Regimio users track sensitive protocol data: research peptides, compounded GLP-1s, medically supervised TRT, supplements, labs, and symptom check-ins. Some users are fully supervised. Some are more private. None of them want that data sitting in someone else's database by default.
For both groups, privacy isn't a checkbox in the settings tab. It's the architectural precondition. If we screw it up, we don't have a product.
The default position
Every other health app starts the same way: create an account, accept the cloud sync, agree to "improve our service through analytics." You're told you can opt out, somewhere, but the defaults are flipped against you.
Regimio's defaults:
- No account required. Free and Pro both work without one.
- No cloud sync. Data lives in a SQLite database in the app's sandboxed storage. iOS Documents folder. Android internal storage.
- No remote logging of doses, symptoms, or lab values. Sentry crash reporting is opt-in, and the values are scrubbed.
- No third-party analytics SDKs. No Mixpanel, no Amplitude, no Segment, no Firebase Analytics.
- No advertising SDKs. Ever.
The first time you open Regimio, you don't sign up. You don't sign in. You just start logging. The privacy badge on the home screen reads 🔒 Local so you don't have to dig through settings to confirm where your data is.
What we'll never do
I wrote this list before the first commit, and it ships verbatim in the app:
We will never:
- Sell your data to anyone. Period.
- Share data with research partners by default.
- Show "consult your doctor" pop-ups before you log a compound.
- Restrict which compounds you log.
- Build features that require an account before you can use the app.
- Auto-enroll you in cloud sync without asking.
- Auto-write doses or symptoms back to HealthKit.
- Send analytics events that include compound names, doses, or lab values.
- Make the privacy policy harder to read than a settings page.
- Send you marketing email without explicit opt-in.
When sync is implemented in v1 (and it will be, because some users want it), it will be opt-in, Apple-Sign-In-only, encrypted with a key that lives in iCloud Keychain (not in our database), and gated behind a separate explicit consent screen.
The four-layer model
Architecturally, Regimio is built in four layers:
1. Storage. All domain data (compounds, doses, symptoms, labs, vial state) lives in a SQLite database in the app's sandboxed Documents folder. The OS enforces app-level isolation. No other app can read this file without explicit user permission. We use Drizzle ORM for type-safe queries.
2. Keychain. Anything sensitive that isn't domain data (sync keys, biometric tokens, subscription receipts) lives in iOS Keychain or Android Keystore. Hardware-backed where the device supports it.
3. Transit. The only network calls in v0 are App Store / Play Store IAP receipts (Apple and Google handle this), opt-in Sentry crash reports (TLS 1.3, scrubbed), and the optional iCloud Drive document sync (encrypted client-side before upload).
4. Sync (opt-in only). When you enable multi-device sync, your SQLite file is wrapped in an envelope encrypted with a key stored in iCloud Keychain. We don't see the contents. Apple sees ciphertext. The compromise model is: if your iCloud account is hacked, the attacker has encrypted blobs. They need the local Keychain key, which syncs only to devices signed in to your Apple ID, to read anything.
The threat model, honestly
There are threats we defend against, threats we mitigate, and threats we don't pretend to solve.
Lost device. Optional Face ID / Touch ID gates the app and Settings. Apple/Google device encryption protects data at rest as long as you have a passcode. This is the most common real-world threat and the one we handle best.
Cloud breach (sync mode). Your data is encrypted client-side with a key Apple doesn't hold. A compromised iCloud account still requires the Keychain key to read your stack.
Targeted forensic compromise. If a state-level adversary has physical custody of your unlocked device with biometrics bypassed, no consumer app saves you. The one-tap erase button exists for the moment before a hand-off: Settings → Danger Zone → Erase Everything. SQLite dropped, Keychain purged, caches removed. Final.
Insider threats at Regimio. We don't run a server with user data. There's no engineer with a button that reads your stack. We physically can't get to it. This is by design.
Phishing. There's nothing to phish in the default flow. Sync mode uses Apple Sign-In with hardware-backed credentials, which puts it out of scope for typical phishing.
What "scrubbed" actually means
Sentry, our crash reporter, is opt-in. If you enable it (Settings → Diagnostics), we get stack traces with compound names, dose values, and lab values removed before submission. Implementation:
Sentry.init({
  beforeSend(event) {
    // Redact these keys wherever they appear in the event before it leaves the device.
    return scrubValues(event, [
      "compoundName", "doseAmount", "biomarker", "labValue", "vialSize"
    ]);
  },
});
We see "Crash in recon.calculateRecon at line 47, in vial reconstitution flow." We don't see "User Marcus injected 250 mcg of BPC-157." That's not a value to us. It's just a string we filter.
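The post shows the hook but not the helper. The following is an added example of how a scrubValues helper of that shape can be written; it is not Regimio's code, and the event layout, the DOMAIN_KEYS list and the fail-closed beforeSend wrapper are assumptions. It walks the whole event recursively (extra, contexts, tags, breadcrumb data, anything nested) rather than only the top level, returns a copy so the in-memory event is untouched, and runs a second pass that drops the event entirely if a forbidden key somehow survived, which is the behaviour Sentry gives you when beforeSend returns null.

```javascript
const REDACTED = "[redacted]";

// Keys that must never reach the crash reporter (list taken from the post; the
// real app's list may differ).
const DOMAIN_KEYS = ["compoundName", "doseAmount", "biomarker", "labValue", "vialSize"];

// Return a deep copy of `node` in which the value of every property named in
// `keys` is replaced, at any depth, inside arrays as well as objects.
function scrubValues(node, keys) {
  const forbidden = keys instanceof Set ? keys : new Set(keys);
  if (Array.isArray(node)) return node.map((item) => scrubValues(item, forbidden));
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = forbidden.has(key) ? REDACTED : scrubValues(value, forbidden);
  }
  return out;
}

// Independent check: does any forbidden key still carry a real value anywhere?
function leaksForbiddenKey(node, keys) {
  const forbidden = keys instanceof Set ? keys : new Set(keys);
  if (Array.isArray(node)) return node.some((item) => leaksForbiddenKey(item, forbidden));
  if (node === null || typeof node !== "object") return false;
  return Object.entries(node).some(
    ([key, value]) => (forbidden.has(key) && value !== REDACTED) || leaksForbiddenKey(value, forbidden)
  );
}

// Same contract as Sentry's beforeSend: return the event to send it, null to drop it.
// Fail closed: if the scrub pass and the check pass disagree, nothing is sent.
function beforeSend(event) {
  const scrubbed = scrubValues(event, DOMAIN_KEYS);
  return leaksForbiddenKey(scrubbed, DOMAIN_KEYS) ? null : scrubbed;
}

// Constructed sample event shaped like a crash in the vial reconstitution flow.
const SAMPLE_EVENT = {
  message: "TypeError in recon.calculateRecon",
  extra: { compoundName: "BPC-157", doseAmount: 250, screen: "ReconstitutionScreen" },
  contexts: { app: { build: "0.9.0-beta" } },
  breadcrumbs: [
    { category: "ui", data: { vialSize: 5, step: "enter-volume" } },
    { category: "nav", data: { to: "/vials/new" } },
  ],
};

function scrubbedSample() {
  return beforeSend(SAMPLE_EVENT);
}

module.exports = { REDACTED, DOMAIN_KEYS, scrubValues, leaksForbiddenKey, beforeSend, scrubbedSample, SAMPLE_EVENT };
```

The design choice worth copying is the second pass: a scrubber that only ever runs once is a single point of failure, whereas scrub-then-verify means a bug in one function has to coincide with a bug in the other before a dose value leaves the device.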
Why "consult your doctor" doesn't appear
Half our users run protocols their doctor would never approve. A "consult your doctor before logging" pop-up wouldn't just be useless; it would actively damage the product. It'd push users back to spreadsheets and ChatGPT, where the data is more exposed and the math is worse.
So Regimio doesn't ask. Your stack, your call. If you want a doctor's input, generate the doctor PDF export and bring it to your visit. The app is the tool. You're the user. We don't read between the lines.
What "no analytics on values" looks like in practice
If we send a single analytics event in the entire app, it's tracking something like: "vial_create_started" → "vial_create_completed": the event name, not the event payload. Did the user complete the flow? Yes/no. We never need to know what compound they were logging.
This is the bar: an event Regimio logs about you should be useful to debugging the product, not useful to profiling you.
Why we're saying this out loud
Privacy isn't a posture we can prove. It's an architecture we have to commit to and live with. This blog post is the receipt: it gets indexed, it gets archived, it gets quoted back to us if we ever drift.
We are saying it now so the version of us that exists 2 years from now (bigger team, bigger pressure, real revenue) has a public document to compare against.
If we ever change this, you'll find out from the changelog, not a press release.
Read the full privacy posture and the security architecture. Or skip the words and join the beta.