Why "Local-First" Matters
How keeping your data on your device helps create the psychological safety essential for healing
When you reach for a recovery companion app, you're rarely at your strongest. You might be wrestling with cravings at 2:00 AM, processing shame after a relapse, or finally admitting to yourself that you can't do this alone. In that moment of raw vulnerability, when you open an app and begin to type, you are not just entering data; you are establishing a relationship of trust. You're sharing some of the most intimate details of your life: your failures, your fears, your medical history, the names of people you've hurt, and the hopes you have not yet spoken aloud to anyone else.
That trust is, by default, betrayed by the software industry.
The Business of Your Secrets
Most modern apps operate on a simple, invisible premise: the data you enter belongs to the company, not to you. When you tap "save," your words, moods, and location data are transmitted to centralized servers owned by the app's creators. There, they are stored in a format that allows the company - and often any engineer with database access - to read, analyze, and monetize them.
This is not a theoretical concern. The data broker industry is a multi-billion-dollar ecosystem where health-adjacent data, even when ostensibly anonymized, is sold to advertisers, insurers, and third-party analytics firms. Mental health and recovery data is particularly valuable because it indicates specific vulnerabilities and behavioral patterns. When these databases leak (and they do, with alarming regularity), the intimate confessions intended only for your digital companion become public commodities. A breach in a generic fitness app is inconvenient; a breach in a recovery app can expose information that jeopardizes employment, relationships, and legal standing.
The Chilling Effect
Most of us carry a subconscious awareness that our digital footprint is being used against us. We know that algorithms profile us, that ads seem to know our diagnoses before we tell our families, that our search histories can be subpoenaed. When you use a standard recovery app, that awareness creates a background radiation of surveillance. You feel watched, even if you can't identify by whom.
This feeling creates self-censorship. You hesitate before logging a relapse because you worry about what the record implies. You soften the language describing your trauma because you know it is being parsed by machines. You omit details that feel too identifying, too risky, too real. Over time, you are no longer being honest with the tool designed to help you heal. The app becomes a performance of recovery rather than a companion to it, and your ability to genuinely process and grow is compromised by the architecture of the software itself.
Inverting the Model: What "Local-First" Means
"Local-first" software represents an inversion of the standard architecture. Instead of treating your device as a client that merely displays data stored on corporate servers, local-first applications primarily store your data on your device - exactly where you entered it. Any external servers exist only to facilitate specific actions you explicitly choose, such as syncing between your own devices.
When implemented correctly, this model is privacy-preserving by default. Because the data never leaves your device in a readable format, the company that built the app cannot see your entries, cannot sell your patterns to advertisers, cannot train artificial intelligence models on your vulnerabilities, and cannot accidentally leak your identity to the dark web. You do not have to trust us with your secrets, because we have architected the software so that we are physically incapable of accessing them.
Why This Matters for Recovery
The benefits of local-first architecture extend beyond immediate privacy:
- Sovereignty: Your recovery journal survives even if the company behind the app ceases operations. If we at furl disappear tomorrow, your data remains on your device, fully functional and accessible.
- Control: You decide when and how your data moves. Export it to a therapist, keep it forever, or delete it permanently - all without negotiating with a customer service department or navigating a "data portability" portal designed to retain you as a user.
- Psychological Safety: Knowing that your 2:00 AM confession exists only on your device can help minimize the ambient anxiety of surveillance. You can be honest because the only audience is you, and perhaps the accountability partner or clinician you explicitly choose to invite in.
The Tradeoffs
Local-first architecture is not without limitations, and we believe in being transparent about them:
Storage Constraints: Because your data lives on your device, you are limited by your device's available storage. We work diligently to minimize the storage space we require. However, if you are using an older device with nearly full storage, this may eventually require you to export and archive older data to free space.
Device Loss: If you lose your phone and have not created a backup, you lose your data. Unlike cloud-first apps, where you can simply log in on a new device, local-first requires deliberate recovery mechanisms. To address this, we offer a paid tier that enables encrypted cloud backups. We emphasize encrypted: before any byte is transmitted to our backup servers, your data is encrypted on your device using keys that only you possess. We cannot read these backups, cannot restore them for you if you lose your password, and cannot comply with subpoenas requesting your unencrypted history, because we mathematically do not have the capability to decrypt them. (We will publish a detailed technical breakdown of our encryption architecture in an upcoming post.)
Our Commitment at furl
At furl, we believe that the only way to fully safeguard your data is to ensure we never possess it. We have engineered our app so that we cannot create a meaningful profile of you, cannot sell your patterns to data brokers, and cannot accidentally expose your vulnerabilities through our own negligence. We promise to never sell, share, or profit from your data - not merely because it is the right thing to do, but because we have removed our ability to do so.
In practice, this is achieved by keeping all your data - notes, check-ins, mood data, recovery metrics, etc. - on your device, encrypted at rest. None of this information leaves your device unless you use one of the following features:
- Export: You may manually export your data at any time. Once exported, you control where that file travels. That could be to a printed journal, a trusted therapist, your desktop computer, or your own private cloud storage.
- Cross-Device Sync: If you subscribe to our paid tier, you may sync data across your devices. This data is end-to-end encrypted using keys generated and held only on your devices. Our servers act as blind couriers, moving encrypted packets that we cannot unwrap.
- Backup: If you subscribe to our paid tier, you may enable automatic cloud backups. This data is end-to-end encrypted using keys generated and held only on your devices. We are fundamentally unable to read or decrypt these backups.
- Accountability Sharing: You may choose to share specific entries with an accountability partner or clinician. When you do, the data is encrypted for their public key on your device before transmission, ensuring that only you and your designated partner can read it. (We will detail this cryptographic flow in a future post.)
Recovery requires radical honesty. Radical honesty requires radical privacy. By choosing local-first, you are not just selecting a feature set; you are reclaiming the psychological safety necessary to do the hard work of healing. Your data belongs to you, and to you alone, until you decide otherwise.