Overview
Apollo Wellness LLC ("we," "us," or "our") operates the Apollo Suite: a household subscription that currently includes Alluvium (personal finance), Welkin (network filtering and VPN), and Hearth (recipes and meal planning), together with the apollo-suite.com account hub, the product websites, and the companion mobile apps (collectively, the "Services"). This Privacy Policy explains what personal information we collect across the Services, how we use and share it, how long we keep it, and the choices you have.
This one policy covers every Apollo Suite product. Where a product has its own data practices — Alluvium's bank connections, Welkin's network activity, Hearth's recipe imports — this policy has a product-specific section below.
- We do not sell personal information, and we do not share it for cross-context behavioral advertising.
- We do not run third-party advertising, analytics, or tracking SDKs in any of our apps or websites.
- AI features run on your device using the operating system's on-device models; your data is not sent to a cloud AI service.
- We collect what the products need to work, and we say specifically what that is below.
Information we collect — your Apollo account
One Apollo account signs you in to every product. For that account we collect:
- Email address, used to sign you in (via an emailed one-time link/code, or Google sign-in if you choose it) and to send the emails described below. We do not store passwords.
- Profile details you provide, such as your display name and avatar image.
- Subscription and billing status. Payments are processed by Stripe; we store your Stripe customer and subscription identifiers, your plan, and its status. We never see or store full payment card numbers.
- Household information: the household you belong to, each member's role, and the email addresses you enter when you invite someone. Household members can see one another's names and email addresses.
- Records of your acceptance of our Terms of Service (timestamp and version).
- Communication preferences, such as whether the weekly household digest email is enabled.
- Push notification tokens for mobile devices where you enable notifications.
Information we collect — technical
- Essential cookies that keep you signed in and remember interface preferences. We do not use advertising or third-party analytics cookies.
- Server logs generated when you use the Services (IP address, browser or app version, timestamps, requested pages, error messages), kept for security, debugging, and reliability.
- Crash and error reports our own apps send us when something breaks (error message, technical stack trace, and the page or screen where it happened). These go only to our own infrastructure — no third-party crash service.
Alluvium (personal finance)
Alluvium stores the financial records you create or connect:
- Accounts, balances, transactions, categories, tags, budgets, rules, and recurring items you enter by hand or import from CSV files you upload.
- If you connect a financial institution, data supplied by our aggregation partners (Plaid, MX, or Akoya): institution name, account names and types, account masks (last four digits — never full account or routing numbers), balances, and transactions including dates, amounts, descriptions, merchant names and categories, and any additional transaction details your institution or the aggregator provides (which can include merchant location or logo references).
- Encrypted connection credentials: the access tokens that let an aggregator sync your accounts are encrypted with AES-256-GCM before storage and are never readable by app clients.
- Images you upload as account avatars.
Connecting an institution is always your choice, made per institution. When you connect one, your data is also handled by that aggregator under its own privacy policy (Plaid: plaid.com/legal, MX: mx.com/privacy, Akoya: akoya.com/privacy) and by your institution under its terms. When you disconnect an institution or delete your account, we revoke the aggregator's access.
If you enable transaction push notifications, notification text (for example, an amount and counterparty name) is delivered through Expo's notification service and Apple's or Google's push systems.
Household sharing in Alluvium is off by default: accounts and everything derived from them are private to you unless you explicitly mark an account "shared," at which point household members can view and co-edit that account's data. The "Ask Alluvium" assistant runs entirely on your device using the operating system's on-device model; your financial snapshot is processed on the phone and is not sent to us or to any cloud AI provider.
Welkin (network filtering and VPN)
Welkin routes an enrolled device's internet traffic through a WireGuard tunnel to servers we operate, and answers the device's DNS queries so it can apply the content filters you configure. For Welkin we store:
- Devices you enroll: the name you give each device, its WireGuard public key, and its assigned tunnel address. The private key is generated on the device and never leaves it.
- The filter policies and schedules you configure (which categories or domains you block, and when).
- Daily activity aggregates per device: total DNS queries, total blocked queries, and a list of the most frequently blocked domains for that day. We do not store a browsing history or per-request log in our database.
- Aggregate data-transfer counters (bytes in/out per device) used for service health.
To answer and filter DNS, our resolvers necessarily process each DNS query from an enrolled device in real time. Queries are counted in short-lived memory on the server and reduced to the daily aggregates described above; standard server operational logs may temporarily record query details for reliability and abuse debugging and are automatically rotated. We do not inspect, log, or store the content of your web traffic. Queries for domains we don't block are resolved through an upstream public DNS service (currently Google Public DNS), which receives the queried domain but no account information.
Activity reports and people who use an enrolled device
The account holder can see the daily activity aggregates for every device on their account, and can choose to email a recurring activity report — query counts, blocked counts, per-device totals, and top blocked domains — to recipients they designate (an accountability partner). Reports identify the account by email address and note when a device had no activity.
If you use a device that someone else enrolled in Welkin (for example, a family member's account covers your phone), that account holder can see the device's daily DNS activity summaries and may share them as described above. We require account holders to enroll only devices they own or manage, or where the device's user has been informed — see the Terms of Service. If you believe a device you use is enrolled without your knowledge, contact us.
Welkin activity data is never shared with other household members through the household feature; only the account holder that enrolled the device (and their designated report recipients) can see it. Report recipients' email addresses are stored so we can send the reports; a recipient can stop the reports by contacting us or asking the sender to remove them.
The optional Focus feature uses Apple's Screen Time framework on your own device to block apps you select during periods you set; the list of apps you choose is held by the operating system, not sent to us.
Hearth (recipes and meal planning)
Hearth stores the cooking data you create:
- Recipes you save, including recipes imported from web pages at your request (title, description, ingredients, steps, and a link to the source page and its image), plus your ratings, notes, and tags.
- Meal plans, shopping lists, and pantry contents.
- Stores you save for shopping, including an optional store address or ZIP code you provide.
When you use grocery-price features, we send ingredient or item names and your chosen store location (or ZIP code) to the Kroger API to look up products, prices, and aisles; no account identity is sent. Nutrition estimates are computed from a built-in reference table and, where needed, by sending ingredient names (nothing else) to the USDA FoodData Central public API. Scanning a recipe photo runs entirely on your device — the image is processed locally and never uploaded. On-device AI cleanup of imported recipes likewise stays on the phone.
Household sharing in Hearth is on by default: recipes, meal plans, shopping lists, pantry items, and stores you create are visible to and co-editable by your household members unless you mark them private. If you prefer to keep something to yourself, set its visibility to "private."
We also compute anonymous, aggregated statistics across users (for example, the most commonly chosen product for a grocery item, or typical shelf life of a pantry item). These aggregates contain no user identifiers.
How we use information
- Provide, maintain, and improve the Services — syncing your data across your devices and, where you've chosen, your household.
- Process subscriptions, trials, and billing through Stripe, and send billing-related emails (welcome, trial ending, payment failed).
- Send service emails you've enabled, such as the weekly household digest (which summarizes your own products' data for you) and bank-connection alerts. The digest has a one-click unsubscribe.
- Send the Welkin activity reports the account holder configures.
- Protect the Services and our users against fraud, abuse, and security incidents.
- Comply with law and enforce our Terms of Service.
We do not use your data to train AI models, and we do not build advertising profiles.
Service providers
These providers process personal information on our behalf, only to provide their service to us:
- Supabase — authentication, database, and file storage for all products.
- Vercel — web application hosting (processes web request traffic and server logs).
- Oracle Cloud Infrastructure — the servers we operate for Welkin's VPN and DNS filtering run on OCI compute.
- Stripe — payment processing and subscription billing.
- Resend — delivery of the emails we send.
- Plaid, MX, Akoya — bank and brokerage aggregation for Alluvium, only for institutions you connect.
- Expo — mobile app build/update services and push-notification routing; Apple and Google deliver push notifications on their platforms.
- Kroger — grocery product, price, and aisle lookups for Hearth (receives item names and store location only).
- USDA FoodData Central — nutrition lookups for Hearth (receives ingredient names only; a US government public API).
- Brandfetch — merchant and institution logos in Alluvium; your browser or app fetches the logo directly, so Brandfetch receives the merchant's domain name and your device's IP address, but no account information.
- Google (sign-in) — only if you choose to sign in with Google. Google Public DNS additionally serves as Welkin's upstream resolver as described above.
- GitHub — runs our scheduled jobs (contains no user data beyond what those jobs process transiently).
- Cloudflare — DNS hosting for our own domains (no user personal data).
Data retention and deletion
- Your data is retained while your account is active.
- When you delete your Apollo account, we revoke bank-aggregator access immediately, deactivate the account, and permanently delete your personal data across all products within 30 days, except where we must keep specific records longer for legal, tax, billing-dispute, or security reasons. Backups purge on their own cycle shortly after.
- Deleting an individual item deletes it for everyone it was shared with; deleting a Welkin device deletes that device's activity aggregates.
- Welkin's transient DNS processing is short-lived by design: per-query data lives in server memory and rotating operational logs, and only daily aggregates are kept.
You can delete your account from Alluvium's Settings (Data & privacy), or by emailing support@apollo-suite.com from your account email. Account deletion covers your entire Apollo account — all products.
Security
All traffic to the Services is encrypted in transit (HTTPS; WireGuard for Welkin tunnels). User data is isolated with database row-level security. Bank connection credentials are encrypted at rest with AES-256-GCM, with keys held outside the database. Access to production systems is restricted. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; if we learn of a breach affecting your personal information we will notify you as required by law.
Your privacy rights
Depending on where you live, you may have rights to know, access, correct, delete, or receive a portable copy of your personal information, and to opt out of sale, sharing, or targeted advertising (we do none of those, so there is nothing to opt out of). We do not discriminate against you for exercising privacy rights.
To exercise any right, use the export and deletion tools in Alluvium's Settings, or email support@apollo-suite.com from your account email address. We verify requests by confirming control of the account email, respond within the time required by applicable law (typically 45 days), and let you appeal a refusal by replying to our response. Authorized agents may submit requests with proof of authorization.
The Services are operated from the United States and directed to US residents. If you use them from elsewhere, your information is processed and stored in the United States.
Children
Apollo accounts are for adults: you must be at least 18 to create one, and the Services are not directed to children under 13. We do not knowingly collect personal information directly from children.
A parent or legal guardian may enroll a child's device in Welkin under their own account. In that case the data we process about the child's device (device name, tunnel address, and the daily DNS activity aggregates described above) is collected at the parent's direction and is visible to and controlled by the parent, who can review it and delete it by removing the device. If you believe we hold information collected from a child in any other way, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy. We will post the revised policy with a new effective date, and for material changes we will notify you through the Services or by email before the changes take effect.
Contact us
Apollo Wellness LLC · Questions, privacy requests, or concerns: support@apollo-suite.com