TL;DR. Apple’s privacy “nutrition label” is the only privacy disclosure surface in tech with structural enforcement. Most apps declare extensive data collection linked to user identity. The Ostler iOS app’s label declares zero tracking and no linked data, because there is no Ostler server to link data to. The architecture writes the label, not the lawyer.
Most people do not read privacy policies. Nobody does. A 2008 study at Carnegie Mellon found that reading every policy you encountered in a year would take seventy-six working days, and policies have grown longer since. The result is a market where promises about data handling cost nothing to make and rarely cost anything to break.
There is exactly one place this has changed. Since December 2020 every app on the iOS App Store has shipped with a structured disclosure form Apple calls the Privacy Nutrition Label. It sits on the app’s product page above the screenshots. Users scan it. Journalists screenshot it. Apple enforces it. Apps that lie on the form get pulled from the store, and Apple has pulled them.
It is, by some distance, the most-trusted privacy disclosure surface in consumer technology. And unlike a privacy policy, it does not give the developer room to be eloquent. It is a form. You tick boxes.
What the form actually asks
The label organises every piece of data an app touches into one of three buckets, in descending order of concern.
Data Used to Track You. Tracking, in Apple’s definition, means linking data collected from this app with data collected by other companies, for advertising or measurement. It also means sending data to a data broker. If an app declares anything here, Apple shows the user a prompt the first time the app runs, asking permission. Most users say no, which is why the category exists at all.
Data Linked to You. Data the app collects that is tied to your identity through an account, device ID, or similar handle. The data is not sold or cross-pollinated, but the developer holds it and could, in principle, look it up by user.
Data Not Linked to You. Data the app touches in order to function, but never associates with a persistent user identifier. The classic case is a maps app that knows where you are right now in order to draw a map, but does not record that location against an account.
Data Not Collected. Self-explanatory.
The categories cascade. An app that reports “Data Not Collected” across the board is the rarest creature on the store, mostly calculators and offline games. An app that reports everything as “Linked to You” is the cloud norm. Almost every consumer app sits somewhere between, and the one column that determines the social signal of the label is the first: whether the app tracks.
What the Ostler iOS app’s label says
Here is what the Ostler iOS app’s PrivacyInfo.xcprivacy manifest declares, line by line. The manifest is the source of truth Apple’s nutrition label is generated from at submission time; lying on the label while the manifest tells a different story is detected automatically.
| Apple category | Ostler iOS app answer |
|---|---|
| Data Used to Track You | Nothing. The app declares NSPrivacyTracking: false. |
| Data Linked to You | Nothing. There is no account system to link data to. |
| Data Not Linked to You | Five entries: Health, Fitness, Precise Location, Photos or Videos, Other User Content. |
| Data Not Collected | Everything else. |
The five entries in the “Not Linked” column are the data types the app touches on the user’s behalf, on the user’s device. Health and Fitness mean the app can read from Apple Health to enrich the user’s timeline. Precise Location means the app logs where the user has been, on the user’s own Mac. Photos means the app reads creation date and location metadata, never the images themselves. Other User Content covers transcripts and conversation snippets the user has chosen to capture.
Each of those entries is marked “App Functionality” as its purpose, which is Apple’s narrowest permitted use. None of them is marked as Linked. None of them is marked as Tracking. We also checked the codebase for every tracking SDK on the industry-standard list: Firebase, Sentry, Mixpanel, Amplitude, Segment, PostHog, AppsFlyer, Adjust, Google Analytics, Crashlytics, Bugsnag, Datadog. None of them is present. We checked for any code that asks iOS for an advertising identifier, or that would trigger the “Allow this app to track your activity” prompt that most apps display on first launch. None of it is there. That prompt will never appear because there is nothing in the app that would trigger it.
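The checks described above can be automated in CI. The following is an added example, not code from the Ostler project: it audits a PrivacyInfo.xcprivacy plist for the properties the table claims and scans dependency text for the SDK names listed above. The function names and both sample inputs are constructed for illustration.

```python
import plistlib

# SDK names from the article's list. Matching is a coarse substring test that
# over-reports (e.g. "Adjust" also hits "adjustable"), so review every hit.
SDK_NAMES = ["Firebase", "Sentry", "Mixpanel", "Amplitude", "Segment", "PostHog",
             "AppsFlyer", "Adjust", "Google Analytics", "Crashlytics", "Bugsnag", "Datadog"]
APP_FUNCTIONALITY = "NSPrivacyCollectedDataTypePurposeAppFunctionality"

def audit_manifest(raw: bytes) -> list[str]:
    """Return findings that contradict a 'no tracking, nothing linked' label."""
    manifest = plistlib.loads(raw)
    findings = []
    # A missing key is reported too: the claim should be explicit, not implied.
    if manifest.get("NSPrivacyTracking") is not False:
        findings.append("NSPrivacyTracking is not explicitly false")
    if manifest.get("NSPrivacyTrackingDomains"):
        findings.append("tracking domains declared")
    for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
        name = entry.get("NSPrivacyCollectedDataType", "<unnamed>")
        if entry.get("NSPrivacyCollectedDataTypeLinked") is not False:
            findings.append(f"{name}: linked to identity")
        if entry.get("NSPrivacyCollectedDataTypeTracking") is not False:
            findings.append(f"{name}: used for tracking")
        if entry.get("NSPrivacyCollectedDataTypePurposes") != [APP_FUNCTIONALITY]:
            findings.append(f"{name}: purpose beyond App Functionality")
    return findings

def find_tracking_sdks(dependency_text: str) -> list[str]:
    """Return listed SDK names that appear in a lock file or package manifest."""
    haystack = dependency_text.lower().replace(" ", "")
    return [s for s in SDK_NAMES if s.lower().replace(" ", "") in haystack]

def _entry(data_type, linked=False, tracking=False, purposes=None):
    return {"NSPrivacyCollectedDataType": data_type,
            "NSPrivacyCollectedDataTypeLinked": linked,
            "NSPrivacyCollectedDataTypeTracking": tracking,
            "NSPrivacyCollectedDataTypePurposes": purposes or [APP_FUNCTIONALITY]}

# Constructed sample manifests (not the Ostler manifest).
CLEAN = plistlib.dumps({"NSPrivacyTracking": False, "NSPrivacyTrackingDomains": [],
    "NSPrivacyCollectedDataTypes": [_entry("NSPrivacyCollectedDataTypeHealth"),
                                    _entry("NSPrivacyCollectedDataTypePreciseLocation")]})
LEAKY = plistlib.dumps({"NSPrivacyTracking": True, "NSPrivacyCollectedDataTypes": [
    _entry("NSPrivacyCollectedDataTypeHealth"),
    _entry("NSPrivacyCollectedDataTypePreciseLocation", linked=True,
           purposes=[APP_FUNCTIONALITY, "NSPrivacyCollectedDataTypePurposeAnalytics"])]})

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("leaky", LEAKY)):
        print(label, audit_manifest(raw) or "no findings")
```

Run against the manifest in the built app bundle rather than the source tree, since bundled third-party frameworks can ship their own PrivacyInfo.xcprivacy files that also need auditing.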
Why this is automatic, not virtuous
The temptation, reading the table above, is to assume some unusual discipline on the engineering side, a team holding the line against tracking SDKs by force of will. There is no such discipline. The label looks like that because the architecture makes any other label impossible.
Ostler is built on a single rule. The Hub, a one-time-purchase macOS app, lives on the customer’s own Mac. The iOS app talks to the Hub on the customer’s home network. Personal data never leaves the customer’s device. The reasoning model, a local LLM, runs on the Hub. The personal knowledge graph, which grows to millions of relationships and hundreds of thousands of embedded references for an active user, lives on the Hub’s disk. The cloud round-trip that other personal-AI products take for inference simply does not happen.
That single architectural choice writes the entire nutrition label. With no Ostler server, there is nothing for the iOS app to phone home to. With no Ostler account, there is no identity to link data against. With no third-party SDK in the bundle, there is no surface through which a data broker could be introduced later without it being noticed in a code review. The “Not Linked to You” column reads the way it does because there is no “You” in Ostler’s database in the first place. A customer’s Hub is a customer’s Hub, and we have no view into it.
Why other apps cannot follow
The structural cost of changing a nutrition label is the part that does not get discussed. Most consumer apps in the personal-AI space are cloud-first by necessity. The model runs on the developer’s GPUs because the model is too large to fit on the user’s phone. To run the model on the developer’s GPUs, the user’s data has to reach the developer’s GPUs. To make the experience coherent across sessions and devices, the data has to be linked to an account. To pay for the GPUs, the developer has to know which account used how much. Every one of those decisions writes another row into “Data Linked to You”, and the architecture cannot be unbuilt without rewriting the product from the wall sockets up.
A privacy policy can be rewritten in an afternoon. A nutrition label is a function of the binary. When Apple flips the toggle that requires a real label, the label tells the truth about the codebase whether the developer wants it to or not.
Ostler made the move by building local-first from day one. Eight months of architectural commitment, two provisional patents filed on the pipeline, and a deployment shape designed around the customer’s own machine. The reward is a nutrition label that needs no qualifying paragraph underneath it. The world does revolve around you.™ The form on the App Store says so in Apple’s words, not ours.
The architecture writes the label. Not the lawyer.
Questions, corrections, disagreements – [email protected].