Security

How your family's data stays safe.

The short version

Rhythm is local-first. Your data lives on your device by default and never touches a server unless you choose to sync. If you do sync, you can encrypt it end-to-end so that even I can't read it.

1. Local-first architecture

All tracking data, analytics, and predictions run entirely on your device. There is no central database storing your baby's feeds, sleep, or health notes by default. The app works offline and loads without server round-trips.

This means there's no central target to breach. If my server goes down, your data is still on your phone.

2. End-to-end encryption

If you enable household sync, you can turn on E2EE. Your data is encrypted on your device before it leaves. The encryption key is shared between household members via QR code — it never passes through my server.

The trade-off: if you lose your encryption key and all household members lose access, I cannot recover your data. There is no backdoor.

3. Authentication

Sessions use HttpOnly cookies that aren't accessible to JavaScript. Tokens are scoped and short-lived. CSRF protection is enforced on all authenticated routes.

4. Infrastructure

Each household's data lives in an isolated database. Sync replicates across independent nodes in separate geographic regions so a single datacenter failure doesn't affect availability.

The app enforces Content-Security-Policy headers, Strict-Transport-Security, and blocks access to internal database endpoints at the reverse proxy layer.

5. What I don't do

  • No ad-tracking scripts or third-party analytics
  • No selling or sharing of data
  • No server-side processing of your tracking data
  • No access to your encrypted data, even for support

6. Limitations

Rhythm is a web app. Data stored in the browser can be evicted by the OS under storage pressure. Enabling sync with a household is the safest way to ensure your data persists long-term.

I'm one developer, not a security team. I take it seriously, but I don't have the resources for formal third-party penetration testing yet.

Found something?

If you find a security issue, please report it via security@rhythm.baby. I'll respond as quickly as I can.

Find your Rhythm