Regimio users track sensitive protocol data: research peptides, compounded GLP-1s, medically supervised TRT, supplements, labs, and symptom check-ins. Some users are fully supervised. Some are more private. None of them want that data sitting in someone else's database by default.
For both groups, privacy isn't a checkbox in the settings tab. It's the architectural precondition. If we screw it up, we don't have a product.
The default position
Every other health app starts the same way: create an account, accept the cloud sync, agree to "improve our service through analytics." You're told you can opt out, somewhere, but the defaults are flipped against you.
Regimio's defaults:
- No account required. Free and Pro both work without one.
- No Regimio cloud database in MVP. Data lives in app-local storage protected by the mobile OS sandbox.
- No remote logging of doses, symptoms, or lab values. Sentry crash reporting is opt-in, and the values are scrubbed.
- No third-party analytics SDKs. No Mixpanel, no Amplitude, no Segment, no Firebase Analytics.
- No advertising SDKs. Ever.
The first time you open Regimio, you don't sign up. You don't sign in. You just start logging. The privacy badge on the home screen reads 🔒 Local so you don't have to dig through settings to confirm where your data is.
What we'll never do
I wrote this list before the first commit, and it ships verbatim in the app:
We will never:
- Sell your data to anyone. Period.
- Share data with research partners by default.
- Show "consult your doctor" pop-ups before you log a compound.
- Restrict which compounds you log.
- Build features that require an account before you can use the app.
- Auto-enroll you in cloud sync without asking.
- Auto-write doses or symptoms back to HealthKit.
- Send analytics events that include compound names, doses, or lab values.
- Make the privacy policy harder to read than a settings page.
- Send you marketing email without explicit opt-in.
If multi-device sync ships later, it will be opt-in, separately explained, and reflected in the privacy policy plus store privacy disclosures before release.
The four-layer model
Architecturally, Regimio is built in four layers:
1. Storage. All domain data (compounds, doses, symptoms, labs, vial state) lives in app-local storage controlled by the mobile OS sandbox. No other app can read this data without explicit user action through export or share flows.
2. Local control. Regimio avoids a default account model in MVP. The main controls are local erase, local export, OS-level device protection, and store-managed subscription access.
3. Transit. The network surfaces in MVP are App Store / Play Store subscription checks, RevenueCat entitlement checks, opt-in Sentry crash reports (scrubbed), support links opened by the user, and user-controlled export or share flows.
4. Future sync. Multi-device sync is not part of MVP. If it ships later, it needs explicit opt-in, clear privacy copy, and updated store disclosures before release.
The threat model, honestly
There are threats we defend against, threats we mitigate, and threats we don't pretend to solve.
Lost device. Optional Face ID / Touch ID gates the app and Settings. Apple/Google device encryption protects data at rest as long as you have a passcode. This is the most common real-world threat and the one we handle best.
Cloud breach. Regimio does not run a cloud database for user health data in MVP, which removes a major server-side breach path for stack, dose, lab, and check-in data.
Targeted forensic compromise. If a state-level adversary has physical custody of your unlocked device with biometrics bypassed, no consumer app saves you. The one-tap erase button exists for the moment before a hand-off: Settings -> Danger Zone -> Erase Everything. Local Regimio app data cleared. Final.
Insider threats at Regimio. We don't run a server with user data. There's no engineer with a button that reads your stack. We physically can't get to it. This is by design.
Phishing. There is no Regimio account to phish in MVP. Users should still protect their Apple ID or Google account because subscriptions are managed through the stores.
What "scrubbed" actually means
Sentry, our crash reporter, is opt-in. If you enable it (Settings → Diagnostics), we get stack traces with compound names, dose values, and lab values removed before submission. Implementation:
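    Sentry.init({
      // beforeSend runs on-device for every event before it is transmitted.
      beforeSend(event) {
        // scrubValues is the app's own helper (not shown here); it strips the listed fields.
        return scrubValues(event, [
          "compoundName", "doseAmount", "biomarker", "labValue", "vialSize"
        ]);
      },
    });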
We see "Crash in recon.calculateRecon at line 47, in vial reconstitution flow." We don't see "User Marcus injected 250 mcg of BPC-157." That's not a value to us. It's just a string we filter.
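A sketch of what a helper with that call shape could look like, added here as an example and not Regimio's implementation: it redacts the listed keys at any depth and, going one step beyond the key list, also blanks the free-text fields where a dose can sit inside a sentence. `scrubNode`, `REDACTED`, `demo` and the sample event are hypothetical names and constructed data; the event fields follow Sentry's event layout.

```javascript
// Added example: a hypothetical scrubValues(), not Regimio's implementation.
const REDACTED = "[scrubbed]";
const SENSITIVE_KEYS = ["compoundName", "doseAmount", "biomarker", "labValue", "vialSize"];

// Copy `node`, redacting any property named in `keys` at any depth (arrays too).
function scrubNode(node, keys, path) {
  if (node === null || typeof node !== "object") return node;
  if (path.has(node)) return "[circular]"; // guard against self-referencing objects
  path.add(node);
  const out = Array.isArray(node) ? [] : {};
  for (const [name, value] of Object.entries(node)) {
    out[name] = keys.has(name) ? REDACTED : scrubNode(value, keys, path);
  }
  path.delete(node);
  return out;
}

function scrubValues(event, keyList) {
  const clean = scrubNode(event, new Set(keyList), new Set());
  // Free-text fields can carry a dose inside a sentence, where no key name matches.
  if (typeof clean.message === "string") clean.message = REDACTED;
  for (const ex of clean.exception?.values ?? []) {
    if (typeof ex.value === "string") ex.value = REDACTED;
  }
  for (const crumb of clean.breadcrumbs ?? []) {
    if (typeof crumb.message === "string") crumb.message = REDACTED;
  }
  return clean;
}

// Constructed sample event (compound and dose are the ones the post quotes).
const sampleEvent = {
  exception: { values: [{
    type: "RangeError",
    value: "invalid dose 250 mcg for BPC-157",
    stacktrace: { frames: [{ function: "recon.calculateRecon", lineno: 47,
      vars: { compoundName: "BPC-157", doseAmount: 250 } }] },
  }] },
  breadcrumbs: [{ category: "ui", message: "saved BPC-157 vial",
    data: { vialSize: "5 mg", step: "vial_create_completed" } }],
  extra: { labs: [{ biomarker: "IGF-1", labValue: 212, unit: "ng/mL" }] },
};

function demo() {
  const sent = scrubValues(sampleEvent, SENSITIVE_KEYS);
  return { sent, leaked: /BPC-157|250|IGF-1|212|5 mg/.test(JSON.stringify(sent)) };
}
console.log(JSON.stringify(demo().sent, null, 2));
```

The function name and line number survive, which is what triage needs; a check like `leaked` is worth keeping as a unit test so a new field added to the data model cannot slip past the key list unnoticed.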
Why "consult your doctor" doesn't appear
Half our users run protocols their doctor would never approve. A "consult your doctor before logging" pop-up wouldn't just be useless; it would actively damage the product. It'd push users back to spreadsheets and ChatGPT, where the data is more exposed and the math is worse.
So Regimio doesn't ask. Your stack, your call. If you want a doctor's input, generate the doctor PDF export and bring it to your visit. The app is the tool. You're the user. We don't read between the lines.
What "no analytics on values" looks like in practice
If we send a single analytics event in the entire app, it's tracking something like: "vial_create_started" → "vial_create_completed". That is the event name, not the event payload. Did the user complete the flow? Yes/no. We never need to know what compound they were logging.
This is the bar: an event Regimio logs about you should be useful to debugging the product, not useful to profiling you.
Why we're saying this out loud
Privacy isn't a posture we can prove. It's an architecture we have to commit to and live with. The blog post is the receipt: it gets indexed, it gets archived, it gets quoted back to us if we ever drift.
We are saying it now so the version of us that exists 2 years from now (bigger team, bigger pressure, real revenue) has a public document to compare against.
If we ever change this, you'll find out from the changelog, not a press release.