Your journal is not our business model.
Most wellness apps treat your emotional data as inventory. We don't, and we built Hue. so we can't.
Other apps say "we take privacy seriously." We've read the privacy policies of nineteen popular wellness apps; fourteen of them share emotion data with advertisers, six of them pass it to third-party "wellness research partners" by default, and three of them have had public breaches in the last 24 months. The category has a problem.
Hue.'s privacy posture is not a marketing claim. It is an architectural one.
What we don't do, and why we can't.
Your entries live on your device. Period.
Hue. has no servers that store user data. There is no account to create. There is no login. We could not read your journal if we wanted to, because the bytes are not on any computer we own. Backup, if you choose to do it, goes through your phone's native iCloud or Google backup — encrypted with your own keys, not ours.
We don't know how you use the app.
No Mixpanel. No Amplitude. No Firebase Analytics. No "anonymous usage data." When you tap a hue, no event is logged anywhere outside your phone. We are aggressively uncurious about your behavior. The cost: we ship feature updates more slowly. The benefit: we can't sell what we don't have.
No ads. No SDKs. None.
Hue. contains zero advertising SDKs. There is no tracker for Meta, Google, TikTok, AppLovin, or any other ad network. We will never integrate one. The app costs us less than a dollar per month in distribution fees; it does not need to be monetized.
No "research partners." No "wellness ecosystems."
Some apps share emotional data with universities, insurers, or "wellness platforms" by default. We do not. The only way data leaves your device is if you choose to donate it for research — and that pathway is opt-in, anonymized, and granular.
You can audit our claims.
The full app source is on GitHub under the MIT license. The data format is JSON-based and inspectable. If we ever shipped a build that violated any of the above, the diff would show it, and we would lose every user who could read code. That accountability is part of the design.
Your phone holds it; your phone protects it.
Entries are encrypted at rest using your operating system's keychain. On iOS, that's Apple's hardware-backed Secure Enclave. On Android, the Android Keystore. If your phone is locked, your journal is unreadable — even by us, even with physical possession of the device.
Emotional data is the most sensitive class there is.
Health data — what you weigh, what medications you take, what your blood looks like — is regulated under HIPAA in the US and analogous frameworks elsewhere. Emotional data is not. A journal entry that says "I'm not okay tonight" sits outside almost every existing legal protection. There is nothing stopping a wellness company from selling that entry to a life-insurance underwriter. Several have.
This is not a hypothetical. In 2023, the FTC fined the maker of a popular mental-health app $7.8M for sharing user data with Facebook and Google after explicitly promising not to. The data included anxiety scores, depression scores, and free-text journal entries. The fine was a fraction of what the company made selling that data.
Hue.'s response is structural: we built the app so this category of failure is impossible. Not "against our policy." Not "we promise we won't." Architecturally impossible — because the data never leaves your phone in the first place.
If you want to verify any of this, the source code is open. The network requests the app makes (one, on first launch, to fetch a list of public translations) are documented and inspectable. Run a packet sniffer if you like. We've been there before you.
Where Hue. cannot protect you.
Honesty matters more than reassurance. Hue.'s privacy guarantees end at the boundary of your device. There are threats we cannot defend against, and you should know them:
If your phone is compromised by spyware (e.g. NSO Pegasus, Cellebrite extraction), your journal can be read. We can't fix that; the OS vendors are working on it.
If you screenshot an entry and post it, we can't help. Hue. doesn't try to be a secrets manager.
If you donate your data for research, that subset leaves the device. The donation process is anonymized and stripped of free-text — see the Donate page — but it is, by design, no longer fully under your sole control.
If you back up to iCloud or Google Drive, your backup file lives on Apple's or Google's servers. Encrypted, but stored. We can't change that without breaking phone-replacement workflows. You can disable backup in settings.
If a court compels access to your phone, your journal can be read. This is true of any app on any phone. Hue. uses standard OS-level encryption; we are not in the business of pretending it is more than that.