The privacy story
Last verified against the codebase: 3 July 2026
Said softly. Kept yours.
Alcove is a private journal that is yours alone. It is built so that no one — not Apple, not us, not anyone who takes your phone or your iCloud backup — can read what you keep. This document is the canonical, honest account of how that works: what stays on your device, what is encrypted, the little that ever leaves (and in what form), and the few honest caveats. It is the source of truth for the App Store privacy label, the onboarding copy, and any marketing claim — nothing here is aspirational; it describes the code as built.
There is no server we run. Alcove has no backend, no account system, and no analytics. That isn't a policy promise we could quietly break — it is the architecture. There is nowhere for your data to go.
The five promises
- On your device. Your entries, photos' places, walks, and the AI that reads them all live and run on your iPhone.
- Encrypted, always. Everything you keep is encrypted at rest with a key only your devices hold.
- No account, no tracking. No sign-up, no email required, no analytics, no ad identifiers, no third-party SDKs that phone home.
- Sync is yours. If you turn it on, sync runs over your own iCloud as encrypted blobs we (and Apple) cannot read — never a server we operate.
- You can leave with everything. Full plaintext export and full local erase, any time.
On-device by default
- The AI is on-device. Every word the assistant writes — day narration, the daily invitation, the reflection question, the Kept Report, Ask Alcove, the Scrapbook narration, the writing prompt — is generated by Apple's on-device Foundation Models. Your entries, calendar titles, and places are fed only to the local model. There is no remote model, no Private Cloud Compute, no Claude/OpenAI call — none is built or even linked. When the on-device model isn't available, the app falls back to plain local templates, never to a network.
- Dictation is on-device. Voice entries use the on-device speech recognizer only (a hard invariant). If a device can't transcribe locally, dictation is simply absent — audio is never sent anywhere.
- Voice notes and their words stay here. A sound memo's audio is sealed (AES-GCM) on this device, and its transcript is read entirely on-device. The words are stored encrypted alongside your timeline. The audio normally never leaves the device either — the exceptions are deliberate, opt-in choices (offloading a recording to your own iCloud to free space, or turning on “Back up everything”), and both upload the same already-sealed file, ciphertext only. Nothing is uploaded unless you choose it.
- Photo reading is on-device (and the words are opt-in). The timeline stores photo dates and places only. With the Photos source on, Alcove scores photos for quality on this device so the Scrapbook can lead with your best shots — wordless, nothing kept but a number. Turn on Let Alcove look (off by default) and Apple's on-device classifier additionally glimpses scene words to ground the day's narration. Pixels are read in memory and never stored.
- Finding meaning is on-device too. Ask Alcove and Threads reach past exact words to related moments using an on-device text embedding. It may download Apple's model assets over the air, but never your words: your entries are turned into vectors and stored encrypted on this device, and neither the text nor the vectors ever leave it.
- Suggestions stay out of our reach. “Suggested from your day” uses Apple's Journaling Suggestions, which runs out of process: the system shows you places, companions, and what you listened to — from signals on your phone that Alcove never sees — and hands back only the one you tap. It is not a new way for data to leave; it is a way for you to bring more in, privately.
- The map is on-device — including place names. The Fog-of-World map and your trails are rendered and stored only on the device. The names of the cities, states, countries and continents you've explored are resolved entirely offline, from bundled geographic data shipped inside the app. No coordinate is ever sent anywhere to be named.
- Weather is opt-in, off by default. Turn on Local weather and Alcove asks Apple Weather for conditions over places your days actually held — at most a few coarse (~25 km) cells per day, results stored encrypted. Off, and no coordinate ever goes to a weather service.
Encryption — what “encrypted” actually means
- Every store of journal data is sealed with AES-GCM-256 before it touches disk. This covers all of it: entries, day records, daily invitations, chance-card history, streak, Kept Reports, Scrapbook narration, the timeline index (photo references + geotags), trails (GPS paths), Privacy Zones, and the Ask search index (meaning-vectors derived from your entries, computed on-device).
- The encryption key is a 256-bit random key generated on-device and kept in the iCloud Keychain (Apple's end-to-end-encrypted keystore). It never leaves for any server, is never written into an app file, and is never logged. It roams to your other devices only through iCloud Keychain, which Apple itself cannot read.
- Encrypted files are excluded from iCloud/iTunes device backups, so the ciphertext doesn't even ride along in a backup.
Sync — your iCloud, ciphertext only
- Sync is optional and uses CloudKit's private database in your own iCloud account. We have no database of our own.
- What is uploaded is the already-encrypted file — the raw AES-GCM envelope bytes. Apple's servers store ciphertext; the key stays in your Keychain. Neither Apple nor we can read it.
- Your Privacy Zones never sync at all, under any setting — they are the one thing that stays only where you set it.
- The honest caveat (metadata): because sync uses CloudKit, Apple can see the existence of encrypted records, their sizes, and modification times for an iCloud-synced user. It can never see content. This is intrinsic to using iCloud and is the one thing about sync we don't control. Sync off → none of this.
No accounts, no tracking
- No account is required, ever. Identity is a random ID generated on your device. Anonymous use is first-class forever.
- Sign in with Apple is optional and gates nothing — it exists only to let your identity roam for multi-device continuity. Its identifier and your given name live in iCloud Keychain, not in any backup, not on any server.
- Zero third-party SDKs. No analytics, attribution, crash-reporting, or advertising frameworks are linked — no IDFA, no tracking prompt because there is nothing to track. The App Store label is “Data Not Collected.”
Location — the precise truth
Location is the most sensitive thing a journal touches, so here is the exact picture, without rounding:
- Privacy Zones never leave the device — not even encrypted. Trails stay device-only by default; they leave only if you opt into Atlas backup, and then only as sealed ciphertext to your own private iCloud.
- Privacy Zones redact before storage. A zone you drop (e.g. home) is checked at the moment of capture — a fix inside a zone is never written, never stored.
- An entry's place stamp is end-to-end encrypted. If you opt into stamping an entry with where you were, and you use iCloud sync, that coordinate travels inside the encrypted entry blob to your own private iCloud. No server sees it in readable form — but, to be fully honest, those encrypted bytes do leave the device. If you want zero location egress, leave entry stamping off — trails and Zones never sync regardless.
- Stamping is off by default and opt-in.
What ever leaves the device — the complete list
- Encrypted CloudKit blobs to your own iCloud private DB — the synced journal (sync on), and with backup on, your voice recordings, hand-added moments, and trail shards. Ciphertext only, in your own iCloud.
- The encryption key + identity (and the trial-start date) via iCloud Keychain (Apple E2EE) — the trial date is a timestamp, never content.
- A user-initiated export — a plaintext JSON copy, or a
.alcovebackuprestore file, explicitly sent through the iOS share sheet. The backup file carries your sealed data and your journal key (raw by default, or wrapped under a password you choose). This is data portability; you choose where it goes. - The purchase (a one-time unlock) runs through StoreKit 2 directly — Apple's App Store sees a receipt and an anonymous purchase, never journal content. No subscription, no payments middleman, and no account with us.
- (Opt-in, off by default) Local weather — coarse (~25 km) cells of places your days held, sent to Apple Weather. The one feature that sends a location off-device; results cached and stored encrypted.
- (Only while you type) Location-search text — when you use the timeline's Where filter and type a place, those characters go to Apple's map-search service to offer matches. Only the text you type; no coordinate of yours is sent.
That is the entire list. Apart from the opt-in weather lookup and the location search you trigger by typing, there is no other network path in the app: no URL, no HTTP client, no socket, no web view. (Place names are resolved entirely on-device from bundled data — © GeoNames (CC BY 4.0) and Natural Earth (public domain).)
Your control
- Export everything, any time: a self-contained restore file, or a readable plaintext JSON copy.
- Erase everything locally, any time — delete the app and every scope file, sealed recording, and preference goes with it.
- App Lock (Face ID / passcode) with a privacy veil that hides content in the app switcher.
- Privacy Zones to fence off places that should never be recorded.
- Per-source opt-in — photos, places, health, calendar each off until you turn them on, each explained before it asks.
Questions about privacy? Email support@meetalcove.com. Keep this document honest: if the code changes, we change this first.