When we started building Momena, one of the first decisions we had to make wasn’t about design or features. It was about where your data lives.
Most apps answer this question the same way: on our servers, synced automatically, accessible from everywhere. It sounds convenient. And it is — until you start asking the follow-up questions.
Who can see it? How long is it stored? What happens if the company shuts down? What if there’s a breach?
For a general productivity app, these questions feel abstract. For an app that holds your child’s first steps, health records, and family memories, they feel very real.
So we made a different choice. Momena is local-first.
What local-first actually means
Local-first means your data lives on your device by default. Not on our servers. Not in a third-party database. On your phone.
When you add a memory, save a health record, or log a milestone, that data is written to your device and encrypted immediately. We never see it. We can’t see it. We don’t have the keys.
This isn’t just a privacy policy promise — it’s an architectural decision. There is no server-side database for Momena to breach, because there isn’t one.
“But what about iCloud Backup?”
Good question. Momena 1.4 introduced optional iCloud Backup — and yes, that means your data can leave your device if you choose.
The key word is choose. iCloud Backup in Momena is:
- Opt-in, not the default
- End-to-end encrypted before it ever leaves your device
- Password-protected — even we can’t access your backup
- Synced via iCloud Keychain so your password travels with you securely
You control whether it’s on. You control the password. We never touch the content.
Why this matters more than you think
Think about what Momena stores. Your child’s growth measurements. Doctor visits. First words. Diary entries. Family photos. Health symptoms.
This is some of the most personal data a family can have. And yet most apps treat it the same as a shopping list — something to sync to a server for convenience.
We think that’s wrong.
Children can’t consent to their data being uploaded. Parents shouldn’t have to read a 40-page privacy policy to understand where their family’s most private moments end up.
Local-first is our answer to that. Simple, honest, structural.
The trade-offs we accepted
Local-first isn’t free. It comes with real constraints.
There’s no automatic multi-device sync. If you get a new phone, you restore from a backup. There’s no web app to log in to from any browser. Features that require a server — like real-time sharing or collaborative editing — are either not possible or require careful design to do privately.
We accepted these trade-offs intentionally. Because we think for a family app, privacy is a feature, not a setting.
What’s next
We’re not done thinking about this. There are features we want to build — sharing memories with a partner, syncing across family devices — that require us to revisit some of these decisions carefully.
But the principle stays the same: your family’s data belongs to your family. Every architectural decision we make starts from that.
If you’re curious how we implemented the encryption layer, the iCloud Backup architecture, or how we think about future sync features, we’ll be writing about those in upcoming posts.
Until then — your data is on your device. That’s exactly where it should be.