Zero-Knowledge Architecture

Your data never leaves your phone.

PinkyBloom is built so that we cannot access your health data — even if we wanted to. Here’s exactly how it works.

What “on-device” actually means

Your health data — symptoms, mood, period dates, journal entries — lives in encrypted storage on your iPhone. It’s never uploaded to our servers. It never touches the cloud (unless you explicitly enable iCloud backup, which only you can access).

The AI assistant (Pinky) runs entirely on your phone’s chip using Apple Intelligence. Your conversations, your patterns, your predictions — all computed locally. Nothing leaves the device.

The contrast

Most period trackers upload your data to their servers. Some have shared it with Facebook. Others have been caught selling data to advertisers, data brokers, and even law enforcement.

PinkyBloom was designed so this is architecturally impossible. We don’t have your data. We can’t share what we don’t have.

What happens when you pair with a partner

Pairing happens face-to-face. No server. No internet. No accounts.

1. Both phones generate key pairs

Each device creates a Curve25519 key pair — a public key and a private key that never leaves the device.

2. QR codes scanned in person

You and your partner scan each other's QR codes, exchanging public keys face-to-face. No server involved.

3. Shared secret derived via ECDH

Using Elliptic Curve Diffie-Hellman, both phones independently compute the same shared secret — without ever transmitting it.

4. Stored in iOS Keychain

The shared secret is stored in the iOS Keychain, protected by Apple's hardware-backed Secure Enclave. It never leaves the device.

“The trust moment happens face to face.”

How partner sharing works

PinkyBloom encrypts

Your app creates a snapshot — cycle phase, mood, and energy — and encrypts it with AES-256-GCM using the shared secret.

Encrypted blob sent

The encrypted blob is sent to our relay server. The server receives ciphertext it cannot read, decrypt, or interpret.

Blind storage

Our server stores only the encrypted blob. It has no key, no context, and no way to determine what the data contains.

PinkyBond decrypts locally

Your partner's app (PinkyBond) downloads the blob and decrypts it on their device using the same shared secret.

“Our server is a mailbox. It passes sealed envelopes it cannot open.”
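The four pairing steps and the four sharing steps above, written out end to end as an added example. This is illustrative Go using only the standard library; it is not PinkyBloom's or PinkyBond's code (the apps run on iOS, where CryptoKit and the Keychain would do this work). Two details go beyond what the page states and are assumptions about a sound implementation: the raw X25519 output is run through HKDF-SHA256 before it is used as the AES-256 key, since "using the shared secret" leaves the key-derivation step open, and every blob carries a fresh random GCM nonce. The HKDF info label, the type and field names, and the sample snapshot are constructed for the example. The run shows that both phones arrive at the same key without transmitting it, that the relay's entire knowledge is an opaque byte string, and that a stored blob with a single flipped bit is rejected by the partner's device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Snapshot carries only the fields the page lists as shared with a partner.
type Snapshot struct {
	Phase  string `json:"phase"`
	Mood   string `json:"mood"`
	Energy int    `json:"energy"`
}

// Device is one phone: an X25519 key pair whose private half never leaves it, plus the AES-GCM instance held after pairing (a plain field here; Keychain-protected on iOS).
type Device struct {
	priv *ecdh.PrivateKey
	gcm  cipher.AEAD
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewDevice is step 1: generate the Curve25519 key pair. Without an OS random source there is no safe fallback.
func NewDevice() *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return &Device{priv: priv}
}

// Pair is steps 2 and 3: the scanned QR payload is the partner's 32-byte public key; X25519 gives both
// phones the same secret, and HKDF-SHA256 (RFC 5869, zero salt, one block) turns it into the AES-256 key.
func (d *Device) Pair(scanned []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(scanned) // rejects anything that is not 32 bytes
	if err != nil {
		return err
	}
	secret, err := d.priv.ECDH(pub) // rejects low-order points (all-zero output)
	if err != nil {
		return err
	}
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("partner-snapshot-v1\x01")) // placeholder info label || counter byte
	block, _ := aes.NewCipher(expand.Sum(nil))       // 32-byte output = AES-256 key; cannot fail
	d.gcm, _ = cipher.NewGCM(block)
	return nil
}

// Seal is the sending app's step: nonce || ciphertext || tag is the opaque blob the relay stores.
func (d *Device) Seal(s Snapshot) ([]byte, error) {
	if d.gcm == nil {
		return nil, fmt.Errorf("device is not paired")
	}
	plaintext, _ := json.Marshal(s)
	nonce := make([]byte, d.gcm.NonceSize()) // fresh per snapshot: a repeated GCM nonce leaks plaintext and lets forgeries pass
	_, err := rand.Read(nonce)
	must(err)
	return d.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the partner app's step; any alteration in transit or at the relay fails the tag check.
func (d *Device) Open(blob []byte) (s Snapshot, err error) {
	if d.gcm == nil || len(blob) < d.gcm.NonceSize()+d.gcm.Overhead() {
		return s, fmt.Errorf("not paired, or blob too short to hold a nonce and tag")
	}
	pt, err := d.gcm.Open(nil, blob[:d.gcm.NonceSize()], blob[d.gcm.NonceSize():], nil)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(pt, &s)
}

// RunExchange runs the whole flow: what was sent, what the partner read, the relay's byte count, and the error from a copy with one flipped bit.
func RunExchange() (sent, received Snapshot, relayBytes int, tamperErr error) {
	bloom, bond := NewDevice(), NewDevice()
	must(bloom.Pair(bond.priv.PublicKey().Bytes())) // each phone scans the other's QR code
	must(bond.Pair(bloom.priv.PublicKey().Bytes()))
	sent = Snapshot{Phase: "Luteal", Mood: "Tired", Energy: 2} // constructed sample
	relay, err := bloom.Seal(sent)                              // the relay stores exactly these bytes
	must(err)
	received, err = bond.Open(relay)
	must(err)
	relay[len(relay)-1] ^= 0x01 // the relay, or anyone in between, alters one bit
	_, tamperErr = bond.Open(relay)
	return sent, received, len(relay), tamperErr
}

func main() { fmt.Println(RunExchange()) }
```

The additional-data slot passed as nil to Seal and Open is where a real implementation would bind the pair's identifiers, so a blob stored for one partner cannot be presented to another; the example leaves it empty because the page does not describe such a field.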

What your partner sees (and doesn’t)

Shared

Cycle phase
Mood summary
Energy level
Custom status message

Never shared

Raw symptoms
Journal entries
AI conversations
Medical records
Voice recordings

Safety Mode

One tap sends fake, neutral data to your partner:

Phase: Follicular

Mood: Good

Energy: 3 / 5

No notification is sent. No trace is left. Your partner’s app looks completely normal.

Designed for users who need it — no questions asked.

What if we’re subpoenaed?

“We’d hand over encrypted blobs we cannot decrypt. Your plaintext health data has never existed on our servers.”

This isn’t a promise — it’s a technical fact. Zero-knowledge architecture means we are physically unable to produce your health data, because we never had it.

Want the legal details?

Read our full Privacy Policy →