Private by design

Encrypted on your device. Only you can read it.

Everything you bring in is encrypted on your iPhone before it ever leaves it. The key is generated on your device and stored in the iOS Keychain — it never leaves, and we never have a copy.

On-device

Your encryption key is generated and kept on your iPhone.

Zero-knowledge

The server stores encrypted blobs and your email — nothing else.

Yours alone

Not even Our Life can decrypt your records — by design.

What's protected

Everything but your email is encrypted

Every record you bring in is sealed on your device. The only thing stored in plain text is the email address on your account.

  • Labs, visits, medications, vaccines, vitals, notes, and AI summaries — all encrypted
  • The server sees only encrypted blobs and your email
  • It can see that a record exists and when it synced — never what's in it

What the server can and can't see

  • Your email address: Stored in plain text
  • Your lab results: Encrypted blob — unreadable
  • Your medications: Encrypted blob — unreadable
  • Your AI summaries & notes: Encrypted blob — unreadable

What this means for you

The promises that follow from the design

If our servers were breached

Attackers would get encrypted blobs they can't open. Your records stay locked.

Under subpoena

We can only hand over encrypted blobs we can't read and your account email. We can't decrypt your records for anyone — including ourselves.

For the AI

For Ask, only the small text snippets needed to answer are decrypted on your device and sent over an encrypted connection to a third-party AI model (Anthropic's Claude). They're used to compose one answer, then discarded — not retained or used for training.

If you lose your phone

Your recovery code is the only way back. We can give you a new account, but not new data — the records stay encrypted with the key only the old device held.

Extra protection

Layers on top of encryption

Face ID lock

Optionally require Face ID every time you open the app, and when it returns from the background.

Recovery code

A short word-based code shown once at setup. It's the only way to restore your encrypted records on a new phone — we can't recover it for you.

Verified sharing

Keys are pinned on first contact, like Signal. If a contact's key changes, you compare a safety number and confirm "it's really them" before viewing.

Security details

Common questions

Where is my encryption key?

It's generated on your iPhone and stored in the iOS Keychain. It never leaves the device, and Our Life never receives a copy. That's why only you can read your records.

Can Our Life employees read my records?

No. The server only ever holds encrypted blobs and your email. Without your on-device key, the contents are unreadable to us — and to anyone who obtained the data.

What does the AI actually receive?

Your records are stored zero-knowledge — the server only ever holds encrypted blobs. When you ask a question, the app decrypts on your device and sends only the small text snippets needed to answer, over an encrypted connection, to a third-party AI model (Anthropic's Claude). Those snippets are used to compose a single answer and are not retained or used for training. The app asks for your explicit permission before any snippet is sent.

How does revoking a share work?

Stopping a share removes the recipient's access and deletes the shared copy from the server. Recipients can also remove a share from their own side at any time.

What happens if I delete my account?

Deletion is permanent — it erases your account and all data. Signing back in starts a fresh, empty account. This can't be undone, so keep an export if you want a copy.

Your health, kept to yourself.

Private from the first tap — and every tap after.
