Privacy
Your data, in your hands.
Last updated: 2026-05-11.
The short version
- Again works fully on your device by default. No login, no account.
- Cross-device sync is opt-in. Again never collects your email, password, name, phone number, contacts, location, photos, or anything similar.
- When sync is on, your data is end-to-end encrypted on the device before being sent. The server stores encrypted blobs it cannot decrypt.
- No third-party analytics. No ad networks. No third-party login providers.
- The single-device experience is fully functional without any data leaving your phone.
What stays on your device
Loops, Dailies, Tallies, completions, taps, your settings, and the data the home-screen widget shows — all of it lives on your phone, in the app's own storage. The app reads and writes there directly. Nothing in this list is sent anywhere unless you turn on sync.
If you never enable sync, the sync server has no record of you at all. Not a row, not a placeholder, not an analytics ping. The cloud surface exists only for people who explicitly turn sync on; everyone else uses Again as a fully-offline app and the server doesn't know they exist.
What sync sends, and only when you turn it on
When you tap "Sync between devices" in Settings, your phone creates two random values locally — without ever asking for your email, name, or anything personal:
- A random ID. What the server uses to find your data. Looks like a string of letters and numbers; it isn't tied to your name, email, or phone number in any way.
- A private key. Proves to the server that it's really you, and is what your phone uses to encrypt everything before sending. Your phone never sends this key to the server — only a one-way fingerprint of it, which is what the server stores to recognise you. The actual key never leaves your phone, so the server can't read your data even in principle. The same fingerprint is sent again if you ever paste a saved key into a new device to recover data.
From that point, your edits — your loops, dailies, tallies, and when you marked things done — are encrypted on your phone before being sent to the sync server at sync.again.nopanic.ing. The server stores the encrypted blobs by your random ID so your other devices can pull them. The server cannot decrypt them, and neither can anyone else without your private key.
Linking a second device is a single QR scan: the new device shows a QR, and your existing phone scans it. The QR carries only a one-time public key — never your sync key — so a photo or screen-recording of it reveals nothing. Your existing phone uses that public key to send your sync key to the new device sealed end-to-end; the server relays an opaque blob it cannot open. If you don't have your other phone to hand, Restore from sync key rejoins from your saved key instead.
Technical details, for the curious
The random ID is a UUID. The private key is a long random secret. At register / restore-from-key / rotate the device sends only a SHA-256 verifier of the secret — never the secret itself — so the raw secret never traverses the network at all; the server stores that verifier to authenticate you. Each event's body (`payload_json`) is encrypted client-side with AES-GCM-256 before push; the 256-bit AES key is derived from your private secret on the device via HKDF-SHA256 and is never sent at all. The server is a Cloudflare Worker backed by Cloudflare D1; it stores nonce + ciphertext + auth-tag envelopes and has no key material to decrypt them. Metadata fields needed for routing (event id, version, originating device id, timestamp) remain in plaintext — they reveal cadence ("user X completed something at time T") but not content.
Screens that reveal the QR-link or the raw sync key are protected from capture on both platforms — FLAG_SECURE on Android and a secure-layer overlay on iOS — so the system refuses to expose those screens to screenshots, system-recents thumbnails, screen recordings, or mirroring while they're visible.
For the full protocol and threat model — exactly what's encrypted, what isn't, and what we defend against — see the Security & sync details page.
If you subscribe for cross-device sync, your phone sends the server a single piece of subscription metadata along with each authenticated request: the date your current subscription expires. The server stores this against your random ID so the automatic inactivity cleanup (below) can tell a paying subscriber's dormant data apart from an abandoned account. It is not a payment record — Google Play handles billing entirely separately — and it is not tied to your name, email, or card. It is paid-status metadata, and the server stores nothing more granular than "subscription good until DATE."
What sync does NOT send
- No email, name, phone number, or any user-identifying info.
- No analytics, no telemetry.
- No "what apps do you have installed," no contacts, no location, no photos.
- No payment information — billing is handled by Google Play / App Store directly.
Push notifications (when sync is on)
To wake your phone when another of your devices has pushed new data, Again uses a push-message service in silent mode — no user-visible banner, just a wake-up signal so your phone fetches the new data quickly. Your phone's push identifier is registered against your random ID on the sync server. No marketing or promotional notifications are ever sent. You can disable this by turning off sync.
Technical details, for the curious
The push service is Google's Firebase Cloud Messaging, used in data-only mode (no notification payload).
Viewing on the web
An optional web companion at web.again.nopanic.ing lets you view and tick off your items from a browser. It pairs by scanning a QR code with the app — the encryption key travels device-to-browser over that scan, never through the server. The browser decrypts locally, exactly like the app; the server still only ever sees ciphertext.
The companion is account-less and temporary: no login, the link lasts for the browser session (it ends when you close the tab, or after a short idle timeout), and you can sign it out from your phone at any time under Settings → Sync → Manage devices. It needs sync turned on, since it rides the same end-to-end encrypted sync as the app — no new kind of data leaves your device.
Backup & export
Settings → Backup exports your data as a single file you save wherever you like — Drive, email, your own folder. The file is in plaintext (JSON) so you can read it yourself. The file is yours; no copy is sent anywhere.
Crashes
The app does not include any error-reporting service. If one is ever added (Sentry, for example), this section will be updated explicitly and the integration will be opt-in via Settings.
Deleting your data
- On device: uninstall the app, or use Android Settings → Apps → Again → Storage → Clear data.
- On the sync server: Settings → Sync → "Disable sync and delete cloud data" wipes your row on the server side, immediately. No retention period.
- Automatic inactivity cleanup: if no device on your account authenticates with the sync server for over 6 months and there is no active paid subscription, Again automatically deletes everything stored for that account — events, devices, link tokens, snapshots. Active subscribers are exempt: cloud data is preserved as long as the subscription is current (plus a 30-day grace after any lapse). Local data on whatever device you eventually pick the app back up on is untouched.
Contact
Questions, concerns, bug reports or feature requests: contact.again@nopanic.ing.