privacy February 21, 2026 · 4 min read

Privacy Architecture

How Step FWD stores everything on-device with SwiftData, requires no accounts, makes no cloud calls, and ensures deleting the app deletes everything.

Privacy in most apps means a policy document. A wall of legal text explaining what they collect, how they share it, and which third parties have access to your data. The document exists because there’s data flowing somewhere it shouldn’t be, and lawyers need to cover it.

Step FWD’s privacy architecture is different. We don’t have a complicated privacy policy because there’s nothing complicated happening. Your data stays on your device. There are no accounts, no cloud sync, no analytics on your walking patterns. This post explains exactly how that works, at the engineering level.

SwiftData, local only

Every piece of data in Step FWD lives in a SwiftData database on your iPhone. SwiftData is Apple’s persistence framework — it stores structured data in a local SQLite database within the app’s sandboxed container.

The data models:

  • WalkingSession — each walk you take, with start/end times, steps, distance, calories, goal type, and active duration
  • RoutePoint — GPS coordinates linked to a session, with timestamps and segment markers
  • DailyStepRecord — daily aggregated step counts for historical views
  • UserPreferences — your settings: weight, height, unit preferences, goal targets, notification toggles

The ModelConfiguration is created with isStoredInMemoryOnly: false and no CloudKit database. The parameter to check here is cloudKitDatabase: its .automatic default adopts any iCloud container in the app's entitlements, so a store that must never sync should pass .none explicitly and the app should carry no iCloud entitlement at all. There is no remote sync, no CloudKit mirroring, no replication. The database file sits in the app's Documents directory inside the sandbox and is protected at rest by iOS Data Protection (the default class keeps the file encrypted until the device is first unlocked after a reboot).

No accounts

There is no sign-up flow, no sign-in screen, no email verification, no OAuth redirect. You download the app and use it. Your identity is the device.

This is a deliberate architectural choice, not a missing feature. Accounts exist to link data across sessions and devices. We don’t need cross-device sync because your walking data belongs to the phone that recorded it. We don’t need session persistence because SwiftData handles that locally. We don’t need authentication because there’s no server to authenticate against.

The absence of accounts eliminates entire categories of security concerns: password breaches, credential stuffing, session hijacking, stolen or leaked tokens. None of these apply because there are no credentials to compromise.

One external call

Step FWD makes exactly one network request: fetching current weather conditions via Apple’s WeatherKit.

When you start a walk, the app sends your current coordinates to WeatherKit and receives temperature and conditions in return. That’s it. The request contains a location and returns weather data. No user ID, no device fingerprint, no analytics payload piggybacking on the request. The request goes to Apple’s WeatherKit service, so Apple sees the coordinate and which app is asking; no Step FWD server sits anywhere in that path.

The weather fetch is throttled to at most once every 10 minutes. It uses the device’s cached location when that fix is fresh enough and otherwise makes a single on-demand location request. If the fetch fails, because there is no network, WeatherKit is down, or location is unavailable, the app continues normally without weather data. It’s a graceful degradation, not a blocking dependency.
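The throttle-and-degrade logic above, written out as an added example. This is illustrative code, not Step FWD’s own: the WeatherSnapshot type, the 2-minute freshness window for a cached fix and the decision to count failed attempts against the 10-minute throttle are assumptions; the WeatherKit and CoreLocation calls are real framework APIs.

```swift
import CoreLocation
import Foundation
import WeatherKit

/// What the walk screen keeps. A nil snapshot means "walk without weather".
struct WeatherSnapshot {
    let temperature: Measurement<UnitTemperature>
    let condition: WeatherCondition
    let fetchedAt: Date
}

/// Throttled, fail-open weather lookup (hypothetical type for this example).
actor WalkWeather {
    private let minimumInterval: TimeInterval = 10 * 60   // at most one WeatherKit call per 10 minutes
    private let maxLocationAge: TimeInterval = 2 * 60     // assumption: a cached fix older than this is stale
    private var lastAttempt: Date?
    private var lastSnapshot: WeatherSnapshot?

    /// Returns the freshest snapshot the throttle allows. Never throws, never blocks the walk.
    /// `cachedLocation` is whatever CLLocationManager().location last reported, possibly nil.
    func snapshot(cachedLocation: CLLocation?) async -> WeatherSnapshot? {
        if let lastAttempt, Date.now.timeIntervalSince(lastAttempt) < minimumInterval {
            return lastSnapshot            // throttled: no network, reuse what we have (possibly nil)
        }
        lastAttempt = .now                 // failures count too, so an outage is not retried on every call
        guard let location = await resolveLocation(cached: cachedLocation) else {
            return lastSnapshot            // no position: skip the request entirely
        }
        do {
            // The only outbound data is one CLLocation; the framework handles auth to Apple's service.
            let current = try await WeatherService.shared.weather(for: location, including: .current)
            let snap = WeatherSnapshot(temperature: current.temperature,
                                       condition: current.condition,
                                       fetchedAt: .now)
            lastSnapshot = snap
            return snap
        } catch {
            return lastSnapshot            // offline or WeatherKit outage: degrade, keep tracking
        }
    }

    /// Cached fix if fresh enough, otherwise exactly one on-demand fix, otherwise nil.
    private func resolveLocation(cached: CLLocation?) async -> CLLocation? {
        if let cached, Date.now.timeIntervalSince(cached.timestamp) < maxLocationAge {
            return cached
        }
        do {
            for try await update in CLLocationUpdate.liveUpdates() {
                if let fix = update.location { return fix }   // first fix wins; returning ends the stream
            }
        } catch {
            // location services denied or unavailable: fall through
        }
        return nil
    }
}
```

The caller needs when-in-use location authorization (NSLocationWhenInUseUsageDescription plus a CLLocationManager authorization request) and the WeatherKit capability on the app identifier; neither changes the data flow, which is still one coordinate out and weather in. Recording lastAttempt before the request, not after a success, is what keeps a dead network from turning into a burst of retries.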

Everything else runs locally. Step counting reads from HealthKit on-device. GPS tracking uses CoreLocation on-device. AI insights use Foundation Models on-device. There is no telemetry, no crash reporting SDK, no analytics framework watching your behavior.

Cascading deletion

Every WalkingSession has a relationship to its RoutePoint entries with deleteRule: .cascade. When you delete a walk, its GPS coordinates are deleted automatically. There’s no orphaned data, no cleanup job, no archive table holding soft-deleted records.

The delete operation in SwiftData is immediate and permanent. We call context.delete(session), save the context, and the data is gone from the persistent store. There’s no undo, no recycle bin, no 30-day retention period. When you delete a walk, it’s deleted.
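The local-only ModelConfiguration and the cascade rule from this section and the SwiftData section above, put together as an added example. These are illustrative models, not Step FWD’s source: the field names, the "StepFWD" store name and the demonstrateCascade walkthrough are assumptions; the SwiftData calls (ModelConfiguration, cloudKitDatabase: .none, @Relationship(deleteRule: .cascade), context.delete, fetchCount) are the real framework API. The demo uses an in-memory store so it leaves no file behind.

```swift
import Foundation
import SwiftData

// Hypothetical stand-ins for Step FWD's WalkingSession / RoutePoint; the cascade rule is the point.
@Model
final class WalkingSession {
    var startedAt: Date
    var endedAt: Date?
    var steps: Int
    var distanceMeters: Double

    // Deleting a session deletes every RoutePoint that references it.
    // `inverse` ties both ends so SwiftData keeps them consistent.
    @Relationship(deleteRule: .cascade, inverse: \RoutePoint.session)
    var route: [RoutePoint] = []

    init(startedAt: Date, steps: Int = 0, distanceMeters: Double = 0) {
        self.startedAt = startedAt
        self.steps = steps
        self.distanceMeters = distanceMeters
    }
}

@Model
final class RoutePoint {
    var latitude: Double
    var longitude: Double
    var timestamp: Date
    var segment: Int
    var session: WalkingSession?

    init(latitude: Double, longitude: Double, timestamp: Date, segment: Int) {
        self.latitude = latitude
        self.longitude = longitude
        self.timestamp = timestamp
        self.segment = segment
    }
}

/// Local-only container. `cloudKitDatabase: .none` is the explicit opt-out;
/// the `.automatic` default would attach the store to any iCloud container the app is entitled to.
func makeLocalContainer(inMemory: Bool = false) throws -> ModelContainer {
    let schema = Schema([WalkingSession.self, RoutePoint.self])
    let config = ModelConfiguration(
        "StepFWD",                       // assumed store name
        schema: schema,
        isStoredInMemoryOnly: inMemory,
        cloudKitDatabase: .none
    )
    return try ModelContainer(for: schema, configurations: [config])
}

/// Hard delete: no soft-delete flag, no archive table. The cascade removes the route points.
@MainActor
func deleteWalk(_ session: WalkingSession, in context: ModelContext) throws {
    context.delete(session)
    try context.save()
}

/// Check: after the delete, no RoutePoint should survive, attached or orphaned.
@MainActor
func routePointCount(in context: ModelContext) throws -> Int {
    try context.fetchCount(FetchDescriptor<RoutePoint>())
}

@MainActor
func demonstrateCascade() throws {
    let container = try makeLocalContainer(inMemory: true)
    let context = container.mainContext

    let walk = WalkingSession(startedAt: .now, steps: 1200, distanceMeters: 900)
    context.insert(walk)
    for i in 0..<3 {
        // Constructed sample coordinates, not a recorded route.
        let point = RoutePoint(latitude: 51.5 + Double(i) * 0.0001,
                               longitude: -0.12,
                               timestamp: .now,
                               segment: 0)
        context.insert(point)
        walk.route.append(point)
    }
    try context.save()
    print("route points before delete:", try routePointCount(in: context))

    try deleteWalk(walk, in: context)
    print("route points after delete:", try routePointCount(in: context))
}
```

The second count is the assertion a reviewer would want: it fetches every RoutePoint in the store, not only those still attached to a session, so a cascade that silently nulled the relationship instead of deleting the rows would show up here.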

Delete the app, delete everything

This is the strongest privacy guarantee we can offer: uninstalling Step FWD removes all data, permanently.

Because there’s no server, no cloud sync, and no account, there’s nothing on our side to persist after uninstallation. The SwiftData database lives in the app’s sandboxed container. When iOS removes the app, it removes the container. Every walk, every route, every preference, every daily record is gone from the device. One platform caveat worth knowing: an iOS device backup (iCloud Backup or an encrypted computer backup) copies an app’s container unless the app marks its files as excluded, so a backup taken before you uninstall keeps a copy until that backup is overwritten. That copy sits in your own Apple account or on your own computer, never with us.

There’s no email to send requesting data deletion. No account to deactivate. No support ticket to file. The uninstall button is the delete button.

HealthKit: read only

Step FWD requests read-only access to HealthKit for step count, distance, and active energy. We never write to HealthKit. Your HealthKit data is read by the app on-device and never transmitted anywhere.

HealthKit itself is sandboxed by iOS. An app can read only the specific data types the user has authorized, and only on the device. HealthKit has no remote API, so there is no way for anyone to pull a user’s HealthKit data off the phone through it.

Background operations

Step FWD runs background tasks for two purposes: checking if you’ve reached your daily step goal (to send a local notification), and observing HealthKit for new step data.

Both operations are entirely local. The background goal checker reads from HealthKit and UserDefaults, compares the values, and either sends a local notification or doesn’t. No network request is involved. The HealthKit observer triggers a local data refresh — again, no network.

Local notifications are scheduled and delivered by iOS on the device through UNUserNotificationCenter. They’re not push notifications routed through APNs, and the app never requests or registers a device token with any notification service.
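The read-only HealthKit authorization from the HealthKit section and the two background operations from this section, as one added example. This is illustrative code, not Step FWD’s own: the StepHealth namespace, the UserDefaults keys, the notification text and the hourly delivery frequency are assumptions; the HealthKit and UserNotifications calls are the real framework APIs.

```swift
import Foundation
import HealthKit
import UserNotifications

enum StepHealth {
    static let store = HKHealthStore()

    // Read-only: `toShare` is empty, so the app never asks for, and never gets, write access.
    static let readTypes: Set<HKObjectType> = [
        HKQuantityType(.stepCount),
        HKQuantityType(.distanceWalkingRunning),
        HKQuantityType(.activeEnergyBurned),
    ]

    static func requestReadAccess() async throws {
        guard HKHealthStore.isHealthDataAvailable() else { return }
        try await store.requestAuthorization(toShare: [], read: readTypes)
    }

    /// Today's step total, summed on device by HealthKit.
    static func stepsToday() async throws -> Int {
        let stepType = HKQuantityType(.stepCount)
        let start = Calendar.current.startOfDay(for: .now)
        let predicate = HKQuery.predicateForSamples(withStart: start, end: nil, options: .strictStartDate)
        return try await withCheckedThrowingContinuation { continuation in
            let query = HKStatisticsQuery(quantityType: stepType,
                                          quantitySamplePredicate: predicate,
                                          options: .cumulativeSum) { _, stats, error in
                if let error { continuation.resume(throwing: error); return }
                let steps = stats?.sumQuantity()?.doubleValue(for: .count()) ?? 0
                continuation.resume(returning: Int(steps))
            }
            store.execute(query)
        }
    }

    /// Background goal check: HealthKit and UserDefaults in, a local notification out. No network.
    /// Returns true when a notification was posted; the "already notified today" flag stops repeats.
    static func checkDailyGoal() async throws -> Bool {
        let defaults = UserDefaults.standard
        let goal = defaults.integer(forKey: "dailyStepGoal")        // assumed key
        let today = Calendar.current.startOfDay(for: .now)
        let alreadyNotified = (defaults.object(forKey: "goalNotifiedOn") as? Date) == today
        let steps = try await stepsToday()
        guard goal > 0, steps >= goal, !alreadyNotified else { return false }

        let content = UNMutableNotificationContent()
        content.title = "Daily goal reached"
        content.body = "\(steps) steps today."
        // trigger nil: deliver now, on device; nothing is sent to APNs.
        let request = UNNotificationRequest(identifier: "daily-goal", content: content, trigger: nil)
        try await UNUserNotificationCenter.current().add(request)
        defaults.set(today, forKey: "goalNotifiedOn")
        return true
    }

    /// Observe new step samples. enableBackgroundDelivery lets HealthKit wake the app to run the handler.
    static func startObservingSteps(onChange: @escaping () -> Void) async throws {
        let stepType = HKQuantityType(.stepCount)
        let query = HKObserverQuery(sampleType: stepType, predicate: nil) { _, completionHandler, error in
            if error == nil { onChange() }     // local refresh only
            completionHandler()                // required, or HealthKit stops delivering updates
        }
        store.execute(query)
        _ = try await store.enableBackgroundDelivery(for: stepType, frequency: .hourly)
    }
}
```

Because nothing is written, the app needs only NSHealthShareUsageDescription in Info.plist, not NSHealthUpdateUsageDescription; background delivery additionally needs the HealthKit background delivery entitlement, and local notifications need a one-time UNUserNotificationCenter authorization request. The observer handler calls onChange and then the completion handler regardless, which is what keeps the observation alive across background wakes.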

What this means in practice

If someone gained access to our servers, they would find… nothing. There are no servers. There’s a Vercel deployment serving the marketing site you’re reading right now, and that’s it. No database, no user table, no walking data, no GPS traces. The servers don’t exist because the data doesn’t leave your phone.

This is privacy by architecture, not by policy. We didn’t choose to not collect your data; we built a system where collection is structurally impossible. The data never enters a network pipe, so there’s nothing to intercept, nothing to breach, nothing on our side to subpoena.

Your walks are yours. We built the engineering to keep it that way.