Privacy · Last updated 6 July 2026
Privacy Policy
Retrography is a personal timeline. Your locations, photos, journal entries, and health data stay on your device and sync only through your own private iCloud — no accounts, no logins, no cross-app tracking, and nothing I could read even if I wanted to.
This isn't a privacy mode you switch on — it's how I built the app, on purpose. Two things leave your device: AI requests you trigger, and anonymous diagnostics (crash reports + feature-usage counts — no content, nothing that's you, and you can turn them off). Even the AI part transcribes voice on your device first (the audio never leaves), sends only to AWS Bedrock — Anthropic never receives your data, not used to train models — and is off until you opt in.
1Who I am
I'm an independent developer, and Retrography is a solo project I ship under the name 2amLabs. This policy covers the Retrography app (the "App") and the website at retrography.app. Retrography reads a fair amount from your phone to build a rich timeline — places, photos, health, and more — but it keeps all of it on your own devices and sends it nowhere. Your data staying with you, never on my servers, is the whole point — not a feature. You can reach me anytime at beta@retrography.app.
2Data the App reads from your device
With your explicit permission, the App reads the following from iOS to build your personal timeline. All of it stays on your device and in your private iCloud container.
Location
- Why: To detect visits to places (home, work, cafés, etc.) and build an automatic timeline.
- How: iOS visit monitoring and significant-location changes. "Always" authorization is requested so visits can be logged in the background, even when the app is closed.
- Where it goes: Your on-device database and your private iCloud container. Never sent to my servers.
Photos
- Why: To display photos from your library alongside places and events on your timeline.
- How: The App reads photos and their metadata (date, location) via the PhotoKit API.
- Where it goes: Photos stay in your library — the App only references them. Metadata is processed on-device. The exception is a photo you explicitly attach to an AI chat message — see §04.
Camera
- Why: To take a photo directly inside an AI chat when you don't want to switch to the Photos app.
- Where it goes: Shown in the chat and, if you send the message, it follows the same path as any attached photo (§04).
HealthKit data
- Why: To show workouts, steps, sleep, stand hours, active energy, and distance on your timeline.
- How: With your permission via HealthKit. The App may also write workout location back to Health when available.
- Where it goes: Health data stays in HealthKit and your on-device database. Never sent to my servers.
Motion & Fitness
- Why: To detect walking, driving, and cycling so the timeline shows how you moved between places.
- Where it goes: Processed on-device only.
Microphone
- Why: To dictate voice notes for journal entries.
- How: Audio is transcribed entirely on your device using Whisper (whisper.cpp) — no speech ever goes to a server, mine or anyone else's. The recording and the transcription stay on your device.
- Only if you then choose an AI writing action on the resulting text (§04) is text sent off-device — never the audio.
Bluetooth
- Why: To create event markers when you connect to known devices (headphones, car audio, speakers) so your timeline can show context.
- Where it goes: On-device only.
Reminders
- Why: To show completed Reminders tasks on your timeline.
- Where it goes: Read on-device; never sent off-device.
Notifications, Face ID
Optional. Face ID unlocks Privacy Mode (which hides journal entries, photos, and AI chats). Biometric data never leaves the Secure Enclave.
3iCloud sync
Retrography uses your private iCloud container to sync data between your own devices. I have no access to this container — it's Apple-managed and encrypted between your devices under your Apple ID. If you delete the app or your iCloud data, it's gone.
4Data sent off your device
Retrography has no user accounts and no analytics SDK inside the app. The only time data leaves your device is when AI features are enabled — chat, per-entry summaries, recap summaries, or on-request writing help — or when you opt in to optional integrations (Last.fm, in-app purchases, "On This Day").
Every AI feature is off by default. The first time you set up the App, I ask you — explicitly and in plain language — which AI features you want, and you can leave them all off. You can turn each one on or off anytime in Settings. Nothing about your journal, photos, or timeline is sent for AI processing unless you have opted in and then used the feature. This opt-in default applies from the beta build of 6 July 2026 onward; earlier beta builds had AI enabled by default.
AI chat, per-entry summaries, and recaps
Retrography uses AWS Bedrock to power these. They all follow the same path: the App contacts my authentication proxy on Netlify to get short-lived AWS credentials, then sends the request directly from your device to Amazon Web Services (AWS) Bedrock. The proxy itself never sees the contents of your prompts.
- Per-entry summaries. When the summary-on-save option is on, saving a journal entry sends the entry's text to AWS Bedrock for a one-time short summary (~500 characters). The summary is written back into the entry on your device; the model response is then discarded. Existing entries that already have a summary are not re-sent.
- Recap summaries (weekly, monthly, yearly). When recaps are enabled, the App sends entry text or prior short summaries to AWS Bedrock to generate the recaps shown in the Journal Explorer — when you open a period that doesn't yet have one, or when an existing recap is older than its source content.
- AI chat. When you ask a question in chat, the request includes the text of your prompt, the context you selected (which you can preview before sending), and any photos you attach — with each photo's capture date and, if present, GPS coordinates — so the model can describe what's in the photo. Photos you attach are also written to the App's private Documents folder so they persist in your chat history. That local copy is not synced to iCloud and is not sent anywhere else.
- AI writing help (correct & shorten). When you tap the correction or shortening action on an entry, that entry's text is sent to AWS Bedrock to fix punctuation, spelling, and formatting, or to condense a long entry — keeping your meaning, tone, and language. You trigger this manually, per entry; the cleaned-up text replaces the original on your device and the response is discarded. Dictated entries are transcribed on-device first — only the resulting text is ever sent, and only if you ask for it.
For all of these:
- AWS Bedrock runs Anthropic's Claude language model on AWS infrastructure. Anthropic does not receive your data; AWS hosts the model weights. Per Bedrock's service terms, AWS does not use customer content to train foundation models and does not share it with model providers.
- I do not store the content of your AI prompts, journal text, photos, or model responses on my servers. The only thing my backend keeps tied to your install is a per-device entitlement record (subscription state and recent transaction IDs for replay protection).
- See: AWS Service Terms (section 50 covers Bedrock) and AWS Privacy.
Authentication proxy
- The proxy exists only to issue short-lived AWS credentials and enforce rate limits. It uses Apple's App Attest service to verify requests come from a genuine copy of the App on a real device.
- It stores a per-install device identifier so entitlement and rate limits can be tracked. No personal identifiers, no email, no Apple ID.
In-app purchases
- Apple's StoreKit 2 handles the transaction when you unlock unlimited timeline history or subscribe to AI Pro Monthly.
- The App passes the StoreKit-signed transaction (a JWS issued by Apple) to my server, which verifies the signature against Apple's root certificate and stores only the Apple transaction ID (to prevent double-claiming), the product ID, and the resulting entitlement state. No payment-card data ever touches my server.
Music history (optional)
- Last.fm: If you enter a Last.fm username in Settings, the App calls the public Last.fm API with that username to fetch your scrobbles. Last.fm receives only the username you typed. No OAuth, no token stored.
- Spotify Extended Streaming History: If you import your Spotify takeout files, they are parsed entirely on-device. The takeout files never leave your device.
Public read-only APIs
For "On This Day", the App fetches public articles from Wikipedia, the New York Times Archive, and the Hacker News public API. These calls send only a date — no user data, no identifiers, no location. They're equivalent to opening those websites in a browser.
Diagnostics & analytics (anonymous)
So I can fix crashes and see which features people actually use, the App sends me a little anonymous feedback — to my own server, never a third party. Two kinds:
- Crash reports (via Apple's MetricKit): a stack trace plus device model, OS, and language, so I can hunt down the bug.
- Simple usage counts: feature, screen, and settings names — like "opened the photo explorer" or "turned on the Spotify box" — plus the choice you picked.
That's the whole list: no journal text, no photos, no location, no name or email. It's tied only to a random per-install ID, and you can switch it off anytime in Settings → Data Management.
5What I don't do
- I don't run user accounts, ask for your email, or collect personally identifying information.
- I don't use third-party analytics SDKs inside the App.
- I don't sell, rent, share, or license your data to anyone.
- I don't track you across other apps or websites.
- There's no advertising.
6Children
Retrography is not directed at children under 13, and I do not knowingly collect data from children.
7Third parties involved
- Apple — iCloud, HealthKit, Photos, StoreKit, App Attest (platform services).
- Amazon Web Services (Bedrock) — processes AI requests you voluntarily send. AWS runs the Claude model on its own infrastructure.
- Anthropic — creator of the Claude model used by Bedrock. Anthropic does not receive requests from this app; the model runs inside AWS Bedrock.
- Netlify — hosts the authentication proxy and this website.
- Last.fm (optional) — if you enter a username, public listening data is fetched from their API.
- Wikipedia, New York Times, Hacker News — public read-only APIs for "On This Day". Date-only queries; no user data sent.
- Umami — privacy-first, cookieless analytics for this website only. No cookies, no personal data, no cross-site tracking. Not used inside the App.
8Your choices
- Revoke any permission (Location, Photos, Health, Microphone, etc.) in iOS Settings at any time.
- Delete all Retrography data by deleting the App — local data is removed, and iCloud data is removed when you delete it from iCloud.
- Request deletion of the per-install device record held by the authentication proxy by emailing me with your device ID, which is visible in the App's Settings screen.
9Security
Data on device is protected by iOS's data-at-rest encryption. iCloud sync uses Apple's encryption under your Apple ID. The authentication proxy uses HTTPS and App Attest to reject requests from anything other than a genuine copy of the App.
10Changes to this policy
For minor changes — wording, contact details, a new read-only public source — I update the "Last updated" date at the top of this page. But if I ever change something material, such as sending a new kind of data off your device or adding a new processor, I'll ask you in the App before it takes effect, rather than quietly changing the rules. I don't send marketing or notification spam; consent screens appear only for genuine changes to how your data is handled.
11Contact
Questions or requests: beta@retrography.app. You'll hear back from me directly.