will assist with any necessary steps.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App or on our website. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
Contact
If you have questions about this Privacy Policy, your data, or how any of the classes above apply to you:
privacy@elvera.app