Endearist

Privacy · Threat model

Who can reach your data — and who can't.

A privacy promise without a threat model is marketing. Here is a concrete account of which attacks Endearist defends against, which it mitigates — and which are outside our control.

What we actively protect against

Us

This is the most important category. Even if you fully trust us today, you shouldn't have to depend on us remaining trustworthy forever. That's why Endearist is local-first: your content lives on your device. We simply don't have access to it, because we don't run a central content server.

If you enable cloud sync, the content is encrypted with AES-256-GCM before it leaves your device. Our own Endearist Cloud server sees only opaque bytes: it knows neither your contact names nor your notes. The key is derived on your device from your passphrase and 12-word recovery code, and it never leaves your device.

Third-party trackers

On this website: no Google Analytics, no Facebook Pixel, no Hotjar, no embedded social buttons. We use a self-hosted Plausible instance that collects no personal data and no cookies — only anonymous page views.

In the app: no third-party SDKs transmitting usage behavior without your consent. In-app telemetry is opt-in; the default sends nothing. No Amplitude, no Mixpanel, no Segment.

Employees and internal access

Since we don't run content servers, there is nothing for employees to access. Customer support requests cannot be linked to content, because we don't have it. If you file a bug report, you cannot accidentally send us your contacts, unless you deliberately paste them into your message.

What we mitigate but can't fully prevent

Government actors with court orders

If an authority comes to us with a valid legal order, we can only hand over what we have, which is exclusively account data (email address, purchase timestamp, license ID) and, from sync storage, encrypted bytes we cannot read plus the metadata any storage server necessarily records (upload timestamps, blob sizes). We cannot hand over your content because we cannot decrypt it.

What we don't guarantee: protection against authorities who have your physical device. If your device ends up in the hands of a law enforcement agency, what happens next is outside our technical control. Device encryption (FileVault, BitLocker, iOS Data Protection with its keys held in the Secure Enclave) is your first line of defense while the device is locked or powered off; it offers nothing once the device has been handed over unlocked.

Compromised sync services

If you use Google Drive or iCloud as a sync transport and one of those services is compromised, an attacker finds encrypted blobs they can't read without the key held on your device. The end-to-end encryption protects you even against a compromised transport. What is not protected: metadata such as sync timestamps, the number of blobs and their sizes. From these an attacker can infer that you use an app with regular activity, and roughly how much data it holds, but not what's inside.

What we honestly can't protect against

Physical device access by an attacker

If someone holds your unlocked device with Endearist open, they see your data. That's not a failure of our app — it's physics. We plan an optional app lock via PIN or biometrics for exactly this case. But we will never claim to protect you against an attacker with physical device access and sufficient time.

Screenshots by an attacker who controls your device

If malware running on your device can capture the screen, that is a device problem, not an app problem. We can't implement screenshot protection without also breaking legitimate accessibility features. On Android we set FLAG_SECURE on sensitive screens, which keeps them out of ordinary screenshots, screen recordings and the recent-apps thumbnail; but that is a mitigation, not complete protection, because an attacker with root on the device can read the screen contents or the app's memory directly, and other platforms offer no equivalent flag.

Forgotten passphrases with no recovery path

If you forget your passphrase, lose your 12-word recovery code, and no longer have a device on which Endearist is still unlocked, the encrypted sync data is permanently lost. That is the price of real end-to-end encryption: there is no server-side backdoor to help you, and because the data is authenticated (AES-GCM), a wrong passphrase does not even yield garbled output, only a failed decryption. Local backups always remain unencrypted, so this worst case only affects your cloud data, not your entire dataset.