Plume
Privacy by architecture

See exactly where your data lives

No trust required. We'll show you the architecture, the data flow, and every decision that makes it impossible for anyone to read your journal.

The big picture

Your data never touches our servers — because we don't have any

Here's the complete architecture. Everything happens on your device or through Apple's encrypted iCloud infrastructure. We're not in the picture at all.

[Architecture diagram]

YOUR DEVICES
📱 iPhone: SwiftData / SQLite
📟 iPad: SwiftData / SQLite
💻 Mac: SwiftData / SQLite
🛡️ Protected by Face ID / Touch ID: biometric lock before anyone can open the app

YOUR iCLOUD (optional, you choose)
☁️ CloudKit: encrypted data only. Apple cannot read it.
Link from your devices: 🔐 Encrypted

AI PROVIDER (optional, you choose)
🤖 OpenAI / Claude / Gemini / Local. Your API key, your choice. Only when you ask.
Link from your devices: when you use AI. Direct device → provider. Plume never in the middle.

PLUME SERVERS
We don't have any. Zero. None. Nada. Nothing to hack, leak, or hand over.
Link from your devices: no connection

Data lifecycle

Follow your data from keystroke to storage

1. You type an entry

Your words go directly into a local SwiftData database stored in your device's sandboxed app container. This is the same secure storage Apple uses for its own apps.

Never leaves your device at this step

2. Auto-saved locally

Plume auto-saves as you write. The database file sits in your device's protected storage — only your app can access it. Not even other apps on your phone can read it.

Protected by iOS / macOS sandboxing

3. Sync across devices (optional)

If you enable iCloud sync, your data is encrypted before it leaves your device and travels through Apple's CloudKit infrastructure to your other devices. This is your personal iCloud — not a Plume server.

Encrypted in transit and at rest
Apple cannot read it. Plume cannot read it.

4. AI features send data to your chosen provider (optional — you configure it)

If you enable AI features by entering your own API key, entry data is sent to the AI provider you chose (OpenAI, Anthropic, Google, or a local model). This only happens when you actively use an AI feature — never in the background.

Two features send entry data:

Custom AI Prompt

Sends today's entry along with your prompt to the AI provider for a response.

Introspection

Sends all entries you select to the AI provider for deeper reflection and pattern analysis.

You bring your own API key — Plume never sees it on our end
Only triggered when you actively use the feature
Choose a local model to keep everything on-device

5. That's it. There is no step 6.

Your data goes nowhere else. No analytics service. No crash reporting. No remote database. No "anonymous" aggregation. Your journal stays between you and your devices — unless you explicitly choose to use AI features.

End of story

Encryption details

Every layer of protection, explained

Data at rest

Your journal is stored in a SwiftData (SQLite) database inside the app's sandbox. On iOS, this is protected by Apple's Data Protection, which encrypts the file system with your device passcode.

iOS Data Protection encrypts files when locked
macOS FileVault encrypts your disk
App sandbox blocks all other apps from reading

Data in transit

When sync is enabled, data is encrypted before leaving your device and sent through Apple's CloudKit. The connection uses TLS, and the payload is encrypted end-to-end.

TLS encryption for the connection
End-to-end encryption for the data payload
Goes through your iCloud — not our servers

Access control

Even if someone has your unlocked phone, they can't open Plume without your face, fingerprint, or passcode. The app locks itself when you switch away.

Face ID and Touch ID support
Passcode fallback
Auto-lock when app goes to background

Exports

When you export your journal, you can choose to encrypt the file with a password. The export is generated locally — it never passes through any server.

Optional password encryption
Standard JSON format — no lock-in
Generated on your device, saved to your files

AI features

When AI is enabled, here's exactly what happens

AI features are entirely opt-in. You bring your own API key, you choose the provider, and data only leaves your device when you press the button.

[AI data-flow diagram]

YOUR DEVICE
📓 Your Journal Database: all entries stored locally
Custom Prompt: sends today's entry only
Introspection: sends selected entries
👆 You press the button. Nothing happens automatically.

Direct + encrypted:
OpenAI (ChatGPT): your API key, TLS encrypted
Anthropic (Claude): your API key, TLS encrypted
Google (Gemini): your API key, TLS encrypted

Stays on device:
🏠 Local Model: never leaves your device

Plume's role: We don't proxy, store, or even see the request. Device → Provider. That's it.
🔒 Zero knowledge

Your API key

Stored locally on your device. Plume never sees or transmits it through our infrastructure.

Only on demand

Data is only sent when you actively trigger an AI feature. Nothing runs in the background.

Go fully local

Choose a local AI model and nothing ever leaves your device. Full AI features, zero internet.

Internet access

When does your data touch the internet?

Only when you choose. Here's the complete and exhaustive list.

iCloud Sync enabled

Optional

Encrypted data travels between your devices through your iCloud account. This is the only time journal data touches the internet — and it's encrypted end-to-end, so no one can read it in transit.

AI features used

Optional — you configure

When you set up an AI provider with your own API key and actively use an AI feature, entry data is sent directly from your device to that provider. This happens in two cases:

Custom AI Prompt

Today's entry is sent to get a response to your prompt.

Introspection

All selected entries are sent for deeper reflection.

Data goes directly from your device to the provider (OpenAI, Anthropic, Google, or a local model). Plume never proxies or stores this data. You can choose a local AI model to keep everything entirely on-device.

Everything disabled

Default

With sync off and no AI configured, your data never touches the internet. Period. The app works 100% offline — on a plane, in a cabin, anywhere. Zero network requests.

Things that never happen

Sent to Plume's servers
Sent to analytics providers
Sent anywhere without your action
Sold to data brokers
Shared with advertisers
Aggregated "anonymously"

How we compare

Plume vs typical journal apps

| | Plume | Typical apps |
|---|---|---|
| Data storage | On your device | Their cloud servers |
| Who can read it | Only you | Company employees, hackers if breached |
| Account required | No | Email + password |
| Works offline | 100% offline | Limited or none |
| Tracking / analytics | Zero | Usage tracking, crash reports |
| Data breach risk | None — no servers | High — centralized servers |
| Government data requests | Nothing to give | Must comply |

The bottom line

We built Plume so that it's architecturally impossible for us — or anyone — to read your journal. Not "we promise not to." Not "we have a policy." We literally can't.

If we don't collect it, we can't leak it, lose it, or be forced to hand it over.