Development preview BackBy is still being tested. Do not rely on it yet for real emergencies or safety check-ins.

What that means

Privacy & safety

We designed BackBy to know less about you.

No account. No server-side contact list. No readable note. No stored IP address. Here is the plain version of what the service can see, what it cannot, and where risk remains.

The server stores

The minimum needed to run a Plan

  • Pseudonymous Plan events such as created, completed, rescheduled, or missed
  • An optional encrypted, padded note that the server cannot read
  • Public integrity records used to detect changes to history

The server does not store

Your identity or your support network

  • No plaintext legal name, phone number, contacts, or address book
  • No list showing who your Backers are
  • No cookies, analytics profile, session, or stored IP address

Your private note

You choose when Backers can read it.

Emergency Only is the default

Backers can read the note only when the Plan needs attention, Help is requested, or a completion contains the private safety signal. A normal completed Plan never exposes its note.

Right Away is optional

If you choose it, Backers can read the note as soon as the Plan is created. That also shares any legal name, phone number, or map pin included in that Plan.

Important limits

Privacy is a design choice, not a magic shield.

Someone who already knows a channel may observe activity

Like any internet service, the phone still makes a network connection. BackBy is designed not to retain IP addresses or identifying request logs. A network provider or someone who already knows a channel may still observe that activity occurred and roughly when, but cannot read the encrypted Plan header or note. Stronger private discovery remains in development.

Optional maps use another company’s tiles

Map sharing is off by default. Turning it on can reveal your IP address and viewed map area to the map provider. The app must warn you before the first map request.

A compromised phone can still expose local information

BackBy cannot protect against on-device malware, keyloggers, or every form of physical coercion. Protect your device and share Backer access only with people you trust.

BackBy is not emergency services

The server does not call police, counsel, family, or a rapid-response network. Your Backers decide how to respond using the plan you prepared.

Legal process

We cannot hand over information we never had.

If legally required, BackBy may be able to provide pseudonymous event records, encrypted notes, and integrity proofs. It cannot provide plaintext notes, stored IP addresses, or a server-side contact graph. Narrow legal holds may preserve specifically identified existing records; they do not turn on new logging.

Retention

Encrypted payloads have a fixed retention period, with safety floors that keep them available through the relevant Plan and attention window. Plan events are append-only and remain part of the integrity history.

For reviewers

Technical evidence, kept out of the everyday flow.

How note encryption works

Notes are encrypted on the device with AES-GCM. The unlock key is derived from the Backer secret shared by QR code or recovery words. The server never receives that key.

How state reads are protected

Sensitive reads require a per-Plan capability. A missing or wrong capability returns the same 404 response as missing data.

How history is meant to be checked

Every lifecycle change is a new append-only event. Public production is designed to publish signed tree heads and daily anchors so independent reviewers can detect tampering. Production evidence is not yet complete.

How the private safety signal works

On a PIN-protected Plan, two incorrect PIN attempts silently complete the Plan with a private safety signal. The Planner sees an ordinary success screen. Trusted Backers can recognize the signal and read the note; the server cannot tell whether the completion was normal or carried the signal.