Privacy Policy
Last updated: May 8, 2026
1. Who we are
Retrography is an iOS app developed by Tomas Klinger. This policy covers the Retrography app (the "App") and the website at retrography.app.
2. Data the App reads from your device
With your explicit permission, the App reads the following data from iOS to build your personal timeline. All of this data stays on your device and in your private iCloud container.
Location
- Why: To detect visits to places (home, work, cafés, etc.) and build an automatic timeline.
- How: We use iOS visit monitoring and significant-location changes. "Always" authorization is requested so visits can be logged in the background, even when the app is closed.
- Where it goes: Stored only in your on-device database and your private iCloud container. Never sent to our servers.
Photos
- Why: To display photos from your library alongside places and events on your timeline.
- How: The App reads photos and their metadata (date, location) from your Photos library via the PhotoKit API.
- Where it goes: Photos stay in your Photos library — the App only references them. Metadata is processed on-device. The exception is photos you explicitly attach to an AI chat message — see "AI chat" below.
Camera
- Why: To take photos directly inside an AI chat conversation when you don't want to switch to the Photos app.
- Where it goes: The captured image is shown in the chat and, if you send the message, follows the same path as any attached photo (see "AI chat" below).
HealthKit data
- Why: To show workouts, steps, sleep, stand hours, active energy, and distance on your timeline.
- How: With your permission via HealthKit. The App may also write workout location back to Health when available.
- Where it goes: Health data stays in HealthKit and your on-device database. Never sent to our servers.
Motion & Fitness
- Why: To detect walking, driving, and cycling so the timeline shows how you moved between places.
- Where it goes: Processed on-device only.
Microphone
- Why: To record voice notes for journal entries.
- How: Audio is transcribed on-device using Whisper. The audio never leaves your device.
Bluetooth
- Why: To create event markers when you connect to known devices (headphones, car audio, speakers) so your timeline can show context.
- Where it goes: On-device only.
Reminders
- Why: To show completed Reminders tasks on your timeline.
- Where it goes: Read on-device; never sent off-device.
Notifications, Face ID
Optional. Face ID unlocks Privacy Mode (which hides journal entries, photos, and AI chats). Biometric data never leaves the Secure Enclave.
3. iCloud sync
Retrography uses your private iCloud container to sync data between your own devices. We have no access to this container — it is Apple-managed and encrypted between your devices under your Apple ID. If you delete the app or your iCloud data, it's gone.
4. Data sent off your device
Retrography has no user accounts and no analytics SDK inside the app. The only time data leaves your device is when AI features are enabled — chat, per-entry summaries, or recap summaries — or when you opt in to optional integrations (Last.fm, in-app purchases, "On This Day").
AI chat, per-entry summaries, and recaps
Retrography uses AWS Bedrock to power three AI features. All three follow the same path: the App contacts our authentication proxy on Netlify to get short-lived AWS credentials, then sends the request directly from your device to Amazon Web Services (AWS) Bedrock. The proxy itself never sees the contents of your prompts.
- Per-entry summaries. When the "AI summary on save" toggle in Settings is on, saving a journal entry automatically sends the entry's text to AWS Bedrock for a one-time short summary (~500 characters). The summary is written back into the entry on your device; the model response is then discarded. This runs in the background after you save — there is no separate confirmation per entry. You can disable it at any time in Settings, and existing entries that already have a summary are not re-sent.
- Recap summaries (weekly, monthly, yearly). When the recap features are enabled, the App periodically sends entry text or prior short summaries to AWS Bedrock to generate weekly, monthly, and yearly recap summaries shown in the Journal Explorer. Generation is triggered when you open a period that doesn't yet have a recap, or when an existing recap is older than its source content.
- AI chat. When you ask a question in the chat surface, the request includes: the text of your prompt, the selected context (which you can preview before sending), and any photos you attach — together with each photo's capture date and (if present) GPS coordinates — so the model can describe what's in the photo. Photos you attach to a chat are also written to the App's private Documents folder so they persist in your chat history. That local copy is not synced to iCloud and is not sent anywhere else.
For all three features:
- AWS Bedrock runs Anthropic's Claude language model on AWS infrastructure. Anthropic does not receive your data; AWS hosts the model weights. Per Bedrock's service terms, AWS does not use customer content to train foundation models and does not share it with model providers.
- We do not store the content of your AI prompts, journal text, photos, or model responses on our servers. The only thing our backend retains tied to your install is a per-device entitlement record (current AI Pro subscription state and the most recent transaction IDs for replay protection — described below under "Authentication proxy" and "In-app purchases").
- See: AWS Service Terms (section 50 covers Bedrock) and AWS Privacy.
Authentication proxy
- The proxy exists only to issue short-lived AWS credentials and enforce rate limits. It uses Apple's App Attest service to verify requests come from a genuine copy of the App on a real device.
- It stores a per-install device identifier so AI Pro entitlement and rate limits can be tracked. No personal identifiers, no email, no Apple ID.
In-app purchases
- Apple's StoreKit 2 handles the transaction when you unlock unlimited timeline history or subscribe to AI Pro Monthly.
- The App passes the StoreKit-signed transaction (a JWS issued by Apple) to our server, which verifies the signature against Apple's root certificate and stores only the Apple transaction ID (to prevent double-claiming), the product ID, and the resulting entitlement state. No payment-card data ever touches our server.
Music history (optional)
- Last.fm: If you enter a Last.fm username in Settings, the App calls the public Last.fm API with that username to fetch your scrobbles for the timeline. Last.fm receives only the username you typed. There is no OAuth and no token stored.
- Spotify Extended Streaming History: If you import your Spotify takeout files (the JSON files you can request from Spotify directly), they are parsed entirely on-device. The Spotify takeout files never leave your device.
Public read-only APIs
For the "On This Day" feature on the timeline, the App fetches public articles from Wikipedia, the New York Times Archive, and the Hacker News public API. These calls send only a date — no user data, no identifiers, no location. They are equivalent to opening those websites in a browser.
5. What we don't do
- We don't run user accounts, ask for your email, or collect personally identifying information.
- We don't use third-party analytics SDKs inside the App.
- We don't sell, rent, share, or license your data to anyone.
- We don't track you across other apps or websites.
- We don't have advertising.
6. Children
Retrography is not directed at children under 13 and we do not knowingly collect data from children.
7. Third parties involved
- Apple — iCloud, HealthKit, Photos, StoreKit, App Attest (platform services).
- Amazon Web Services (Bedrock) — processes AI chat/summary requests you voluntarily send. AWS runs the Claude model on its own infrastructure.
- Anthropic — creator of the Claude model used by Bedrock. Anthropic does not receive requests from this app; the model runs inside AWS Bedrock.
- Netlify — hosts the authentication proxy and this website.
- Last.fm (optional) — if you enter a Last.fm username, public listening data is fetched from their API.
- Wikipedia, New York Times, Hacker News — public read-only APIs used for the "On This Day" timeline feature. Date-only queries; no user data sent.
- Umami — privacy-first, cookieless analytics for this website only. No cookies, no personal data, no cross-site tracking. Not used inside the App.
8. Your choices
- You can revoke any permission (Location, Photos, Health, Microphone, etc.) in iOS Settings at any time.
- You can delete all Retrography data by deleting the App — local data is removed, and iCloud data is removed when you delete it from iCloud.
- You can request deletion of the per-install device record held by the authentication proxy by contacting support (see below) with your device ID, which is visible in the App's Settings screen.
9. Security
Data on device is protected by iOS's data-at-rest encryption. iCloud sync uses Apple's encryption under your Apple ID. The authentication proxy uses HTTPS and App Attest to reject requests from anything other than a genuine copy of the App.
10. Changes to this policy
If we change this policy materially, we'll update the "Last updated" date at the top and — when relevant — surface a notice in the App.
11. Contact
Questions or requests: retrographyapp@gmail.com