The server stores
The minimum needed to run a Plan
- Pseudonymous Plan events such as created, completed, rescheduled, or missed
- An optional encrypted, padded note that the server cannot read
- Public integrity records used to detect changes to history
Privacy & safety
No account. No server-side contact list. No readable note. No stored IP address. Here is the plain version of what the service can see, what it cannot, and where risk remains.
The server stores
The server does not store
Your private note
Backers can read the note only when the Plan needs attention, Help is requested, or a completion contains the private safety signal. A normal completed Plan never exposes its note.
If you choose it, Backers can read the note as soon as the Plan is created. That also shares any legal name, phone number, or map pin included in that Plan.
Important limits
Like any internet service, the phone still makes a network connection. BackBy is designed not to retain IP addresses or identifying request logs. A network provider or someone who already knows a channel may still observe that activity occurred and roughly when, but cannot read the encrypted Plan header or note. Stronger private discovery remains in development.
Map sharing is off by default. Turning it on can reveal your IP address and viewed map area to the map provider. The app must warn you before the first map request.
BackBy cannot protect against on-device malware, keyloggers, or every form of physical coercion. Protect your device and share Backer access only with people you trust.
The server does not call police, counsel, family, or a rapid-response network. Your Backers decide how to respond using the plan you prepared.
Legal process
If legally required, BackBy may be able to provide pseudonymous event records, encrypted notes, and integrity proofs. It cannot provide plaintext notes, stored IP addresses, or a server-side contact graph. Narrow legal holds may preserve specifically identified existing records; they do not turn on new logging.
Encrypted payloads have a fixed retention period, with safety floors that keep them available through the relevant Plan and attention window. Plan events are append-only and remain part of the integrity history.
For reviewers
Notes are encrypted on the device with AES-GCM. The unlock key is derived from the Backer secret shared by QR code or recovery words. The server never receives that key.
Sensitive reads require a per-Plan capability. A missing or wrong capability returns the same 404 response as missing data.
Every lifecycle change is a new append-only event. Public production is designed to publish signed tree heads and daily anchors so independent reviewers can detect tampering. Production evidence is not yet complete.
On a PIN-protected Plan, two incorrect PIN attempts silently complete the Plan with a private safety signal. The Planner sees an ordinary success screen. Trusted Backers can recognize the signal and read the note; the server cannot tell whether the completion was normal or carried the signal.