Transparency
What we can — and cannot — read about you under each recovery mode. Updated as the implementation changes; nothing on this page is aspirational.
Two recovery modes
Every Sovei account encrypts its sensitive data with a key that's derived on your device. The key never travels in plaintext to our servers — except, optionally, when you turn on Easy Recovery (a wrapped copy is sent once, encrypted under a key we hold).
Default
Recovery phrase
A 12- or 24-word phrase you write down. Your data's only key. Lose it and the data is unrecoverable — even by us.
Opt-in
Easy Recovery
A spare key we hold. Reset by email like any other app. We can read your data when that spare key is used.
Access table
Who can read what, in plain language. “Health data” means food logs, workouts, sleep, body measurements, blood work — everything you encrypt as part of the normal flow.
| Scenario | Recovery phrase | Easy Recovery |
|---|---|---|
| We read your health data | Cannot. | Yes — when the spare key is used (e.g. an employee with our infra access, a court order with a valid warrant). |
| A breach exposes your data | Ciphertext only. Useless to the attacker. | Ciphertext only — but a breach broad enough to also reach our key custody could decrypt it. |
| You forget your password | Unlock with your phrase. We cannot help. | Reset by email like any other app. The spare key unwraps your data after you set a new password. |
| You lose your recovery phrase | Data is unrecoverable. | Data still recoverable via email reset, as long as Easy Recovery stays on. |
| We get a subpoena for your data | We cannot comply — there’s nothing to hand over. | We must comply. Standard warrant response. |
What we still see, even at the strongest setting
Even with the recovery-phrase setting — the strongest one, where we hold no key to your data — syncing your encrypted records between devices means our servers still see a few plain facts. They never see what's inside your records:
- That you have records, which kinds (for example, a workout or a sleep entry), and when they last synced — never their contents.
- The public profile you choose to share — your username, display name, and avatar.
- The account essentials we need to run your account — your email, your billing identity (handled by Stripe), and a few non-sensitive app and workout-planning preferences.
Everything else you log stays scrambled to us.
How the spare key is protected
The spare key is encrypted with industry-standard AES-256-GCM and stored in a managed key vault separate from your data. It's never written to logs, error reports, or disk in plaintext. We rotate the wrapping key on a regular cadence and we're actively investing in stronger hardware-backed key custody.
What we audit
Every time the spare key is created, used, or removed, we log: an anonymous user ID, outcome, timestamp, and the strength of the calling session's authentication. The decrypted key itself is never logged.
We retain these audit records for 6 years, in line with healthcare data retention norms.
What you can switch
You can switch between modes at any time without losing data. Both directions are instant — we re-wrap your key, the underlying data isn't re-encrypted.
- Phrase → Easy Recovery: we store a wrapped copy of your key. Phrase still works.
- Easy Recovery → Phrase: you type your phrase to confirm you have it, we delete the wrapped copy. From then on, only the phrase unlocks your data.
The toggle lives at Settings → Account → Easy Recovery.
Two-factor authentication
Easy Recovery is designed to require two-factor authentication. When it's enabled, you'll set up a code from an authenticator app (Google Authenticator, 1Password, Authy — anything that speaks the standard 6-digit format) before we wrap your spare key, and you'll be asked for a fresh code on every new device, so a stolen password alone can't reach your data.
New-device protections
Every new browser or device that uses Easy Recovery has to pass an email confirmation step before we'll unlock your data there. The first time we see a device, we email a one-click confirm link to the address on your account. Until you click it, the unlock is paused — your data stays encrypted on that device.
You can review the last ten Easy Recovery unlocks at Settings → Account → Easy Recovery. Each entry shows when the unlock happened and whether it came from a trusted device or a new one.
What we don't do
- We don't support hardware security keys (YubiKey, passkey-only) yet — authenticator apps are the only second-factor option for now.
- We don't support customer-managed encryption keys for partner organisations yet.
Questions or concerns
See our Privacy Policy for the legal framing, or contact us if anything on this page is unclear or disagrees with what you're seeing in the app.