Alcove

The privacy story

Last verified against the codebase: 3 July 2026

Said softly. Kept yours.

Alcove is a private journal that is yours alone. It is built so that no one — not Apple, not us, not anyone who takes your phone or your iCloud backup — can read what you keep. This document is the canonical, honest account of how that works: what stays on your device, what is encrypted, the little that ever leaves (and in what form), and the few honest caveats. It is the source of truth for the App Store privacy label, the onboarding copy, and any marketing claim — nothing here is aspirational; it describes the code as built.

There is no server we run. Alcove has no backend, no account system, and no analytics. That isn't a policy promise we could quietly break — it is the architecture. There is nowhere for your data to go.


The five promises

  1. On your device. Your entries, photos' places, walks, and the AI that reads them all live and run on your iPhone.
  2. Encrypted, always. Everything you keep is encrypted at rest with a key only your devices hold.
  3. No account, no tracking. No sign-up, no email required, no analytics, no ad identifiers, no third-party SDKs that phone home.
  4. Sync is yours. If you turn it on, sync runs over your own iCloud as encrypted blobs we (and Apple) cannot read — never a server we operate.
  5. You can leave with everything. Full plaintext export and full local erase, any time.

On-device by default

Encryption — what “encrypted” actually means

Sync — your iCloud, ciphertext only

No accounts, no tracking

Location — the precise truth

Location is the most sensitive thing a journal touches, so here is the exact picture, without rounding:

What ever leaves the device — the complete list

  1. Encrypted CloudKit blobs to your own iCloud private DB — the synced journal (sync on), and with backup on, your voice recordings, hand-added moments, and trail shards. Ciphertext only, in your own iCloud.
  2. The encryption key + identity (and the trial-start date) via iCloud Keychain (Apple E2EE) — the trial date is a timestamp, never content.
  3. A user-initiated export — a plaintext JSON copy, or a .alcovebackup restore file, explicitly sent through the iOS share sheet. The backup file carries your sealed data and your journal key (raw by default, or wrapped under a password you choose). This is data portability; you choose where it goes.
  4. The purchase (a one-time unlock) runs through StoreKit 2 directly — Apple's App Store sees a receipt and an anonymous purchase, never journal content. No subscription, no payments middleman, and no account with us.
  5. (Opt-in, off by default) Local weather — coarse (~25 km) cells of places your days held, sent to Apple Weather. The one feature that sends a location off-device; results cached and stored encrypted.
  6. (Only while you type) Location-search text — when you use the timeline's Where filter and type a place, those characters go to Apple's map-search service to offer matches. Only the text you type; no coordinate of yours is sent.

That is the entire list. Apart from the opt-in weather lookup and the location search you trigger by typing, there is no other network path in the app: no URL, no HTTP client, no socket, no web view. (Place names are resolved entirely on-device from bundled data — © GeoNames (CC BY 4.0) and Natural Earth (public domain).)

Your control


Questions about privacy? Email support@meetalcove.com. Keep this document honest: if the code changes, we change this first.