Last updated: May 1, 2026
Surfacing collects no data. There is no analytics, no telemetry, no crash reporting, and no usage tracking of any kind. The app contains no third-party SDKs that capture or transmit information.
All entries, settings, and logs are stored exclusively on your device in a local SQLite database encrypted with AES-256 via SQLCipher. Nothing is transmitted to any server. Surfacing has no backend and does not require an internet connection to function.
When you choose to export, a self-contained HTML file is generated on your device. The file is encrypted with AES-256 using a one-time password generated locally on your device. The file is only shared when you explicitly tap "Send Report." No export occurs automatically.
Your data is protected by a device key stored in the iOS Keychain or Android Keystore, accessible only when the device is unlocked. Biometric or device-PIN authentication is required before any export. All exported files are AES-256 encrypted.
Because there is no cloud backup, losing or resetting your device will permanently delete your data. Store exports somewhere safe and never together with the decryption password.
Surfacing does not require an account, email address, name, or any personally identifying information.
Surfacing is a personal tracking tool. It does not replace clinical care, diagnosis, or treatment. Share exports with your provider to support — not substitute — professional sessions.
Questions about this policy can be sent through the Contact Us form inside the app or via the contact section on surfacingapp.com.