← Home

Privacy · Last updated 6 July 2026

Privacy Policy

Retrography is a personal timeline. Your locations, photos, journal entries, and health data stay on your device and sync only through your own private iCloud — no accounts, no logins, no cross-app tracking, and nothing I could read even if I wanted to.

This isn't a privacy mode you switch on — it's how I built the app, on purpose. Two things leave your device: AI requests you trigger, and anonymous diagnostics (crash reports + feature-usage counts — no content, nothing that's you, and you can turn them off). Even the AI part transcribes voice on your device first (the audio never leaves), sends only to AWS BedrockAnthropic never receives your data, not used to train models — and is off until you opt in.

1Who I am

I'm an independent developer, and Retrography is a solo project I ship under the name 2amLabs. This policy covers the Retrography app (the "App") and the website at retrography.app. Retrography reads a fair amount from your phone to build a rich timeline — places, photos, health, and more — but it keeps all of it on your own devices and sends it nowhere. Your data staying with you, never on my servers, is the whole point — not a feature. You can reach me anytime at beta@retrography.app.

2Data the App reads from your device

With your explicit permission, the App reads the following from iOS to build your personal timeline. All of it stays on your device and in your private iCloud container.

Location

Photos

Camera

HealthKit data

Motion & Fitness

Microphone

Bluetooth

Reminders

Notifications, Face ID

Optional. Face ID unlocks Privacy Mode (which hides journal entries, photos, and AI chats). Biometric data never leaves the Secure Enclave.

3iCloud sync

Retrography uses your private iCloud container to sync data between your own devices. I have no access to this container — it's Apple-managed and encrypted between your devices under your Apple ID. If you delete the app or your iCloud data, it's gone.

4Data sent off your device

Retrography has no user accounts and no analytics SDK inside the app. The only time data leaves your device is when AI features are enabled — chat, per-entry summaries, recap summaries, or on-request writing help — or when you opt in to optional integrations (Last.fm, in-app purchases, "On This Day").

Every AI feature is off by default. The first time you set up the App, I ask you — explicitly and in plain language — which AI features you want, and you can leave them all off. You can turn each one on or off anytime in Settings. Nothing about your journal, photos, or timeline is sent for AI processing unless you have opted in and then used the feature. This opt-in default applies from the beta build of 6 July 2026 onward; earlier beta builds had AI enabled by default.

AI chat, per-entry summaries, and recaps

Retrography uses AWS Bedrock to power these. They all follow the same path: the App contacts my authentication proxy on Netlify to get short-lived AWS credentials, then sends the request directly from your device to Amazon Web Services (AWS) Bedrock. The proxy itself never sees the contents of your prompts.

For all of these:

Authentication proxy

In-app purchases

Music history (optional)

Public read-only APIs

For "On This Day", the App fetches public articles from Wikipedia, the New York Times Archive, and the Hacker News public API. These calls send only a date — no user data, no identifiers, no location. They're equivalent to opening those websites in a browser.

Diagnostics & analytics (anonymous)

So I can fix crashes and see which features people actually use, the App sends me a little anonymous feedback — to my own server, never a third party. Two kinds:

That's the whole list: no journal text, no photos, no location, no name or email. It's tied only to a random per-install ID, and you can switch it off anytime in Settings → Data Management.

5What I don't do

6Children

Retrography is not directed at children under 13, and I do not knowingly collect data from children.

7Third parties involved

8Your choices

9Security

Data on device is protected by iOS's data-at-rest encryption. iCloud sync uses Apple's encryption under your Apple ID. The authentication proxy uses HTTPS and App Attest to reject requests from anything other than a genuine copy of the App.

10Changes to this policy

For minor changes — wording, contact details, a new read-only public source — I update the "Last updated" date at the top of this page. But if I ever change something material, such as sending a new kind of data off your device or adding a new processor, I'll ask you in the App before it takes effect, rather than quietly changing the rules. I don't send marketing or notification spam; consent screens appear only for genuine changes to how your data is handled.

11Contact

Questions or requests: beta@retrography.app. You'll hear back from me directly.

← Back to Retrography