Is user data truly private, or can the team access it internally or via third-party services?

Question

Based on your security page, data is stored on Google Cloud (Firebase/Firestore) with AES-256 encryption at rest and TLS in transit. You also state you only access data with user permission or if legally required. However, I want clarification:

Since data is processed via Google Cloud, does this mean third-party providers have infrastructure-level access?
Do you offer end-to-end encryption, or can your team technically access readable user data?
Are internal access events logged and visible to users?
As you state you are not yet GDPR compliant, how should EU users interpret data protection guarantees?

I’m trying to understand the difference between “private by policy” vs “private by architecture” before storing sensitive data.

ZevsMatic · Answer

If you want me to place an order, I need feedback on this one?

Arthur_ByDesign · Answer

Hey, Arthur here, one of the cofounders of ByDesign. Great questions, happy to address them directly.\u000a\u000aThird\u002Dparty integrations (like calendar) have scoped, limited access only to what\u0027s needed for that feature. They don\u0027t have broad infrastructure access.\u000a\u000aWe don\u0027t offer full end\u002Dto\u002Dend encryption today. That\u0027s an honest tradeoff we\u0027ve made because it would break collaboration features that are core to the app. Internal access to the database is tightly restricted and monitored.\u000a\u000aOn your \u0022private by policy vs private by architecture\u0022 question: we\u0027re currently policy\u002Dbased, not architecture\u002Dbased. We don\u0027t sell or share your data, and we give you full data deletion on request. We\u0027re actively working toward stronger architectural privacy guarantees over time.\u000a\u000aOn GDPR: we\u0027re in active implementation. In the meantime, the core protections (no data selling, full deletion rights) are already in place.\u000a\u000aMore detail on our security page: https://www.bydesign.io/security\u000a\u000aHappy to answer anything else!

Arthur_ByDesign · Answer

Sorry for the delay! Please see response above :)

ZevsMatic · Answer

Thanks Arthur, \u000aappreciate the honest answer.\u000a\u000aMy concern is that “policy\u002Dbased privacy” still means the team could technically access readable user data, even if access is restricted and monitored.\u000a\u000aFor an app that may contain someone’s private life, professional plans, calendar, relationships, and sensitive notes, that feels like a meaningful risk. Until there is stronger architectural privacy!

it.it.it · Answer

Totally agree with ZevsMatic. Perhaps there could be an opt-in option or a choice in the future so we can choose it ourselves?
E.g.
1. Collaboration mode: normal privacy
2. Privacy-focused mode: E2EE, but with no collaboration features

For me, I don't care about collaboration and social on this app, I just want a place where I can store my info reliably + good task mgmt features for personal use

ByDesign

Share ByDesign

Related questions