Privacy Policy (iOS App)

Openly by North Tumbleweed LLC · Last updated April 25, 2026

This page covers the Openly iOS app specifically. The general Privacy Policy covers the same Service end to end. The two documents say the same thing — this one restructures the disclosures the way Apple expects them so reviewers can confirm what we collect (and what we don’t) at a glance.

1. Overview

North Tumbleweed LLC (“we”, “us”) publishes the Openly iOS app, an AI chat client that routes your messages through a Cloudflare Worker proxy to a curated set of open-source language models (DeepSeek V4, DeepSeek V4 Pro, Kimi K2.6, Qwen 3.6, GLM 5.1).

Openly is built around a no-log architecture. We do not store the content of your prompts, the content of model replies, or your IP address on our servers. The only data we keep is what is strictly required to enforce a monthly fair-use cap on your paid subscription. This page details what that means on iOS.

2. Data We Collect

2.1 Per-Device Anonymous Identifier

When the app launches, it derives a pseudonymous identifier from Apple’s identifierForVendor. This identifier is unique to Openly on your device and is stable across app launches as long as the app is installed. It is not your AppleID, not your IDFA, and not visible to any other app.

Every request from the app to our backend includes this identifier in the X-Device-ID HTTP header. We use it for one purpose: tracking how much of your monthly fair-use cap you have consumed, so we can enforce the cap on your subscription tier.

2.2 Subscription Receipt

When you purchase or restore a subscription, the iOS app passes Apple’s receipt to our backend. The backend validates the receipt against Apple’s receipt-validation endpoint and stores only the validation result (subscription tier and expiration date), keyed against your anonymous device identifier.

2.3 Conversations (Local Only)

Your conversation history is stored on your device using Apple’s SwiftData framework. It never leaves your iPhone. Our servers do not see, store, or back up your conversations.

3. Data We Do Not Collect

The Openly iOS app collects the absolute minimum needed to run a paid Service. Beyond the device identifier and the receipt above, nothing else is sent to or stored by us.

Specifically, the Openly iOS app does not collect or use:

Your name, email, or AppleID.
The content of your prompts (sent to the model provider, never stored by us).
The content of model replies (returned to you, never stored by us).
Your IP address (the Worker discards it inside the request handler).
Your precise or coarse location.
Your contacts, calendar, reminders, or address book.
Your photos or media library.
Microphone or audio data.
Health, fitness, or biometric data.
Browsing history outside of Openly.
The IDFA (Advertising Identifier) or any other advertising identifier.
Payment card information, billing address, or financial data of any kind.
Any product analytics or marketing-attribution events.

4. Data Shared with Third Parties

Openly intentionally ships with no analytics, advertising, attribution, or measurement SDKs. The complete list of third parties that ever see anything from the iOS app is:

Third party	What it receives	Why
Cloudflare	The HTTPS request as it transits the edge (request line and your `X-Device-ID` header). The Worker handler discards the source IP and never writes the prompt or reply to any log.	Hosts the Worker proxy and the cap-counter Durable Object at `api.openly.chat`.
Novita	The text of your prompt and the chosen model name. No device identifier, no IP, no subscription information, no other identifier.	Generates the model response. Contractually bound to a no-log clause — the prompt and reply are not retained, not used for training, and not used for any other purpose.
Apple	Subscription purchase events through StoreKit (purchase, renewal, cancellation, refund). Standard iOS crash signatures if you have crash reporting enabled in iOS Settings.	Processes payment, issues the receipt, manages auto-renewal. We never see your AppleID, billing address, or payment card.

That is the entire third-party surface. There are no other SDKs, no other endpoints, and no other recipients of any data from Openly.

5. iOS Permissions

Openly requests no iOS runtime permissions. The following permission prompts you have seen in other apps will never appear in Openly because the corresponding capability is not used:

No camera permission.
No photo library permission.
No microphone permission.
No location permission (foreground or background).
No contacts permission.
No calendar / reminders permission.
No notification permission (Openly does not push notifications).
No App Tracking Transparency prompt (we do not collect IDFA — see Section 6).

6. App Tracking Transparency

Apple requires apps to show the App Tracking Transparency (ATT) prompt before collecting the device’s Advertising Identifier (IDFA) for tracking across apps and websites owned by other companies. Openly does not show the ATT prompt because Openly does not collect the IDFA, does not perform cross-app or cross-site tracking, and does not share any data with data brokers.

Per Apple’s definition of “tracking,” nothing Openly does qualifies. The anonymous device identifier we use is a per-vendor value that exists only inside Openly’s data scope; it is not linked to data from other apps and is not shared with third parties for advertising purposes.

7. Data Retention

Data	Where it lives	How long
Anonymous device identifier + monthly cap counter	Cloudflare Workers KV / Durable Object	Active month plus a short rolling window. Auto-deleted after 90 days of inactivity.
Receipt-validation cache entry	Cloudflare Workers KV	Until your subscription expires plus a short grace window.
Conversations (prompts and replies)	Locally on your device (SwiftData)	Until you delete them in-app or uninstall.
Subscription records	Apple’s App Store	Per Apple’s policies and applicable tax / accounting law.

8. Your Rights and Deletion

One-tap reset. Open Openly, then go to Settings → Delete all data. This wipes:

Your local SwiftData store (all conversations on the device).
Your cap counter on the Worker side (sent as a delete request, processed server-side).
The receipt-validation cache entry (so the next purchase or restore re-validates fresh).

By email. If you cannot open the app, email support@openly.chat and we will manually delete any cap counter and receipt-validation entry tied to a device identifier you provide.

GDPR / CCPA. Because the only personal data we hold is the device identifier and the cap counter, “right of access” and “right of erasure” are functionally identical to the in-app reset. For the formal legal basis under GDPR and the rights conferred by CCPA, see the general Privacy Policy.

9. Subscription Management

Openly offers two auto-renewing monthly subscriptions through Apple’s App Store: Openly ($9.99 / month) and Openly Plus ($29.99 / month). Current pricing is shown in the app at the moment of purchase.

Auto-renewal. Payment is charged to your Apple Account at confirmation of purchase. Subscriptions automatically renew unless cancelled at least 24 hours before the end of the current period. Your payment method is charged for renewal within 24 hours prior to the end of the current period.

How to cancel. Open iOS Settings → [your name] → Subscriptions → Openly and tap Cancel Subscription. You can also reach the same screen from inside Openly at Settings → Manage Subscription.

Refunds. Refund requests for App Store purchases are handled by Apple at reportaproblem.apple.com.

10. Children’s Privacy

Openly is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has used Openly, please contact us and we will remove any associated cap-counter entry promptly.

11. Security

All network traffic between the iOS app and our backend uses HTTPS / TLS.
The Worker proxy runs on Cloudflare’s edge with built-in DDoS protection and per-device rate limiting (60 requests / minute).
Our upstream API key for Novita lives only in Cloudflare Worker Secrets — never in the iOS bundle, never in source control, never on your device.
Receipt validation is performed server-side against Apple’s endpoint; the iOS app never holds the validation logic and cannot be tricked into granting tier access by tampering with a local file.
Database access on our side uses Cloudflare’s default scoping — the cap counter for one device cannot be read or written by a request from another device.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date at the top. Continued use of Openly after a change constitutes acceptance of the updated policy. For material changes we will make reasonable efforts to notify you in-app.

13. Contact

Questions about this iOS Privacy Policy or your data? Reach us at support@openly.chat.

North Tumbleweed LLC
Wyoming, United States
support@openly.chat