Privacy Policy

Sarge is built to hold far less of your data than the fitness apps you're used to. Your fitness data lives on your device. If you opt into backup, the encrypted copy we keep is one we cannot read. The server keeps none of your fitness data or conversations: no logs, no profiling, nothing from a request kept once the reply has been sent. Conversations are processed inside attested hardware enclaves the operator can't see into. No email, no password, no ads, no cookies, no data trade.

Last updated 2026-06-12

Quick version

  • Your fitness data lives ONLY on your device by default.
  • If you set up Sarge backup, we hold an encrypted copy. We can't decrypt it.
  • Chat and log extraction run inside attested confidential-compute enclaves — the operator can't see in.
  • Our server doesn't store, log, or retain your fitness data or conversations between requests. The handful of records it does keep (your account number, a push endpoint if you enable pings, an encrypted backup blob if you enable backup) are listed under What touches our server.
  • Your access is a random account number. No email, no password, no identity attached to it.
  • No cookies. No ad networks. No selling. No profiling. Plausible for analytics.
  • Delete anytime: you can wipe device, server backup, or both.

How this is different from what you're used to

Most fitness apps work like this:

  • Your data sits on their servers in plaintext — staff and partners can read it
  • You sign up with an email, name, often a phone number; everything is bound to that account
  • Aggregated or "anonymized" health data is sold to advertisers, insurers, or employer wellness programs
  • Your conversations and logs are used to train AI models
  • Cookies and trackers follow you between sessions and across the web

Sarge:

  • Your data lives on your device. The only thing on our server is an encrypted blob we can't read — and only if you opt in to Sarge backup.
  • No identity. No email, no name, no phone number, no password. Your access is a random 16-digit account number; your backup is keyed by an ID your device derives from your recovery phrase. Neither one says who you are.
  • Nothing about you is sold, shared, or licensed. Not in aggregate. Not "anonymized." Not at all.
  • Your conversations don't train any model. They run through attested enclaves and are dropped after the response.
  • No advertising. No retargeting. No cross-site tracking. Nothing follows you off this site.
  • No automated decisions about you. No profiling in the GDPR Art. 22 sense.

What stays on your device

Everything. Every meal, workout, sleep entry, measurement, water log, step count. Your profile. Your missions. Sarge's notebook of facts about you. Your full chat history. Your saved favorites. All of it.

Stored locally in your browser's IndexedDB. Be clear about what that means: the browser writes IndexedDB to your profile directory without any encryption of its own, so the data is protected by whatever protects your device (your OS user account, screen lock, and disk encryption), and anyone who can use your unlocked browser profile can read it. Clearing site data for sarge.fitness erases it, which is why the optional encrypted backup exists.

What touches our server

Almost nothing. The server handles your request, forwards it to the enclaves, streams the reply back, and retains none of the message content. A short list of other things persists on disk — none of it your fitness data.

Push subscriptions (only if you turn on pings)

If you opt into ping notifications, your browser creates a push subscription and hands us its endpoint URL, which we store so we can wake you when Sarge has something to say. The URL is an unguessable address at your browser vendor's push service: it identifies one browser installation, not a person, and on its own it says nothing about who you are. Turn pings off and the URL is removed from our server.

Encrypted backup blobs (only if you set up Sarge backup)

Your device encrypts a snapshot of your data with a 256-bit AES-GCM key derived from a 12-word BIP-39 recovery phrase (128 bits of entropy plus a 4-bit checksum). We store the encrypted bytes keyed by a UUID that your device also derives from that phrase. We cannot read it, decrypt it, or link it to you. Two consequences follow. The phrase is the only key: lose it and the backup is unrecoverable by anyone, including us. And anyone who holds the phrase can locate and decrypt the backup, so treat it like a password. You can rotate your key at any time by generating a new recovery phrase.

One click in Settings → Delete data → "Delete server backup" wipes it.

Your account number + invite codes

When you first open Sarge, the server hands your device a random 16-digit account number. That number is your whole identity here — there's no email, name, or password to attach it to. Next to it we keep exactly three things: when it was created, how long its access runs once paid access launches, and which invite code admitted it. Invite codes themselves are tickets — each one records a label, how many uses it allows, and how many are used. Codes count redemptions; they don't identify the people who redeemed them. None of this ever touches your fitness data — your logs, chats, and profile never reach the server in readable form in the first place.

Account rows aren't deletable from inside the app today, because deleting yours would erase any access time attached to it. Email us and we'll purge it.

Looking ahead: when paid access launches, card payments will be handled by a payment processor, which needs your card details and an email to process the charge and send receipts. We keep no copy of either. Paying with Bitcoin keeps even that away from us and the processor, though a Bitcoin transaction is itself a public record on the blockchain, so it is pseudonymous rather than anonymous.

That's the whole list

No analysis of anything you log. No retention of it. The server's only job with your messages is to forward them and stream the reply back.

What runs in attested enclaves

Both chat and extraction run inside hardware-attested enclaves. The hosting provider can't read what goes in or comes out — not in transit, not at rest, not while it's being processed.

How the connection works

Your data is encrypted in transit and processed on confidential-compute GPUs, currently the strongest isolation commercially available for AI inference. Once your data reaches the enclave, its memory is encrypted, performance counters are disabled, and hardware firewalls cut off the host operating system, the hypervisor, and the hosting provider from inputs, outputs, and intermediate state.

What runs there

  • Chat. Your message routes to the enclave, where a large language model generates Sarge's reply and streams it back.
  • Extraction. A second enclave pass turns natural language ("I had eggs and toast") into structured log entries. Same hardware, same protections.

Who can see your messages

  • Sarge's server: only briefly, to forward them. Nothing stored, nothing logged, nothing analyzed.
  • The infrastructure operator: no. The host OS, hypervisor, and staff are cut off from the enclave's encrypted memory by hardware.
  • The network: no. TLS encrypts every hop.

Why this is the strongest setup we can build

Hardware-attested enclaves are how you process data without giving the operator visibility into it: the hardware signs a report of exactly which code the enclave is running, and a client that checks that report against the expected measurement before sending knows what it is talking to. Sarge ships them today, not as a future roadmap item. Pair that with a stateless server (no storage, no logging of message content) and the only places your message exists in plaintext are your own device, our server for the moment it takes to forward the message, and the enclave processing it. The hardware providers' attestation architecture is publicly documented and independently audited.

Your rights

  • Delete it all. Settings → Delete data wipes device, server backup, or both.
  • Export it all. Settings → Export Data dumps everything as plain JSON. You own it.
  • Turn off pings. Settings → Notifications → OFF removes your push subscription from our server.
  • Skip analytics entirely. Plausible never identifies you, but if you'd rather not be counted even in anonymous totals: most ad/content blockers already exclude you automatically. No blocker? Set localStorage.plausible_ignore = "true" in your browser console on sarge.fitness and you're invisible to it.

EU (GDPR), California (CCPA / CPRA), and Washington (My Health My Data Act) residents — the rights above cover access, deletion, and portability obligations. Email sarge@sarge.fitness if you need a written record or want a more specific request handled.

Cookies and tracking

None. Sarge sets zero cookies — no banner because there's nothing to accept.

For analytics we use Plausible, a privacy-first system with no cookies, no fingerprinting, and no ability to follow you anywhere. All it ever shows us is anonymous, aggregate counts — how many people visited, which pages get read, roughly what country traffic comes from. That's how we know whether the landing page is doing its job without knowing anything about you. Rather not be counted at all, even anonymously? Easy — see Your rights above.

Changes to this policy

We'll update this page as the app evolves. The "Last updated" date at the top of the policy reflects the most recent revision.

Contact

Email: sarge@sarge.fitness