Privacy & Security

A complete and honest explanation of how Offgrid handles your data — written for real people, not legal departments. Last updated: v5.7 CLD — April 2026

Contents

The short version
Where your data lives
Encryption
The AI companion (Pepper)
Premium & payments
UX Analytics
Existence toggle
Location data
Exports & backups
Service Worker & offline
Third-party services
Your rights & controls

1. The short version

🔒 Your diary never leaves your device. Offgrid has no server, no account system, no database, and no analytics pipeline. Every word you write is stored locally, encrypted with AES-GCM 256-bit using a key only you hold.

The only outbound network requests Offgrid ever makes are:

Google Fonts on load (no diary data sent)
AI chat/coach — only when you press a button, only if you configured a key
A daily quote from Groq using a shared read-only key (no personal data)
An anonymous existence ping — only if you opt in, no ID, no content

No background syncs. No telemetry. No crash reporters. No ads.

2. Where your data lives

All user content is stored on your device only — in localStorage (with a migration to IndexedDB in progress for larger storage quotas).

Data	Location	Encrypted?	Leaves device?
Diary entries & titles	`localStorage` / IDB	✓ AES-GCM 256-bit	✗ Never
Settings & theme	`localStorage`	✗ Plain text	✗ Never
AI API key	`localStorage`	✗ Plain text	⚠ Sent to your AI provider only when you use Pepper
Export password hash	`localStorage`	djb2 hash (non-reversible)	✗ Never
Location	`localStorage`	✗ Plain text	⚠ Sent to your AI provider in greeting prompt only
UX analytics	`localStorage`	✗ Plain text	✗ Never
Premium flag	`localStorage`	✗ Plain text	✗ Never
Existence opt-in flag	`localStorage`	✗ Plain text	⚠ A single anonymous POST (+1) is sent when you opt in
Dystopia game state	`localStorage`	✗ Plain text	✗ Never

3. Encryption

All diary entries are encrypted at rest using the Web Crypto API — built into every modern browser, no external libraries needed.

Algorithm: AES-GCM 256-bit

Confidentiality: Without the key, ciphertext is indistinguishable from noise
Authenticity: GCM authentication tag detects any tampering
Freshness: Each encryption uses a new 96-bit random IV

Key derivation: PBKDF2-SHA256

310,000 iterations (2023 NIST recommendation)
Random 128-bit salt per encryption call
Makes brute-force attacks computationally prohibitive

// Core of Offgrid's encryption flow
const key = await crypto.subtle.deriveKey(
  { name: "PBKDF2", salt, iterations: 310000, hash: "SHA-256" },
  keyMaterial, { name: "AES-GCM", length: 256 }, false, ["encrypt","decrypt"]
);
const ciphertext = await crypto.subtle.encrypt(
  { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext)
);
// Stored as base64(salt):base64(iv):base64(ciphertext)

⚠️ Forgotten password = lost data. There is no recovery mechanism because there is no server. Use Nuclear Reset (Settings → Forgot Password) to wipe everything if locked out.

4. The AI companion (Pepper)

Pepper is entirely optional. Without an API key, no AI requests are made (except the daily quote).

What Pepper sends to your AI provider:

Greeting — time of day, diary count, diary names, city if set. No entry content.
Chat — your message, recent chat history, up to 400 chars of current entry (if not a Time Capsule)
Writing Coach — full current entry text, on explicit button press only
Context compression — older entries for summarisation; Time Capsule entries always excluded
Dystopia game — prompts to generate forbidden words and check roleplay compliance; no diary content

Time Capsule locked entries are never passed to any AI function under any circumstances.

5. Premium & payments

Premium is processed via the Digital Goods API (Google Play Billing) when Offgrid is installed as a PWA through the Play Store. Offgrid never receives payment information — your card goes to the store directly.

After purchase, a premium_unlocked: true flag is stored locally. The Ko-fi tip link opens ko-fi.com/offgriddiary — Offgrid receives no payment data from Ko-fi.

⚠️ The Premium flag is device-local. Clearing all data or reinstalling will require restoring via the store's native restore mechanism.

6. UX Analytics

Offgrid tracks button press events only — which features you use, which themes you choose — stored exclusively in localStorage. This data never leaves your device. You can view and reset it in Settings → UX Analytics.

Analytics include: feature use counts, theme preferences, Dystopia game events, Premium purchase attempts, and mobile navigation patterns. No entry content is ever included.

7. Existence toggle

In Settings → Community you can opt in to letting us know you exist. This sends a single anonymous HTTP POST to our counter endpoint. The request contains:

No user ID, no device ID, no session ID
No diary content, no settings, no location
No cookies (credentials: 'omit')
No readable response (mode: 'no-cors')
Just +1 to a counter

The opt-in flag is stored locally. Toggling it off removes the flag; no further pings are sent. You can toggle this at any time in Settings.

8. Location data

Optional free-text city/region input. Stored locally in plain text. Sent only to your AI provider as part of the greeting prompt. Never used for analytics, advertising, or statistics. Change or delete it anytime in Settings → Location.

9. Exports & backups

JSON and PDF exports are generated entirely in your browser. They never pass through any server. PDF export requires your master password as a gate. Time Capsule entries are excluded from all PDF exports.

📄 Exported files are unencrypted. Treat your JSON backup like a plaintext document of your diary — store it in an encrypted folder if privacy is important.

10. Service Worker & offline

Offgrid registers a Service Worker to enable offline use. It pre-caches the app shell (HTML/CSS/JS/icons) and Google Fonts. It never caches AI API calls. The SW cannot read or modify your localStorage data — your diary is completely outside its scope.

Starting in v5.6, Offgrid migrates data from localStorage to IndexedDB transparently in the background. Both stores are written to simultaneously during the transition. No data is lost.

11. Third-party services

Service	What it receives	Privacy policy
Google Fonts	Your IP + font request. No diary data.	policies.google.com
Groq (daily quote)	Static quote prompt only. No user data.	groq.com/privacy-policy
Your AI provider	Greeting context, chat, entry text for Coach. Controlled by you.	Depends on your choice
Ko-fi	Nothing until you tap the link.	ko-fi.com/privacy
Existence counter	Anonymous POST body of "1". No ID, no cookies.	Self-hosted endpoint — no third party
Google Play (Premium)	Purchase verification. Payment handled by store.	policies.google.com

12. Your rights & controls

Access: Export your data anytime as JSON
Erasure: Settings → Clear all data (requires master password) or Nuclear Reset
Portability: JSON export is human-readable and importable
Object to AI: Don't configure an API key; individual AI features can be toggled off
Correct: Edit any entry at any time
Existence ping: Toggle off anytime in Settings → Community

Offgrid is a passion project. No investors. No ad network. No telemetry. Just a diary.
v5.7 CLD [KK2] · April 2026