How Joust protects your data
Your protocol lives on your device, encrypted with a key only you hold. Our servers store scrambled data we cannot read — not because we promise not to, but because we built it so we can't.
Why we built it this way
People who track peptides, GLP-1s, TRT, and other self-directed protocols are handling some of the most sensitive information about themselves there is — what they take, how much, how their body responds, their bloodwork. That information deserves to be private by default, not private by policy.
Most apps "protect" your data by promising to be careful with it. That promise is only as good as the company keeping it, its security team, its lawyers, and whoever eventually buys it. We didn't want you to have to trust a promise. So Joust is built so that the data on our servers is unreadable to us in the first place. There's nothing for us to sell, leak, hand over, or change our minds about.
The honest framing: Privacy by architecture, not privacy by policy. The difference is whether your trust depends on our intentions or on our math.
End-to-end encryption, in plain terms
Think of every piece of data you enter — a compound name, a dose, a schedule, a lab value — as going into a locked box before it ever leaves your phone. The box travels to our servers and sits there locked. We store the box. We do not have the key.
When you open Joust, your device unlocks the boxes locally, shows you your data, and re-locks anything you change before sending it back. The unlocking only ever happens on your device, in memory, for as long as you're using the app.
You sign in with Apple or Google — and we never get a password
Joust has no password for you to create, and we never store one. You sign in with Apple or Google, the way you already sign in to lots of apps. That proves who you are without ever handing us a secret we'd then have to protect.
But signing in is separate from unlocking. The key that decrypts your data isn't your Apple or Google login — it's a separate key that lives on your device and syncs privately across your own Apple devices. We never hold it, and neither Apple nor Google can read it.
What happens on a new device, or if you lose access
Most of the time, switching to a new iPhone just works: your custody key syncs through iCloud Keychain, and Joust unlocks itself. You don't have to do anything.
For the cases where that sync isn't available — a brand-new device that hasn't synced yet, or losing access to the Apple/Google account or iCloud Keychain that normally carries your key — Joust gives every account a 24-word recovery phrase as a deep backstop. It's a second, fully independent way to unlock your data that doesn't depend on any of your accounts or any device sync.
We don't throw the phrase at you during signup, where it'd be easy to skip past and forget. Instead it's always available in Settings → Recovery phrase, and we recommend you save it somewhere safe and offline (a password manager, or written down) once you're set up. It's the one thing that can restore you no matter what happens to your devices or accounts — and because we don't have it, nobody but you can use it.
What our servers can — and cannot — see
We think the honest version of this is more reassuring than a vague "we take privacy seriously," so here's the actual split.
Encrypted, so we cannot read it: every compound name and what class it is; every dose, schedule, and titration step; all bloodwork values and panels; vial details, concentrations, and inventory; goals, notes, side-effect observations, and skip reasons; progress photos.
Plaintext, so we can see it: your email address (held only in the authentication system, used to log you in and contact you about your account); subscription state and billing bookkeeping (trial dates, active/past-due status, checkout IDs); a compound's form factor — whether it's an injection, an oral, a patch, etc.; timestamps of when records were created or changed.
Why form factor is plaintext but the compound isn't: the app needs to know whether to draw a syringe icon or a pill icon without ever knowing which compound it is. Knowing something is "an injectable" tells us nothing about what it is, who you are, or your protocol. The identity — the part that's actually sensitive — is encrypted. Everything plaintext is either non-identifying structure or the minimum billing data needed to run a subscription. None of it is your health information.
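An added illustration of that split, not Joust's code: the page does not say which cipher or record layout Joust uses, so AES-256-GCM, the field names and the JSON layout below are assumptions. The sensitive fields are sealed on the device, and the plaintext fields are bound to the ciphertext as associated data, so a change made to them on the server is detected when the device decrypts.

```javascript
// Added example. Cipher, field names and layout are assumptions, not Joust's design.
const crypto = require('node:crypto');

// Fields the server may see in the clear (per the page: form factor, timestamps).
const PLAINTEXT_FIELDS = ['id', 'formFactor', 'updatedAt'];

// Separate a record into server-visible metadata and device-only content.
function splitRecord(record) {
  const plain = {}, secret = {};
  for (const [k, v] of Object.entries(record)) {
    (PLAINTEXT_FIELDS.includes(k) ? plain : secret)[k] = v;
  }
  return { plain, secret };
}

// Canonical bytes of the plaintext metadata, used as AEAD associated data.
function aadFor(plain) {
  return Buffer.from(JSON.stringify(PLAINTEXT_FIELDS.map(k => [k, plain[k] ?? null])));
}

// Runs on the device: returns what would be uploaded.
function sealRecord(key, record) {
  const { plain, secret } = splitRecord(record);
  const iv = crypto.randomBytes(12); // fresh nonce per record version
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aadFor(plain));
  const blob = Buffer.concat([c.update(JSON.stringify(secret), 'utf8'), c.final()]);
  return { ...plain, iv: iv.toString('base64'),
           tag: c.getAuthTag().toString('base64'), blob: blob.toString('base64') };
}

// Runs on the device: throws if the key is wrong or any stored field was altered.
function openRecord(key, stored) {
  const { iv, tag, blob, ...plain } = stored;
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
  d.setAAD(aadFor(plain));
  d.setAuthTag(Buffer.from(tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(blob, 'base64')), d.final()]);
  return { ...plain, ...JSON.parse(pt.toString('utf8')) };
}
```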
Bloodwork stays on your device
When you import a Quest or LabCorp PDF, the parsing happens entirely on your device. The PDF is read locally to pull out your lab values, those values are encrypted with your key, and then the PDF is discarded. We never upload it, never store it, and never send it to any third party or AI service for processing.
Progress photos
Photos follow the exact same rule as the rest of your data. They're encrypted on your device before upload and stored as encrypted blobs we can't open. When you view one or build a share card, your device decrypts it in memory only — the decrypted image is never written back to disk in the clear or sent over the network. Share cards are composed locally on your device; we never create a server-hosted copy of your photo.
What we deliberately don't do
We don't sell your data. There's no data-broker relationship, no "anonymized" data resale, none of it. (And as above — your protocol data is encrypted, so there's nothing readable to sell.) We don't run ad trackers — no advertising SDKs, no third-party pixel tracking, no cross-app profiling. We don't build a clinical record on you; Joust is a personal tracker, not a medical database. We don't store your lab PDFs or cache your Apple Health data on our servers. We don't have a social graph or multi-user model — your account isn't connected to anyone else's, no feed, no follower list, no way for another user to see your data.
The telemetry we do collect — and how to turn it off
We'd rather tell you exactly what we collect than hide behind "we collect some usage data." To ship a stable app and understand whether features work, Joust collects two narrow, anonymous streams: crash reports (so we can fix bugs we'd otherwise never see) and product analytics (a short list of lifecycle events — app opened, signed up, started a trial, completed a purchase, imported bloodwork, and similar — so we can tell whether the app is working for people).
Both are anonymous and never tied to your identity or your protocol: they're keyed to a random ID generated on your device at install, not to your account, email, or anything that identifies you; they never include any of your health data — no dose values, no compound names, no schedules, no bloodwork, no goals (a scrubber strips that data automatically before anything is sent, so it can't leak even by accident); there's no session recording, no automatic screen capture, no "record everything" mode. Only the specific events on our list are sent.
And you can turn both off completely in Settings → Privacy, effective immediately. This is also disclosed in our App Store privacy label, under "Data Not Linked to You."
Payments
When you subscribe, your payment is handled by Apple through the App Store. Apple sees what it needs to process a card — we never do. On our side, we store only plaintext subscription bookkeeping: your status, trial dates, and the customer IDs needed to keep your access in sync. Your billing data and your health data never touch each other, and the App Store receives none of your protocol information.
You control your data, and you can delete it
Your data is yours, and you can delete your account and everything in it at any time. Deletion is real and complete — it's not a flag that hides your data while we keep a copy.
We want to be straight about one thing here, because a lot of apps are vague about it: today Joust does not have a one-tap "export everything" feature. Your data is fully readable to you inside the app, and it's encrypted such that it isn't readable to anyone else — but a portable download you can take elsewhere isn't something we offer yet. We'd rather tell you that plainly than imply a portability we haven't built.
"What if…"
An attacker who got into our database would find your email, your subscription status, and a pile of encrypted blobs they can't read without your key — which isn't there. The sensitive part of a Joust breach is mathematically inert.
If we're served with a legal demand: We can only ever produce what we actually hold: your email and billing bookkeeping, plus ciphertext we can't decrypt. We can't be compelled to hand over plaintext protocol data because we don't possess it and have no means to produce it.
If your phone is lost or stolen: Your data isn't usable to whoever finds it — it's encrypted, and the key to read it is locked inside the device's secure Keychain, not sitting in the app. You sign in to a new device with Apple or Google, your key syncs back through iCloud Keychain, and you're restored. If that sync isn't available, your 24-word recovery phrase brings everything back.
If Joust shuts down: Two honest halves. The reassuring half: your sensitive data was always encrypted with a key we never held, so a shutdown never exposes it to us or anyone else. The straight half: as noted above, we don't yet offer a full data export, so we wouldn't pretend a shutdown is zero-friction for getting your history out. Building that export is the right thing to do, and it's on our radar precisely because "you control your data" should mean you can take it with you.
One thing we're not
Joust is a personal health tracker, not medical advice. We help you record what you take and see how your body responds — we don't tell you what to take, what to change, or what your numbers mean. The decisions are yours; we just make them easier to track honestly.
Questions about any of this? Reach us at support@getjoust.app. For the formal legal terms, see our Privacy Policy and Terms of Service.