ReturnKit
Open app
Data & security

Your data, and how it's kept

The technical detail behind the privacy policy, in plain English. Last updated: 4 June 2026.

Where your data lives

By default, everything you put into ReturnKit stays on your device, in your browser's local storage. It does not leave unless you turn on cloud sync. If you never turn sync on, there is nothing of yours on any server, full stop.

Cloud sync, if you turn it on

Cloud sync stores a mirror of your data in the EU (Cloudflare). It is encrypted in transit (HTTPS) and encrypted at rest by the storage layer. In this default mode the data is readable by the service in order to sync it across your devices. You can turn sync off, or delete the cloud copy, at any time from Settings.

End-to-end encryption, when you want it

This is the part most apps skip. ReturnKit offers an optional end-to-end mode. When you turn it on and set a passphrase, your data is encrypted on your device with a key derived from that passphrase (AES-GCM), and only the encrypted result is ever sent. The server holds ciphertext only, and we cannot read it. This is "zero-knowledge": the difference between at-rest (encrypted on disk, but the host could read it) and end-to-end (encrypted for your eyes only).

The honest trade: with end-to-end on, only you hold the key. If you forget the passphrase, no one, including us, can recover that data. That is the point.

What metadata exists

With sync on, the service can see: your email mapped to a random sign-in token, that token, sync timestamps, and the size of your data blob. With end-to-end on, it still sees timestamps and size, but not the contents. With sync off, none of this exists server-side.

The AI Copilot

When you use the Copilot, your prompt is proxied, not stored. It is sent to the AI provider (Anthropic by default), the answer comes back, and nothing about the prompt is written to our storage. Before a prompt is sent, identifying details (your name, date of birth, your kids' and partner's names, exact dates) are stripped by default. The provider's API does not train on inputs. So the only retention is the provider's own short abuse-monitoring window, not ours.

Your data outlives the company

Local-first only matters if you can take your data with you. You can export everything as a JSON file from Settings (the same complete data set sync uses), and re-import it via Settings, Backup and restore, which also keeps rolling local snapshots. The format is plain, readable JSON. If ReturnKit disappeared tomorrow, your data would still open, and still be yours.

What we never do

Verifying this yourself

Because it is local-first, you can check most of this directly: open your browser's developer tools and watch the network while you use the app. With sync off, your content stays in local storage and nothing leaves. We would rather you trust what you can see than what we claim.

Questions about data or security? privacy@returnkit.life.