Privacy

Your data, in your hands.

Last updated: 2026-05-11.

The short version

What stays on your device

Loops, Dailies, Tallies, completions, taps, your settings, and the data the home-screen widget shows — all of it lives on your phone, in the app's own storage. The app reads and writes there directly. Nothing in this list is sent anywhere unless you turn on sync.

If you never enable sync, the sync server has no record of you at all. Not a row, not a placeholder, not an analytics ping. The cloud surface exists only for people who explicitly turn sync on; everyone else uses Again as a fully-offline app and the server doesn't know they exist.

What sync sends, and only when you turn it on

When you tap "Sync between devices" in Settings, your phone creates two random values locally — without ever asking for your email, name, or anything personal:

From that point, your edits — your loops, dailies, tallies, and when you marked things done — are encrypted on your phone before being sent to the sync server at sync.again.nopanic.ing. The server stores the encrypted blobs by your random ID so your other devices can pull them. The server cannot decrypt them, and neither can anyone else without your private key.

Linking a second device is a single QR scan: the new device shows a QR, and your existing phone scans it. The QR carries only a one-time public key — never your sync key — so a photo or screen-recording of it reveals nothing. Your existing phone uses that public key to send your sync key to the new device sealed end-to-end; the server relays an opaque blob it cannot open. If you don't have your other phone to hand, Restore from sync key rejoins from your saved key instead.

Technical details, for the curious

The random ID is a UUID. The private key is a long random secret. At register / restore-from-key / rotate the device sends only a SHA-256 verifier of the secret — never the secret itself — so the raw secret never traverses the network at all; the server stores that verifier to authenticate you. Each event's body (`payload_json`) is encrypted client-side with AES-GCM-256 before push; the 256-bit AES key is derived from your private secret on the device via HKDF-SHA256 and is never sent at all. The server is a Cloudflare Worker backed by Cloudflare D1; it stores nonce + ciphertext + auth-tag envelopes and has no key material to decrypt them. Metadata fields needed for routing (event id, version, originating device id, timestamp) remain in plaintext — they reveal cadence ("user X completed something at time T") but not content.

Screens that reveal the QR-link or the raw sync key are protected from capture on both platforms — FLAG_SECURE on Android and a secure-layer overlay on iOS — so the system refuses to expose those screens to screenshots, system-recents thumbnails, screen recordings, or mirroring while they're visible.

For the full protocol and threat model — exactly what's encrypted, what isn't, and what we defend against — see the Security & sync details page.

If you subscribe for cross-device sync, your phone sends the server a single piece of subscription metadata along with each authenticated request: the date your current subscription expires. The server stores this against your random ID so the automatic inactivity cleanup (below) can tell a paying subscriber's dormant data apart from an abandoned account. It is not a payment record — Google Play handles billing entirely separately — and it is not tied to your name, email, or card. It is paid-status metadata, and the server stores nothing more granular than "subscription good until DATE."

What sync does NOT send

Push notifications (when sync is on)

To wake your phone when another of your devices has pushed new data, Again uses a push-message service in silent mode — no user-visible banner, just a wake-up signal so your phone fetches the new data quickly. Your phone's push identifier is registered against your random ID on the sync server. No marketing or promotional notifications are ever sent. You can disable this by turning off sync.

Technical details, for the curious

The push service is Google's Firebase Cloud Messaging, used in data-only mode (no notification payload).

Viewing on the web

An optional web companion at web.again.nopanic.ing lets you view and tick off your items from a browser. It pairs by scanning a QR code with the app — the encryption key travels device-to-browser over that scan, never through the server. The browser decrypts locally, exactly like the app; the server still only ever sees ciphertext.

The companion is account-less and temporary: no login, the link lasts for the browser session (it ends when you close the tab, or after a short idle timeout), and you can sign it out from your phone at any time under Settings → Sync → Manage devices. It needs sync turned on, since it rides the same end-to-end encrypted sync as the app — no new kind of data leaves your device.

Backup & export

Settings → Backup exports your data as a single file you save wherever you like — Drive, email, your own folder. The file is in plaintext (JSON) so you can read it yourself. The file is yours; no copy is sent anywhere.

Crashes

The app does not include any error-reporting service. If one is ever added (Sentry, for example), this section will be updated explicitly and the integration will be opt-in via Settings.

Deleting your data

Contact

Questions, concerns, bug reports or feature requests: contact.again@nopanic.ing.