In one sentence
eggshell does not collect any data. Everything you record in the app — medications, doses, hormone values, journal, photos, voice clips, reminders — stays encrypted on your phone and is never sent, shared or stored anywhere else.
Who publishes this app
eggshell is published by douxev, an independent developer. Contact: eggshell@douxev.com. Source code and architecture details: github.com/douxev/eggshell.
What the app never does
- No server connection. The app does not even request the Internet permission: it technically cannot send anything off-device.
- No advertising, no trackers (no Google Analytics, no Crashlytics, no Sentry, no Firebase).
- No account, no user identifier.
- No automatic cloud backup (Google Drive, iCloud: explicitly disabled in the app's manifest).
- No telemetry, no usage metrics, no remote crash reports.
What the app stores and where
All your data lives in an encrypted SQLite database (SQLCipher, AES-256-CBC) in the app's private folder on your phone. Photos and audio recordings are stored as encrypted blobs (AES-256-GCM) in the same folder. The encryption key is either:
- randomly generated and protected by the Android Keystore of your phone (default mode);
- derived from a passphrase you choose (Argon2id);
- or both (mixed mode, or "Paranoid" mode where the key is never persisted).
Without one of these keys, the database contents are unusable — even by someone with physical access to your unlocked phone.
Android permissions and why
- POST_NOTIFICATIONS — show medication and lab reminders.
- SCHEDULE_EXACT_ALARM / USE_EXACT_ALARM — fire reminders at the exact time you scheduled (clinically relevant for HRT regimens).
- RECEIVE_BOOT_COMPLETED — re-schedule reminders after a phone reboot.
- USE_BIOMETRIC — use your fingerprint / face unlock to open the vault, if you opted in.
- CAMERA — only if you choose to use the photo timeline. Capture happens in-app, the photo is encrypted immediately and never written to the system gallery.
- RECORD_AUDIO — only if you choose to use voice tracking. Same: in-app capture, immediate encryption, never in system files.
No network-related permission (INTERNET, ACCESS_NETWORK_STATE) is requested.
Third-party libraries
The app bundles several technical libraries, all 100% on-device:
- SQLCipher — database encryption.
- ML Kit Text Recognition (bundled variant) — text recognition on lab-result PDFs for automatic import. The model ships inside the app; it does not contact any Google server and does not depend on Google Play Services.
- Android Keystore — secure master-key management.
- Jetpack Compose, Material 3, AndroidX — standard Android UI / resource libraries.
None of these libraries perform network calls to our knowledge. You can verify this technically: the app does not request INTERNET permission in its manifest.
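One way to run that check yourself, as an added example that is not part of eggshell's own code: the script below audits a decoded AndroidManifest.xml for network permissions, permissions this policy does not list, and the backup flag. The sample manifest, its package name and the function name audit_manifest are constructed for illustration; point it at the manifest decoded from the released APK (for instance with apktool), because library manifests are merged in at build time.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permissions this policy documents, and the network ones it says are absent.
DOCUMENTED = {"POST_NOTIFICATIONS", "SCHEDULE_EXACT_ALARM", "USE_EXACT_ALARM",
              "RECEIVE_BOOT_COMPLETED", "USE_BIOMETRIC", "CAMERA", "RECORD_AUDIO"}
NETWORK = {"INTERNET", "ACCESS_NETWORK_STATE"}

# Constructed sample of a decoded manifest (not the app's real file).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vault">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:allowBackup="false" android:label="vault"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return network permissions, undocumented permissions and backup state."""
    root = ET.fromstring(xml_text)
    declared = set()
    # uses-permission-sdk-23 also requests permissions, so scan both tags.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID + "name", "")
            if name.startswith(PREFIX):
                name = name[len(PREFIX):]
            declared.add(name)
    app = root.find("application")
    flag = app.get(ANDROID + "allowBackup") if app is not None else None
    return {
        "network": sorted(declared & NETWORK),
        "undocumented": sorted(declared - DOCUMENTED - NETWORK),
        # Android treats a missing allowBackup attribute as true.
        "backup_enabled": flag != "false",
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

An empty "network" list, an empty "undocumented" list and backup_enabled False are what a manifest consistent with this policy should produce.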
Your rights over your data
Because no data ever leaves your phone, there is nobody to ask for access or deletion of data concerning you. All GDPR-type actions are local actions you perform directly:
- Access — all your data is already shown in the app after unlock.
- Portability — Settings → "Export an encrypted backup" produces a .transition.enc file you can keep / move / re-import on another phone.
- Erasure — Settings → "Reset vault" permanently and irreversibly destroys all content and encryption keys. Uninstalling the app has the same effect.
Voluntary sharing
The app includes two sharing features explicitly triggered by you:
- "Doctor visit" PDF export — generates a local document you then choose (or not) to send via the Android system share sheet.
- Encrypted backup — produces a .transition.enc file protected by a passphrase only you know.
In both cases the recipient (doctor, other phone, USB stick…) is chosen by you at share time; nothing is sent automatically.
Phone security itself
eggshell can't protect you from an unlocked phone in someone else's hands. For that reason:
- The Recents thumbnail and screenshots are blocked by default (toggleable in Settings → Privacy).
- An optional "decoy" PIN presents a fake calculator / notes app to a snooping eye.
- A "Paranoid" mode requires the passphrase at every cold boot.
Children
This app deals with adult medical topics (hormone therapy). It is not intended for users under 18 and is not designed to follow the Play Store's "Designed for Families" guidelines.
Changes to this policy
Any change is published on this same URL with the updated date at the top of the page. Substantial changes (new data type, new permission, new third-party service) are also announced explicitly in a "What's new" notice the next time you open the app after the update.
Jurisdiction
eggshell is an independent project developed in France. For any GDPR or related question, the contact remains eggshell@douxev.com.