Most fitness apps collect everything. Your weight, your cycle, your medications, your mood. They store it on their servers. They promise to "use it responsibly." Then an acquisition happens, a breach happens, or a subpoena arrives, and the promise stops mattering.
Refit is built differently. This is the plain-language version of what that actually means.
What we promise
Three things. Narrow. Testable.
- Your data lives on your device. Your phone, your laptop. Not our servers. If you never turn on sync, we never see a byte of your health information.
- Sync is encrypted with a key we don't hold. When you do turn on cross-device sync, our server stores a scrambled copy of your data. We cannot unscramble it. The system is designed so that we can't.
- There is no account. No email, no password, no profile sitting on a user table somewhere. Nothing about you to leak, because we never collected it.
Why we can actually promise this
The first time you turn on sync, you pick a passphrase. That passphrase never leaves your device. It becomes the key that locks and unlocks your data.
Our sync server is a dumb box. It stores scrambled bytes under a shelf number and nothing else. It has no idea which bytes belong to which person. It could not tell you anything about you, because it has nothing about you to tell.
An analogy. Imagine mailing sealed envelopes to a warehouse. The warehouse files each envelope under your shelf number but never opens one. If the warehouse is robbed, the thief walks out with a pile of sealed envelopes and no way to read them. Our server is the warehouse. Your passphrase is the key on your keychain at home.
This is not a marketing claim. It is a structural property of how the system is built.
What a breach actually looks like
Say tomorrow a sophisticated attacker breaks into our infrastructure. They exfiltrate our entire sync database.
What they walk away with: a list of opaque shelf numbers and a matching pile of scrambled bytes.
What they do not get: your name, your email, your phone number, your weight, your sleep, your meals, your medications, your symptoms, your blood pressure, your period. We never asked for any of that, and the health data is encrypted with a key we do not hold.
That is the whole point of the architecture. The breach that exposes your health data is designed out of the system, because the data that would matter is not ours to lose.
The honest caveat
The two ways an attacker could still reach your plaintext health data are (a) malware on your specific device, and (b) a passphrase so weak that it is guessable. We cannot help with device malware. We do require strong passphrases at setup, and we generate one for you on request.
For developers and evaluators
If you want the full technical breakdown, including key derivation details, cipher choice, the CRDT merge that lets your phone and laptop converge after offline edits, the exact threat model, and known gaps on the roadmap, we publish it on a separate page.
Read the full technical breakdown: Refit Security.
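The sealed-envelope model described above, as an added sketch that is not Refit's own code. scrypt, AES-256-GCM, the blob layout, binding the shelf number into the ciphertext, and every function name are assumptions made for illustration; the real key derivation and cipher are documented on the separate technical page. It shows that the server-side store holds only a shelf number and ciphertext, and that a wrong passphrase or a blob moved to another shelf fails to open.

```javascript
// Added illustration, not Refit's code. scrypt, AES-256-GCM, the blob layout
// and all names below are assumptions; sample values are constructed.
const nodeCrypto = require('node:crypto');

// Device side: the passphrase is stretched into a 256-bit key locally.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // Node defaults: N=16384, r=8, p=1
}

// Device side: encrypt a record. Blob layout: salt(16) | iv(12) | tag(16) | ciphertext.
function seal(passphrase, shelfId, record) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(shelfId)); // bind the blob to its shelf (assumed design)
  const body = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Device side: decrypt. Throws if the passphrase, shelf id, or blob is wrong.
function unseal(passphrase, shelfId, blob) {
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(shelfId));
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Server side: the "warehouse". It receives a shelf id and bytes, never a key.
const serverStore = new Map();
function syncUp(shelfId, blob) {
  serverStore.set(shelfId, blob);
}

// Everything an attacker gets by copying the whole sync database.
function breachDump() {
  return [...serverStore].map(([shelfId, blob]) => ({ shelfId, blob: blob.toString('hex') }));
}

// Constructed sample run.
const sampleShelf = nodeCrypto.randomBytes(16).toString('hex');
const samplePass = 'constructed passphrase: tulip anchor merit 42';
syncUp(sampleShelf, seal(samplePass, sampleShelf, { weightKg: 71.4 }));
console.log(breachDump());
```

The strength of this arrangement rests on the passphrase: the salt is stored beside the ciphertext, so anyone holding the dump can test guesses offline, which is why a weak passphrase remains one of the two caveats listed above.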
Ready to try it?
Open Refit. Free, no account, works offline. Your data stays on your device unless you opt in to sync, and if you do, we still can't read it.