What we can — and cannot — read about you under each recovery mode. Updated as the implementation changes; nothing on this page is aspirational.
Every søvei account encrypts its sensitive data with a key that is derived on your device. That key never travels to our servers in plaintext. If you turn on Easy Recovery, a wrapped copy of it is sent once, encrypted under a wrapping key we hold; the data key itself is still never exposed in transit.
Recovery phrase (default)
A 12- or 24-word phrase you write down. Your data key is derived from it and exists nowhere else. Lose it and the data is unrecoverable, even by us.
Easy Recovery (opt-in)
A spare key we hold. Reset by email like any other app. We can read your data whenever that spare key is used.
Who can read what, in plain language. “Health data” means food logs, workouts, sleep, body measurements, blood work — everything you encrypt as part of the normal flow.
| Scenario | Recovery phrase | Easy Recovery |
|---|---|---|
| We read your health data | Cannot. | Yes, whenever the spare key is used (for example by an employee with access to our infrastructure, or in response to a valid warrant). |
| A breach exposes your data | Ciphertext only, useless to the attacker. | Ciphertext only, unless the breach is broad enough to also reach our key custody; then the spare key can be unwrapped and your data read. |
| You forget your password | Unlock with your phrase. We cannot help. | Reset by email like any other app; the spare key unwraps your data once you set a new password. Your email account and your authenticator app are then what stands between an attacker and your data. |
| You lose your recovery phrase | Data is unrecoverable. | Still recoverable via email reset, as long as Easy Recovery stays on. |
| We get a subpoena for your data | We can produce only ciphertext; we hold no key that decrypts it. | We must comply, and we can decrypt. Standard warrant response. |
The spare key is your data key wrapped with AES-256-GCM under a wrapping key we hold; the wrapped copy is stored in a managed key vault separate from your data. It is never written to logs, error reports or disk in plaintext. We rotate the wrapping key on a regular cadence. Hardware-backed key custody is something we are working toward, not something this page can yet promise.
Every time the spare key is created, used or removed, we log a pseudonymous user ID (not your name or email), the outcome, a timestamp, and the strength of the authentication on the calling session. The decrypted key itself is never logged.
We retain these audit records for 6 years, in line with healthcare data retention norms.
You can switch between modes at any time without losing data, and both directions are instant. Turning Easy Recovery on wraps your data key under the key we hold and stores that wrapped copy; turning it off deletes the copy. Your health data itself is never re-encrypted in either direction.
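The mechanics behind that last point, as an added Go example that is not søvei's code: the health record is sealed under a per-user data key, the "spare key" is that data key wrapped with AES-256-GCM under a wrapping key (KEK) held server-side, rotating the KEK or toggling the feature touches only the wrapped copy, and turning Easy Recovery off deletes it, leaving the server nothing that opens the record. The Server type, the user "alice", the AAD labels and the JSON record are constructed for the example, and the data key is generated randomly here instead of being derived from a recovery phrase, because the page does not say how that derivation works.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // never continue with a short or zero key
	}
	return k
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal/unseal: AES-256-GCM, nonce prepended; the AAD ties a blob to its owner.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}
func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Server holds ciphertext for everyone, plus the wrapped data key ("spare key") only while Easy Recovery is on.
type Server struct {
	kek     []byte            // wrapping key, kept in the key vault
	records map[string][]byte // user -> sealed health record
	wrapped map[string][]byte // user -> wrapped data key
}

func (s *Server) EnableEasyRecovery(user string, dataKey []byte) {
	s.wrapped[user] = seal(s.kek, dataKey, []byte("wrap:"+user))
}
func (s *Server) DisableEasyRecovery(user string) { delete(s.wrapped, user) }

// RotateKEK re-wraps each spare key under a fresh KEK; records are never touched, so it is instant.
func (s *Server) RotateKEK() error {
	next := randomKey()
	for user, w := range s.wrapped {
		dk, err := unseal(s.kek, w, []byte("wrap:"+user))
		if err != nil {
			return err
		}
		s.wrapped[user] = seal(next, dk, []byte("wrap:"+user))
	}
	s.kek = next
	return nil
}

// Recover is the email-reset path; with no spare key on file nothing on the server can open the record.
func (s *Server) Recover(user string) ([]byte, error) {
	w, ok := s.wrapped[user]
	if !ok {
		return nil, errors.New("easy recovery is off: no spare key held")
	}
	dk, err := unseal(s.kek, w, []byte("wrap:"+user))
	if err != nil {
		return nil, err
	}
	return unseal(dk, s.records[user], []byte("record:"+user))
}

// Walkthrough: store a record, enable, rotate the KEK, recover, then disable.
func Walkthrough() (recovered string, recordUnchanged bool, errAfterOff error) {
	dataKey := randomKey() // stands in for the key the device derives from the phrase
	s := &Server{kek: randomKey(), records: map[string][]byte{}, wrapped: map[string][]byte{}}
	before := seal(dataKey, []byte(`{"sleep_hours":7.5,"weight_kg":71.2}`), []byte("record:alice")) // constructed sample
	s.records["alice"] = before
	s.EnableEasyRecovery("alice", dataKey)
	if err := s.RotateKEK(); err != nil {
		panic(err)
	}
	out, err := s.Recover("alice")
	if err != nil {
		panic(err)
	}
	recordUnchanged = string(s.records["alice"]) == string(before)
	s.DisableEasyRecovery("alice")
	_, errAfterOff = s.Recover("alice")
	return string(out), recordUnchanged, errAfterOff
}

func main() { fmt.Println(Walkthrough()) }
```

The AAD on the wrapped blob ("wrap:alice") is the detail worth copying: without it, a wrapped key stored for one account could be moved under another account's row and unwrapped there by the same KEK. Rotation walks only the wrapped keys, which is why neither it nor the toggle costs anything proportional to the data.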
The toggle lives at Settings → Account → Easy Recovery.
Easy Recovery requires two-factor authentication. Before we wrap your spare key you set up time-based one-time codes in an authenticator app (Google Authenticator, 1Password, Authy, or anything else that speaks the standard 6-digit TOTP format), and you will be asked for a fresh code on every new device. A stolen password alone can't reach your data.
On top of two-factor authentication, every new browser or device that uses Easy Recovery has to pass an email confirmation step before we unlock your data there. The first time we see a device, we email a one-click confirmation link to the address on your account. Until you click it the unlock is paused, and your data stays encrypted on that device.
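How the second factor and the new-device pause fit together, as an added Go example rather than søvei's own code. It implements the standard 6-digit TOTP (RFC 6238 over RFC 4226 HOTP) that the authenticator apps above produce, verifies a code with a one-step skew window and a replay guard, and then gates the unlock: a wrong or reused code is rejected, a never-seen device is paused until the confirmation link is clicked, and a trusted device unlocks. The Account type, the device IDs, the Decision strings and the rule that every unlock needs a fresh code (the page commits to that only for new devices) are assumptions; the secret and timestamps are the RFC 6238 test values, so every code is checkable against the RFC's table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp is RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, 6 digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(msg[:])
	h := m.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is RFC 6238 with the 30-second step the standard 6-digit apps use.
func TOTP(secret []byte, unixTime int64) string { return hotp(secret, uint64(unixTime/30)) }

// VerifyTOTP accepts the current step and one either side for clock skew, compares
// in constant time, and refuses any step at or below the last one accepted so a
// captured code cannot be replayed inside the window. Returns the accepted step.
func VerifyTOTP(secret []byte, code string, now, lastStep int64) (bool, int64) {
	cur := now / 30
	for _, step := range []int64{cur, cur - 1, cur + 1} {
		if step <= lastStep {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(step))), []byte(code)) == 1 {
			return true, step
		}
	}
	return false, lastStep
}

type Decision string
const (
	Unlock     Decision = "unlock"
	BadCode    Decision = "rejected: second factor failed"
	AwaitEmail Decision = "paused: confirm this device by email"
	NoPending  Decision = "ignored: no unlock waiting for this device"
)

// Account is the server-side state that gates an Easy Recovery unlock.
type Account struct {
	totpSecret []byte
	lastStep   int64           // highest TOTP step already consumed; start at -1
	trusted    map[string]bool // devices that completed the email confirmation
	pending    map[string]bool // devices whose unlock is paused on that email
}

// RequestUnlock assumes the password was already checked. It demands a fresh code
// on every unlock (stricter than the page, which commits only to new devices) and
// pauses a never-seen device until the confirmation link is clicked.
func (a *Account) RequestUnlock(deviceID, code string, now int64) Decision {
	ok, step := VerifyTOTP(a.totpSecret, code, now, a.lastStep)
	if !ok {
		return BadCode
	}
	a.lastStep = step
	if a.trusted[deviceID] {
		return Unlock
	}
	a.pending[deviceID] = true // the one-click confirm email would go out here
	return AwaitEmail
}

// ConfirmDevice is what the link does: finish the paused unlock, trust the device.
func (a *Account) ConfirmDevice(deviceID string) Decision {
	if !a.pending[deviceID] {
		return NoPending // a stale or repeated click unlocks nothing
	}
	delete(a.pending, deviceID)
	a.trusted[deviceID] = true
	return Unlock
}

// Scenario walks a new phone through the flow with the RFC 6238 test secret and
// timestamps, so every code can be checked against the RFC's own table.
func Scenario() []Decision {
	a := &Account{totpSecret: []byte("12345678901234567890"), lastStep: -1,
		trusted: map[string]bool{}, pending: map[string]bool{}}
	return []Decision{
		a.RequestUnlock("phone-1", TOTP(a.totpSecret, 59), 59),                 // new device: paused
		a.RequestUnlock("phone-1", TOTP(a.totpSecret, 59), 70),                 // same code replayed
		a.ConfirmDevice("phone-1"),                                             // link clicked
		a.ConfirmDevice("phone-1"),                                             // clicked again
		a.RequestUnlock("phone-1", TOTP(a.totpSecret, 1111111109), 1111111109), // trusted device
		a.RequestUnlock("phone-1", "", 1111111111),                             // no code supplied
	}
}

func main() { fmt.Println(Scenario()) }
```

Two details matter more than the arithmetic: the comparison is constant-time, and an accepted step is recorded so the same code cannot be presented twice within the skew window. A replayed code after the email pause is the case an attacker who shoulder-surfed a single code would try, and it is rejected here for that reason.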
You can review the last ten Easy Recovery unlocks at Settings → Account → Easy Recovery. Each entry shows when the unlock happened and whether it came from a trusted device or a new one.
See our Privacy Policy for the legal framing, or contact us if anything on this page is unclear or disagrees with what you're seeing in the app.