No marketing fog — here is exactly what's stored, what touches the network, and how everything is encrypted on your device.
Everything you log stays in a SwiftData store on your iPhone — inside the app's private container. We have no servers, no accounts, no analytics. We don't have a copy of anything.
All cycles, symptoms, mood, temperatures, journal entries, photos, medications, lab records, and custom fields live in an encrypted SwiftData store inside Hoo-Ha's private sandbox.
The encryption key used to protect sensitive fields is generated on first launch and stored in the iOS Keychain with kSecAttrAccessibleAfterFirstUnlock. It never leaves the device.
No cloud, no server, no third-party SDK. The only time data leaves your device is if you personally export it, share a backup, or enable Apple Health.
Hoo-Ha's own code makes no network calls. This is verified at build time by a script that fails the build if any networking code (URLSession, URLRequest, analytics SDKs) is ever introduced. The only network involvement comes from Apple's own system services, and only when you choose to use them.
| Action | Network? | Why |
|---|---|---|
| Logging, viewing, charts, journal, predictions | No | All processed on-device via SwiftData and CryptoKit. |
| On-device dictation (the assistant's mic) | No | Speech recognition is forced on-device. Audio never leaves the phone. |
| Imports (CSV / Apple Health zip / others) | No | Files are parsed locally; nothing is uploaded. |
| Excel export, encrypted backup | No | Files are created on-device. You decide whether to share them. |
| Notifications, reminders, widgets | No | Scheduled locally through iOS. |
| App Store purchase / restore | Apple only | StoreKit verifies your purchase with the App Store. Standard for any paid iOS app. No health data is transmitted. |
| Siri (off by default) | Optional | The intent code runs in-process. If you opt in, Apple's Siri service may use the network for recognition — Hoo-Ha doesn't. |
| Apple Health write-back (off by default) | Optional | Writes menstrual flow, BBT, cervical mucus, and ovulation results to the local Health app on your device. If you turn on Apple's Health iCloud sync separately, Apple syncs it — not Hoo-Ha. |
| Apple Health imports — metrics & nutrition (off by default) | Optional | Pulls weight, BBT, resting HR, BP, steps, active energy, exercise minutes, sleep, calories, macros, and water from the local Health app. Reads happen on-device; nothing goes online from Hoo-Ha. |
| Tapping a link (Privacy / Terms / website) | Yes | Opens Safari to this site — initiated by you. |
Two layers, both standard, both on-device.
Sensitive content is encrypted in code using Apple's CryptoKit (AES-GCM) before it touches the database. The key is generated on first launch and stored in your Keychain.
What gets the extra layer:
The entire app database directory is created with FileProtectionType.complete. While your phone is locked, the OS itself encrypts the file — nothing in it is readable until you unlock the device.
This covers everything in the store, including structured values like dates and numeric mood/BBT readings that aren't separately field-encrypted.
The "Backup & Restore" feature produces an .enc file encrypted with AES-GCM using a key derived from a passphrase you set (HKDF / SHA-256).
We never receive your passphrase. If you store the backup in iCloud Drive or anywhere else, only the ciphertext is there — even Apple can't read it.
scripts/check-network.sh) scans every source file before compile. If it finds URLSession, URLRequest, or any analytics import, the build fails. This guarantee can't be quietly removed in a future update.