Butter Privacy Policy
Last updated: July 14, 2026
This policy explains what Gregarious, Inc. ("Gregarious," "we," "us") collects when you use Butter — our AI yoga and mobility coach for iOS — how we use it, and the choices you have. It covers the Butter app and butter.yoga (the "Service").
Each section opens with a short plain-language summary. The short summaries are for convenience only; the full policy governs.
Because Butter works with information about your body and movement, we also maintain a separate, standalone Consumer Health Data Privacy Policy. It is a distinct document with its own terms, and it governs consumer health data as defined by Washington's My Health My Data Act and similar state laws.
The one-line version of our posture: we collect what the coach needs to coach you, we don't sell it, we don't run ads, and we don't let anyone else track you through our app.
1. What we collect
Account information. If you create an account: your email address and sign-in credentials (for Sign in with Apple, Apple gives us a token and, at your choice, your name and email or a private relay address). You can use Butter without an account; anonymous sessions get a random identifier not tied to your name.
Information you give your coach. This is the heart of the product, and much of it is health information:
- Health details you add to your profile: name, gender, age, height, weight.
- Memories ("Life Context"): notes you record by voice or text so the coach can plan around your life — these often include injury history, physical limitations, and training history.
- Coach messages: anything you type or say to your coach, at any time.
- Voice notes: when you speak to the coach, the audio is transcribed on your device. The audio recording is not uploaded — only the transcribed text is sent to our servers.
- Practice history: sessions completed, poses held, durations, streaks, and the session settings you choose.
The coach draws inferences from this information (for example, which areas to work gently because of an injury you mentioned). Those inferences are health data too, and we treat them that way. See the Consumer Health Data Privacy Policy for the full treatment.
Payment information. Subscriptions are processed by Stripe. Stripe collects your payment details and the email you enter at checkout directly; we never see or store your card number. On our side we keep subscription status and billing records under a pseudonymous billing identifier.
Support messages. If you contact support, your messages go to our own systems — not a third-party helpdesk — and are read by named members of our team. An AI assistant may help the team draft replies, but a human reviews and sends every message.
Device and usage data (first-party analytics). To understand how the app performs and how features are used, we collect:
- product-interaction events (app opens; sessions started, completed, or abandoned; feature usage such as screen views and button taps) with measures like durations, completion, pose counts, and streak days;
- device and app context: device model, OS version, app version, language, timezone, and network type (wifi/cellular);
- device diagnostics: battery level, low-power mode, and thermal state;
- coarse location (country, region, city) and network operator, derived transiently from your IP address when an event is received — the IP address itself is not stored in analytics;
- pseudonymous identifiers: a random analytics ID (not derived from your identity), a per-run session ID, and an event sequence number.
What we deliberately do not do: no precise location, no stored IP addresses in analytics, no advertising identifiers, no cross-app tracking, no third-party advertising or analytics SDKs, and no free-form text in analytics events (values are restricted to a fixed allow-list).
Crash and error data. Crash reports and errors are sent to Sentry, our error-tracking provider, tagged only with a random pseudonymous identifier. Our integration is built so that message content, health information, and identity never reach Sentry.
2. How we use your information
We use the information above to:
- deliver and personalize coaching — plan sessions around your body, history, and goals, and speak to you about your practice;
- operate the Service — sync your practice across devices, play the right audio, keep the app working;
- provide support — answer your messages and investigate problems you report;
- handle billing — manage subscriptions, trials, and payments through Stripe;
- improve the product — understand, from first-party analytics, which features work and where the app fails;
- protect the Service and comply with law — prevent abuse, secure accounts, and meet legal obligations.
We do not use your information for advertising. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. There are no third-party ad or analytics trackers in the app.
3. AI processing
Coaching is powered by third-party AI providers acting on our behalf:
- Anthropic processes coaching content — your memories, coach messages, profile context, and session history — to generate session plans and coaching language.
- xAI (Grok) synthesizes the coach's spoken audio. It receives the coaching text to be spoken, which can reference your context, and your first name for personalized greetings.
Both providers process this data under contractual data-protection terms. Under our agreements with these providers, your content is not used to train their models. Requests are made under pseudonymous identifiers, not your name or email (your first name appears only where it is the content being spoken).
4. Who we share it with
We share personal information only with service providers that process it on our behalf, under contracts limiting their use to providing their service to us:
| Provider | Purpose | What they receive |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, encryption key management, analytics infrastructure | All Service data, encrypted at rest; analytics events under pseudonymous IDs |
| Anthropic | AI coaching (language model) | Coaching content: memories, coach messages, profile context, session history — under pseudonymous IDs |
| xAI (Grok) | Coach voice synthesis (text-to-speech) | Coaching text to be spoken; your first name for personalized greetings |
| Stripe | Payment processing | Payment details and checkout email (collected by Stripe directly); pseudonymous billing ID; subscription events |
| Sentry | Crash and error tracking | Crash/error technical data under a random pseudonymous ID; no message content or health data |
| Apple | Sign in with Apple, push notifications, App Store distribution | Sign-in tokens; push tokens; whatever you share with Apple under your Apple account |
Beyond service providers, we disclose personal information only: to comply with law or valid legal process; to protect the rights, safety, or property of you, us, or others; or as part of a merger, acquisition, or sale of assets (in which case this policy continues to apply to your data and we will notify you of any change).
We do not sell personal information and have not done so. We do not share personal information for cross-context behavioral advertising.
5. How we store and protect it
- Encryption at rest: personal data is encrypted with AES-256; encryption keys are stored separately in AWS Key Management Service (KMS).
- Encryption in transit: all traffic between the app and our servers uses TLS.
- Pseudonymous aliases: internally, each service domain (coaching, billing, analytics, error tracking, and so on) identifies you by its own random identifier. No single service sees your real identity alongside its data, and the identifiers can't be linked across services without the separately-guarded identity keys. This limits what any single breach could expose.
- Access controls: production access is restricted and audited.
No system is perfectly secure, and we cannot guarantee absolute security — but the architecture is built so that the sensitive parts are encrypted, compartmentalized, and pseudonymous by default.
6. Retention and deletion
We retain personal information while your account is active and as needed to provide the Service.
When you delete your account (Profile → account settings, or by emailing privacy@butter.yoga):
- your account, profile, health details, memories, and coach content are deleted or scrubbed from our systems;
- analytics events still queued on your device are purged;
- the link between you and your pseudonymous identifiers is permanently severed, so retained records can no longer be attributed to you;
- your payment records at Stripe are deleted through Stripe's deletion API.
What we keep, and why we can keep it honestly: previously collected analytics records are retained in de-identified form — they carry only a random identifier whose link to you has been permanently destroyed, and by design contain no IP address, no precise location, no device-stable identifiers, and no free-form text, so they can no longer be connected to any person. We also keep an encrypted audit record of the deletion itself, and records we are legally required to retain. Deletion is designed to complete promptly and within the timelines required by applicable law.
We do not claim to delete "everything": we delete or de-identify everything that could identify you.
7. Your rights and choices
Everyone:
- Access and portability — ask what personal information we hold about you.
- Correction — fix your profile and health details in the app, or ask us.
- Deletion — delete your account in the app, or email privacy@butter.yoga (see Section 6 for exactly what deletion does).
To exercise any right, use the in-app controls or email privacy@butter.yoga. We verify requests using your account or the email associated with it, and we respond within the timelines required by applicable law. We will not discriminate against you for exercising your rights. You may use an authorized agent where the law provides for one; we will verify the agent's authority.
California residents. The rights above cover the CCPA/CPRA rights to know, correct, and delete. We do not sell personal information or share it for cross-context behavioral advertising, so there is no sale/sharing opt-out to exercise, and we do not use or disclose sensitive personal information for purposes that require a right to limit. Because we do not sell or share personal information, a Global Privacy Control signal does not change anything about how we treat your data — there is nothing to opt out of; we note it here so you don't have to wonder.
Washington, Nevada, and Connecticut residents. Your rights over consumer health data — including access, deletion, withdrawal of consent, and the appeal process — are set out in our standalone Consumer Health Data Privacy Policy.
8. Children
The Service is not directed at children under 13, and we do not knowingly collect personal information from them. Our Terms require users to be 18 or have parental consent. If you believe a child has provided us personal information, email privacy@butter.yoga and we will delete it.
9. Changes to this policy
We may update this policy from time to time. If a change is material, we will notify you before it takes effect — in the app, by email if we have your address, or both — and update the "Last updated" date above. Material changes to how we handle consumer health data will follow the consent requirements of the Consumer Health Data Privacy Policy.
10. Contact
Privacy questions and requests: privacy@butter.yoga
Support: support@butter.yoga
Gregarious, Inc.
Related policy: Consumer Health Data Privacy Policy — our separate, standalone policy for consumer health data under Washington's My Health My Data Act and similar state laws.