Can an App Read My Journal?

Most journaling apps can read your entries. If an app stores your text on a server without end-to-end encryption, then the company — and potentially anyone who gains access to their systems — can read what you wrote. Daylogue is different. Your journal entries are encrypted on your device with AES-256-GCM before they are transmitted. Your encryption keys are stored on your devices, not on Daylogue servers. This means Daylogue cannot read your raw journal entries, even if compelled.

What most journaling apps actually do with your data

The default in the journaling app industry is server-side storage. You type an entry, it gets sent to a server over HTTPS (encrypted in transit), and then it sits in a database. Some apps encrypt the database at rest using keys that the company controls. Others store entries as plain text. In either case, the company has the technical ability to read your entries. They may promise not to, but the capability exists.

This matters because databases get breached. Employees sometimes have overly broad access. Legal requests can compel companies to turn over data they have the ability to decrypt. If the company can read your entries, those entries are only as private as the company is trustworthy and secure — and that is a high bar for content as personal as a journal.

The difference between “encrypted” and “end-to-end encrypted”

Many apps advertise that your data is encrypted. This is technically true but misleading. There are two very different kinds of encryption:

• Server-side encryption: The company encrypts your data on their servers using keys they control. They can decrypt it at any time. This protects against external attackers but not against the company itself.
• End-to-end encryption: Your data is encrypted on your device before it leaves. The encryption keys exist only on your devices. The company never has the ability to read your data, even if they wanted to.

How end-to-end encryption works in Daylogue

Daylogue generates encryption keys on your device during setup. These keys never leave your devices. When you write an entry, it is encrypted locally using AES-256-GCM — the same standard used by financial institutions and government agencies — before being transmitted to Daylogue servers for syncing across your devices. On the server, the data is an unreadable ciphertext blob. No one at Daylogue has the keys to read it.

When you open Daylogue on another device, the encrypted data syncs and your local keys decrypt it. The readable version only ever exists on your devices.

The AI processing tradeoff

There is one moment when your entry exists in readable form outside your device: during AI processing. When Daylogue generates your daily narrative, detects patterns, or runs a conversational check-in, your entry is briefly decrypted and sent to the AI provider (AWS Bedrock) over an encrypted connection. The AI processes it in memory, returns the result, and does not store or log your content.

This is a genuine tradeoff. Full privacy purists might prefer no AI processing at all. Daylogue is transparent about this window because honesty about limitations is more trustworthy than false claims of absolute privacy. You can read more about how Daylogue handles AI safety and the technical details of AI processing.

What “zero knowledge” means in practice

A zero-knowledge architecture means the service provider has no technical ability to access your data. In Daylogue, this means:

• Daylogue servers store only encrypted ciphertext
• Encryption keys exist only on your devices
• A server breach exposes only unreadable encrypted data
• Even a legal subpoena cannot produce readable entries from Daylogue servers

Red flags to watch for in journaling app privacy policies

If you are evaluating a journaling app, read the privacy policy carefully. These phrases should raise concerns:

• “We may use your data to improve our services” — this often means AI training
• “We share anonymized data with partners” — anonymized emotional data is often re-identifiable
• “Your data is encrypted at rest” without mentioning who holds the keys — this is likely server-side encryption
• No mention of encryption at all — your data is likely stored as plain text

Daylogue publishes its privacy architecture in plain language, not just in legal documents. If you are concerned about how apps use psychological pressure, that is worth reading too.