Why your health data belongs on your device

The average fitness app sends your weight, sleep, and meals to half a dozen third parties before you've even finished logging breakfast. Analytics SDKs, crash reporters, marketing pixels, AI training pipelines, each with its own retention policy and its own breach risk. Health data is uniquely sensitive: it's tied to your body, your identity, and in many jurisdictions your insurability. Once it leaves your device, you have no way to get it back.

What "private" usually means (and doesn't)

Most apps sell "privacy" while quietly storing everything on their servers. Common dodges:

• "Your data is encrypted in transit." So is everything on the modern web. That's table stakes, it tells you nothing about who can read it once it lands.
• "We don't sell your data." Not today. Not under this management.
• "Zero-knowledge encryption." Usually true for the primary blob, but not for the metadata, usage patterns, or the inevitable "optional" analytics layer.

These aren't lies. They're just designed to make you feel safe while the underlying architecture still depends on a company you'll never meet.

How Refit stores your data

Refit stores everything in your browser's localStorage. Not encrypted-in-the-cloud. Not "zero-knowledge". On your device. We run a small, opt-in sync relay (see Sync that can't read you), but it only ever holds ciphertext with a key we do not have. There is no server of ours that can be breached, subpoenaed, or sold for readable health data. When you clear the app, your local data is gone, from the universe, not just our logs.

Refit is consumer software, not a HIPAA-regulated service, and not a substitute for clinical record-keeping. The privacy posture on this page is about architecture, not compliance claims.

Every tracker, food, water, weight, sleep, mood, meds, symptoms, blood pressure, period, writes to a key like fittrack_2026-04-10. That's it. The web app is a static HTML/CSS/JS bundle; there's no backend database holding your profile. You can inspect the data yourself in devtools. You can export it as JSON any time.

The closest real comparison is a privacy-first note tool that stores your notes as plain Markdown files on your filesystem, readable by any editor, forever. Refit applies the same principle to health tracking.

The trade-offs are real

This architecture isn't free. You give up:

• Automatic cross-device sync, unless you opt in to our encrypted relay (AES-256-GCM over a passphrase-derived key; the relay only ever sees ciphertext).
• Social features. No streaks with friends. No leaderboards.
• Cloud-based restoration if you lose your phone. You control the backup; we can't recover it for you.

For most people, that's the right trade. The apps that "help you" the most are the ones with the most intrusive architecture. Refit is deliberately less ambitious, and that's why it can stay honest.

What you gain

• No account. Open the app. Start logging. Done.
• Minimal breach risk. We never collected your health data, so a compromise of our infrastructure has nothing readable about you to expose.
• Always portable. Your data stays on your device in open formats. Readable anywhere, locked to nothing.
• Future-proof formats. Your logs live in plain JSON and CSV - readable in any text editor, importable into any tool.

A health tracker you can't delete is a health tracker that doesn't respect you. We think that's the bar. So Refit is, and will always be, a tracker you can walk away from, with all your data, in a single click.