Security

How your family's data stays safe.

The short version

Rhythm is local-first. Your data lives on your device by default and never touches a server unless you choose to sync. If you do sync, your data is encrypted in transit (TLS) and at rest on my servers. End-to-end encryption is planned.

1. Local-first architecture

Everything - tracking, analytics, predictions - runs on your device. Nothing is stored on a server unless you turn on sync. The app works fully offline.

2. Sync encryption

If you enable household sync, data is encrypted in transit (TLS), and my offsite backups are encrypted. The database itself is not encrypted at rest on disk. I hold any encryption keys, which means I could technically read your synced data. I don't, but the capability exists and you should know that.

I'm working on end-to-end encryption to close that gap. Once shipped, even I won't be able to access your data.

3. Authentication

Sessions use HttpOnly cookies that aren't accessible to JavaScript. Tokens are scoped and short-lived. CSRF protection is enforced on all authenticated routes.

4. Infrastructure

Each household's data lives in an isolated database. Sync replicates across independent nodes in separate geographic regions so a single datacenter failure doesn't affect availability.

The app enforces Content-Security-Policy headers, Strict-Transport-Security, and blocks access to internal database endpoints at the reverse proxy layer.

5. Backups

Encrypted backups run daily and are stored offsite on a rolling schedule: 7 daily, 4 weekly, 3 monthly. If you delete your account, your data is removed from servers right away and ages out of backups within 90 days.

6. What I don't do

  • No ad-tracking scripts or third-party analytics
  • No selling or sharing of data
  • No server-side analytics or algorithms running on your data

7. Limitations

Rhythm is a web app. Browsers can clear stored data under storage pressure (low disk space, for example). Turning on household sync is the best way to make sure you don't lose anything.

I'm one developer, not a security team. I take security seriously, but I haven't done formal third-party validation.

Found something?

If you find a security issue, please report it via security@rhythm.baby. I'll respond as quickly as I can.

Rhythm App, LLC
Incorporated in the State of Delaware

Start free, no signup