Overview
Apollo Wellness LLC ("we," "us," or "our") operates the Apollo Suite: a household subscription that currently includes Alluvium by Apollo ("Alluvium" — personal finance), Welkin by Apollo ("Welkin" — network filtering and VPN), Hearth by Apollo ("Hearth" — recipes and meal planning), and Cambium by Apollo ("Cambium" — connected notes), together with the apollo-suite.com account hub, the product websites, and the companion mobile apps (collectively, the "Services"). This Privacy Policy explains what personal information we collect across the Services, how we use and share it, how long we keep it, and the choices you have.
This one policy covers every Apollo Suite product. Where a product has its own data practices — Alluvium's bank connections, Welkin's network activity, Hearth's recipe imports, Cambium's note analysis — this policy has a product-specific section below.
- We do not sell personal information, and we do not share it for cross-context behavioral advertising.
- We do not run third-party advertising, analytics, or tracking SDKs in any of our apps or websites.
- AI features (recipe cleanup and grocery matching in Hearth; categorization help and the Ask Alluvium assistant in Alluvium; connection suggestions and semantic search in Cambium) are processed by Anthropic's Claude API and — for Cambium's search index — Voyage AI, each acting as our service provider. Only the content the feature needs is sent, and it is not used to train AI models. On supported iPhones some features may run on-device instead. Welkin's network activity is never sent to any AI service.
- We collect what the products need to work, and we say specifically what that is below.
Information we collect — your Apollo account
One Apollo account signs you in to every product. For that account we collect:
- Email address, used to sign you in (via an emailed one-time link/code, or Google sign-in if you choose it) and to send the emails described below. We do not store passwords.
- Profile details you provide, such as your display name and avatar image.
- Subscription and billing status. Payments are processed by Stripe; we store your Stripe customer and subscription identifiers, your plan, and its status. We never see or store full payment card numbers.
- Household information: the household you belong to, each member's role, and the email addresses you enter when you invite someone. Household members can see one another's names and email addresses.
- Records of your acceptance of our Terms of Service (timestamp and version).
- Communication preferences, such as whether the weekly household digest email is enabled.
- Push notification tokens for mobile devices where you enable notifications.
Information we collect — technical
- Essential cookies that keep you signed in and remember interface preferences. We do not use advertising or third-party analytics cookies.
- Server logs generated when you use the Services (IP address, browser or app version, timestamps, requested pages, error messages), kept for security, debugging, and reliability.
- Crash and error reports our own apps send us when something breaks (error message, technical stack trace, and the page or screen where it happened). These go only to our own infrastructure — no third-party crash service.
Alluvium (personal finance)
Alluvium stores the financial records you create or connect:
- Accounts, balances, transactions, categories, tags, budgets, rules, and recurring items you enter by hand or import from CSV files you upload.
- If you connect a financial institution, data supplied by our aggregation partners (Plaid, MX, or Akoya): institution name, account names and types, account masks (last four digits — never full account or routing numbers), balances, and transactions including dates, amounts, descriptions, merchant names and categories, and any additional transaction details your institution or the aggregator provides (which can include merchant location or logo references).
- Encrypted connection credentials: the access tokens that let an aggregator sync your accounts are encrypted with AES-256-GCM before storage and are never readable by app clients.
- Images you upload as account avatars.
Connecting an institution is always your choice, made per institution. When you connect one, your data is also handled by that aggregator under its own privacy policy (Plaid: plaid.com/legal, MX: mx.com/privacy, Akoya: akoya.com/privacy) and by your institution under its terms. When you disconnect an institution or delete your account, we revoke the aggregator's access.
If you enable transaction push notifications, notification text (for example, an amount and counterparty name) is delivered through Expo's notification service and Apple's or Google's push systems.
Household sharing in Alluvium is off by default: accounts and everything derived from them are private to you unless you explicitly mark an account "shared," at which point household members can view and co-edit that account's data. The "Ask Alluvium" assistant answers with an AI model: your question, the recent conversation, and a compact financial snapshot (headline totals, category names, and — when the assistant looks something up — the matching transaction lines) are processed by Anthropic (Claude) acting as our service provider, or by the operating system's on-device model on supported iPhones. Anthropic does not use this content to train its models, and we do not store chat transcripts on our servers.
Welkin (network filtering and VPN)
Welkin routes an enrolled device's internet traffic through a WireGuard tunnel to servers we operate, and answers the device's DNS queries so it can apply the content filters you configure. For Welkin we store:
- Devices you enroll: the name you give each device, its WireGuard public key, and its assigned tunnel address. The private key is generated on the device and never leaves it.
- The filter policies and schedules you configure (which categories or domains you block, and when).
- Daily activity aggregates per device: total DNS queries, total blocked queries, and a list of the most frequently blocked domains for that day. We do not store a browsing history or per-request log in our database.
- Aggregate data-transfer counters (bytes in/out per device) used for service health.
To answer and filter DNS, our resolvers necessarily process each DNS query from an enrolled device in real time. Queries are counted in short-lived memory on the server and reduced to the daily aggregates described above; standard server operational logs may temporarily record query details for reliability and abuse debugging and are automatically rotated. We do not inspect, log, or store the content of your web traffic. Queries for domains we don't block are resolved through an upstream public DNS service (currently Google Public DNS), which receives the queried domain but no account information.
Activity reports and people who use an enrolled device
The account holder can see the daily activity aggregates for every device on their account, and can choose to email a recurring activity report — query counts, blocked counts, per-device totals, and top blocked domains — to recipients they designate (an accountability partner). Reports identify the account by email address and note when a device had no activity.
If you use a device that someone else enrolled in Welkin (for example, a family member's account covers your phone), that account holder can see the device's daily DNS activity summaries and may share them as described above. We require account holders to enroll only devices they own or manage, or where the device's user has been informed — see the Terms of Service. If you believe a device you use is enrolled without your knowledge, contact us.
Welkin activity data is never shared with other household members through the household feature; only the account holder that enrolled the device (and their designated report recipients) can see it. Report recipients' email addresses are stored so we can send the reports; a recipient can stop the reports by contacting us or asking the sender to remove them.
The optional Focus feature uses Apple's Screen Time framework on your own device to block apps you select during periods you set; the list of apps you choose is held by the operating system, not sent to us.
Hearth (recipes and meal planning)
Hearth stores the cooking data you create:
- Recipes you save, including recipes imported from web pages at your request (title, description, ingredients, steps, and a link to the source page and its image), plus your ratings, notes, and tags.
- Meal plans, shopping lists, and pantry contents.
- Stores you save for shopping, including an optional store address or ZIP code you provide.
When you use grocery-price features, we send ingredient or item names and your chosen store location (or ZIP code) to the Kroger API to look up products, prices, and aisles; no account identity is sent. Nutrition estimates are computed from a built-in reference table and, where needed, by sending ingredient names (nothing else) to the USDA FoodData Central public API. Scanning a recipe photo runs entirely on your device — the image is processed locally and never uploaded. AI cleanup of imported recipes, grocery-product matching, and pantry expiry estimates send the recipe text or item names to Anthropic (Claude) acting as our service provider (not used to train AI models) — or run on the operating system's on-device model on supported iPhones.
Household sharing in Hearth is on by default: recipes, meal plans, shopping lists, pantry items, and stores you create are visible to and co-editable by your household members unless you mark them private. If you prefer to keep something to yourself, set its visibility to "private."
We also compute anonymous, aggregated statistics across users (for example, the most commonly chosen product for a grocery item, or typical shelf life of a pantry item). These aggregates contain no user identifiers.
Cambium (connected notes)
Cambium stores the notes you write — their text, titles, and any metadata you import with them (such as tags from another app's files). Notes are private to you; Cambium has no household sharing.
To power connection suggestions and search-by-meaning, your note text is converted into numerical representations ("embeddings") by Voyage AI, and short excerpts of related notes are sent to Anthropic (Claude) to generate a one-line explanation of the suggested connection. Both act as our service providers and do not use this content to train AI models. Suggestions are only that — a connection becomes part of your notes only when you accept it. Notes you write while offline are processed the next time your device syncs.
You can export all of your notes at any time as plain markdown files (Vault → Export), and deleting a note deletes its embeddings and suggestions with it.
How we use information
- Provide, maintain, and improve the Services — syncing your data across your devices and, where you've chosen, your household.
- Process subscriptions, trials, and billing through Stripe, and send billing-related emails (welcome, trial ending, payment failed).
- Send service emails you've enabled, such as the weekly household digest (which summarizes your own products' data for you) and bank-connection alerts. The digest has a one-click unsubscribe.
- Send the Welkin activity reports the account holder configures.
- Protect the Services and our users against fraud, abuse, and security incidents.
- Comply with law and enforce our Terms of Service.
We do not use your data to train AI models — and Anthropic, our AI service provider, does not train models on the content our apps send — and we do not build advertising profiles.
Service providers
These providers process personal information on our behalf, only to provide their service to us:
- Supabase — authentication, database, and file storage for all products.
- Anthropic — AI processing for Hearth, Alluvium, and Cambium features (receives the feature's content, such as imported recipe text, grocery item names, a finance chat message and its snapshot, or excerpts of related notes; retained briefly for abuse prevention, never used to train models; Welkin network activity is never sent).
- Voyage AI — text embeddings for Cambium's connection suggestions and semantic search (receives note text; not used to train models).
- Vercel — web application hosting (processes web request traffic and server logs).
- Oracle Cloud Infrastructure — the servers we operate for Welkin's VPN and DNS filtering run on OCI compute.
- Stripe — payment processing and subscription billing.
- Resend — delivery of the emails we send.
- Plaid, MX, Akoya — bank and brokerage aggregation for Alluvium, only for institutions you connect.
- Expo — mobile app build/update services and push-notification routing; Apple and Google deliver push notifications on their platforms.
- Kroger — grocery product, price, and aisle lookups for Hearth (receives item names and store location only).
- USDA FoodData Central — nutrition lookups for Hearth (receives ingredient names only; a US government public API).
- Brandfetch — merchant and institution logos in Alluvium; your browser or app fetches the logo directly, so Brandfetch receives the merchant's domain name and your device's IP address, but no account information.
- Google (sign-in) — only if you choose to sign in with Google. Google Public DNS additionally serves as Welkin's upstream resolver as described above.
- GitHub — runs our scheduled jobs (contains no user data beyond what those jobs process transiently).
- Cloudflare — DNS hosting for our own domains (no user personal data).
Data retention and deletion
- Your data is retained while your account is active.
- When you delete your Apollo account, we revoke bank-aggregator access immediately, deactivate the account, and permanently delete your personal data across all products within 30 days, except where we must keep specific records longer for legal, tax, billing-dispute, or security reasons. Backups purge on their own cycle shortly after.
- Deleting an individual item deletes it for everyone it was shared with; deleting a Welkin device deletes that device's activity aggregates.
- Welkin's transient DNS processing is short-lived by design: per-query data lives in server memory and rotating operational logs, and only daily aggregates are kept.
You can delete your account from Alluvium's Settings (Data & privacy), or by emailing support@apollo-suite.com from your account email. Account deletion covers your entire Apollo account — all products.
Security
All traffic to the Services is encrypted in transit (HTTPS; WireGuard for Welkin tunnels). User data is isolated with database row-level security. Bank connection credentials are encrypted at rest with AES-256-GCM, with keys held outside the database. Access to production systems is restricted. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; if we learn of a breach affecting your personal information we will notify you as required by law.
Your privacy rights
Depending on where you live, you may have rights to know, access, correct, delete, or receive a portable copy of your personal information, and to opt out of sale, sharing, or targeted advertising (we do none of those, so there is nothing to opt out of). We do not discriminate against you for exercising privacy rights.
To exercise any right, use the export and deletion tools in Alluvium's Settings, or email support@apollo-suite.com from your account email address. We verify requests by confirming control of the account email, respond within the time required by applicable law (typically 45 days), and let you appeal a refusal by replying to our response. Authorized agents may submit requests with proof of authorization.
The Services are operated from the United States and directed to US residents. If you use them from elsewhere, your information is processed and stored in the United States.
Children
Apollo accounts are for adults: you must be at least 18 to create one, and the Services are not directed to children under 13. We do not knowingly collect personal information directly from children.
A parent or legal guardian may enroll a child's device in Welkin under their own account. In that case the data we process about the child's device (device name, tunnel address, and the daily DNS activity aggregates described above) is collected at the parent's direction and is visible to and controlled by the parent, who can review it and delete it by removing the device. If you believe we hold information collected from a child in any other way, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy. We will post the revised policy with a new effective date, and for material changes we will notify you through the Services or by email before the changes take effect.
Contact us
Apollo Wellness LLC · Questions, privacy requests, or concerns: support@apollo-suite.com