This is the technical detail behind the promise. Your medical records are encrypted on your iPhone with a key that never leaves it, and our servers only ever hold ciphertext. Here's exactly how that works — and what it means when things go wrong.
Every record is sealed on your device before it's stored or synced. Decryption only ever happens on a device holding your key — never on our servers.
When a record arrives — from Apple Health, a scan, or a file — it's encrypted on your iPhone with AES-256-GCM before it touches storage.
Your data key is generated on-device and stored in the iOS Keychain, protected by the device's hardware-backed encryption. It is never sent to our servers and we never receive a copy; the only route onto a new device is your recovery code, not us.
Sync and backup move encrypted blobs over TLS 1.3. The server stores those blobs plus your email — and nothing it can read.
When you share, the data is re-sealed so only your recipient's device can open it. The server relays a blob it still can't read.
| Layer | How it's done |
|---|---|
| Record encryption | AES-256-GCM — authenticated encryption applied on-device to every record before storage or sync. |
| Key generation | A per-account data key is generated on your iPhone at setup. It is never transmitted to our servers. |
| Key storage | Held in the iOS Keychain. Keychain items are encrypted under device keys that the Secure Enclave protects, so the data key is unavailable until the device is unlocked with your passcode / Face ID. (The AES key is a Keychain item, not a key inside the Secure Enclave itself: the Enclave only holds its own P-256 keys.) |
| Account recovery | A one-time, word-based recovery code shown at setup is the only way to regain access on a new device. We never store it and cannot recover it for you: lose the code and every device that holds the key, and the records are unrecoverable by design. |
| Data in transit | All sync and sharing traffic uses TLS 1.3. The payloads inside are already encrypted end-to-end. |
| Sharing | Records are re-encrypted for the specific recipient's device key; the server relays ciphertext it cannot open. Contact keys are pinned on first use (trust on first use, so that first key is only as trustworthy as the exchange that delivered it); a changed key prompts a Signal-style safety-number check before you proceed. |
| AI “Ask” | Storage stays zero-knowledge, but this is the one path on which plaintext leaves your device. For a question, only the minimal record snippets needed to answer are decrypted on-device and sent over TLS to a third-party AI model (Anthropic's Claude) to compose a single answer; the snippets are not retained or used for training. The app requests explicit permission before any snippet is sent. |
| App lock | Optional Face ID / Touch ID gate on launch and on return from the background. |
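As an added illustration, not the app's own code (which runs in Swift on iOS), here is the per-record seal from the table above written against Go's standard library. The blob layout and the choice of additional authenticated data are assumptions of this example. It shows the two things a server holding only ciphertext cannot do: move a blob onto a different record, or alter a byte without the tag check failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob layout (an assumption of this example, not the app's real format):
//   version (1 byte) || nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte tag
// The record ID and the version byte are passed as additional authenticated
// data, so a blob copied onto another record, or relabelled with an older
// format version, fails authentication instead of silently decrypting.
const blobVersion byte = 1

// newDataKey produces the per-account 256-bit key. On the device this is
// what setup would generate once and keep in the Keychain.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func aadFor(recordID string) []byte {
	return append([]byte{blobVersion}, recordID...)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record under the data key with a fresh random nonce.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{blobVersion}, nonce...)
	return gcm.Seal(blob, nonce, plaintext, aadFor(recordID)), nil
}

// openRecord reverses sealRecord; any change to the blob, the version byte
// or the record ID makes the tag check fail and returns an error.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 1+ns+gcm.Overhead() || blob[0] != blobVersion {
		return nil, errors.New("malformed blob or unsupported version")
	}
	return gcm.Open(nil, blob[1:1+ns], blob[1+ns:], aadFor(recordID))
}

func main() {
	key, _ := newDataKey()
	// Constructed sample record, standing in for an imported lab result.
	record := []byte(`{"type":"lab","test":"HbA1c","value":"5.4%"}`)
	blob, _ := sealRecord(key, "rec-0001", record)
	fmt.Println("what the server stores:", hex.EncodeToString(blob))

	pt, err := openRecord(key, "rec-0001", blob)
	fmt.Printf("on-device open: %s (err=%v)\n", pt, err)

	// The server cannot reattach this blob to a different record...
	_, err = openRecord(key, "rec-0002", blob)
	fmt.Println("blob moved to another record:", err)

	// ...nor change a single byte without the tag check failing.
	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, "rec-0001", tampered)
	fmt.Println("one byte flipped:", err)
}
```

Two details matter more than the cipher choice: the nonce is random per seal (the same record encrypted twice yields two different blobs, so the server cannot even tell whether a record changed), and the record ID is authenticated rather than encrypted, because the server needs to route by it but must not be able to swap it.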
Independent security audit and open-sourcing of the encryption module are on our roadmap — we'll publish results here when complete.
Good security is judged by the bad days. Here's how the design holds up under pressure.
| Scenario | What an attacker gets | Why your records stay safe |
|---|---|---|
| Our servers are breached | Encrypted blobs, a list of email addresses, and the metadata any server sees (which accounts exist, blob sizes, sync times). | Blobs are useless without the on-device key, which was never on the server. |
| We receive a subpoena | The same ciphertext and your email. | We can't decrypt your records for anyone — including ourselves. There's no key to compel. |
| A malicious insider | Access to ciphertext at rest. | No employee or system on our side ever holds your decryption key. |
| Your phone is lost or stolen | A locked device. | The Keychain key is gated by your passcode / Face ID; the optional in-app lock adds a second gate. Both gates rest on your passcode, so a weak or observed passcode weakens this row. |
| Network is intercepted (MITM) | TLS 1.3 traffic carrying already-encrypted payloads. | Two layers must fail at once; the payload stays end-to-end encrypted regardless. |
| A share link leaks | A blob re-encrypted for one specific recipient. | Only the intended recipient's device can decrypt it; revoking deletes the shared copy, though it cannot take back anything the recipient has already decrypted. |
| A recipient's key changes | Nothing yet. | You're prompted to verify a safety number before any data is shown — like Signal. |
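An added example, not the app's implementation, of the two mechanisms behind the sharing and key-change rows: deriving a per-recipient wrapping key by ECDH over P-256 followed by HKDF, and the pin-on-first-use check that produces a safety number. The key-pair scheme, the "ourlife-share-v1" label and the 8-group number format are assumptions made here; the wrapped record would then be sealed with AES-256-GCM exactly as the table above describes for records.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Each device holds a long-term P-256 key pair; only the public half is
// published through the server (an assumption of this example).
func newDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// hkdfSHA256 is HKDF (RFC 5869): extract, then one block of expand, giving
// 32 bytes. An empty salt is HKDF's zero-salt default.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // block counter for T(1)
	return expand.Sum(nil)
}

// sharingKey wraps a record for one recipient. Sender and recipient both
// reach it through ECDH; the server, which only relays public keys, cannot.
// Binding the record ID stops a wrapped key being replayed on another record.
func sharingKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey, recordID string) ([]byte, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, nil, append([]byte("ourlife-share-v1:"), recordID...)), nil
}

// safetyNumber fingerprints both public keys as 8 groups of 5 digits. The keys
// are sorted first so both parties read the same string and can compare it aloud.
func safetyNumber(a, b *ecdh.PublicKey) string {
	lo, hi := a.Bytes(), b.Bytes()
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	h := sha256.Sum256(append(append([]byte{}, lo...), hi...))
	groups := make([]string, 0, 8)
	for i := 0; i < len(h); i += 4 {
		groups = append(groups, fmt.Sprintf("%05d", binary.BigEndian.Uint32(h[i:i+4])%100000))
	}
	return strings.Join(groups, " ")
}

type pinResult int

const (
	pinnedFirstUse pinResult = iota // no pin yet: remember this key (trust on first use)
	pinMatch                        // same key as pinned: proceed
	pinChanged                      // key differs: block until the safety number is verified
)

// checkContactKey is the pin check that runs before any shared data is shown.
func checkContactKey(pins map[string][]byte, contact string, pub *ecdh.PublicKey) pinResult {
	pinned, ok := pins[contact]
	if !ok {
		pins[contact] = pub.Bytes()
		return pinnedFirstUse
	}
	if bytes.Equal(pinned, pub.Bytes()) {
		return pinMatch
	}
	return pinChanged
}

func main() {
	alice, _ := newDeviceKey()
	bob, _ := newDeviceKey()
	server, _ := newDeviceKey() // a server (or MITM) substituting its own key for Bob's
	ka, _ := sharingKey(alice, bob.PublicKey(), "rec-0001")
	kb, _ := sharingKey(bob, alice.PublicKey(), "rec-0001")
	ks, _ := sharingKey(server, alice.PublicKey(), "rec-0001")
	fmt.Println("alice == bob:", bytes.Equal(ka, kb), " server == alice:", bytes.Equal(ks, ka))
	pins := map[string][]byte{}
	fmt.Println("first share from bob  :", checkContactKey(pins, "bob", bob.PublicKey()))
	fmt.Println("later share from bob  :", checkContactKey(pins, "bob", bob.PublicKey()))
	fmt.Println("key swapped by server :", checkContactKey(pins, "bob", server.PublicKey()))
	fmt.Println("safety number to compare out of band:", safetyNumber(alice.PublicKey(), bob.PublicKey()))
}
```

The pin check is only as good as the first key it stored: a server that substitutes its own key before the first share is not detected by pinning alone, which is why the safety number exists as an out-of-band check rather than as something the server could show you.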
No system is perfectly invulnerable. We design so that a single failure — a breach, a lost phone, a legal order — never adds up to your records being read.
Wherever you live, your health data is yours. Because of how Our Life is built, several of the rights below can be exercised by you directly, instantly, from the app.
Export everything as PDF or JSON from the app, anytime. It's your full record, in a portable format — no request needed.
Delete your account in-app and your data is permanently removed. Because we hold only ciphertext, there's nothing readable left behind.
Add notes and corrections to any record, and re-import from your provider so your history reflects the source of truth.
We do not sell or share your personal information, and there's no targeted-advertising use of it — so there's nothing to opt out of.
Limit processing or object to it by contacting us — and in practice, encryption already restricts what can be processed to begin with.
Exercising any of these rights never changes the price or features you get. The app is the same for everyone.
Making a request. Most rights are self-service in the app (export, delete, edit). For anything else — including questions about the legal basis for processing or to reach a data-protection contact — email privacy@itsourlife.ai. We respond within the timeframes required by the GDPR (one month) and CCPA/CPRA (45 days).
We welcome reports from security researchers and treat them as a gift. Email us with steps to reproduce and we'll acknowledge quickly and keep you posted on the fix.
Please don't access other people's data, degrade the service, or run automated scans against production while testing.
Encrypted on your device, unreadable to us, and yours to export or erase anytime.
Download on the App Store