The Safe App Manifesto
I’ve been thinking about this one forever: apps become less and less usable, with ever more abusive practices. Now that generated content is becoming ubiquitous, I think it’s time for me to write down these principles and formalize them, so I have something to refer back to when needed.
I initially wrote the first 5 guidelines in January 2024, but they had been on my mind much, much longer than that. Each principle represents a responsibility on the part of the app owner, towards the user.
The Safe App Manifesto
Towards long-term user trust and health
Principle 1: No Soliciting. Never show the user content they haven’t explicitly requested. This includes pop-ups. Recommendations made to users must match, even if partially, what has been queried.
Principle 2: Discoverability. The user has easy and unrestricted access to their data, inventory, or catalogue. Whatever the user has the right to see, they should be able to easily reach.
Principle 3: Auditability. The user has a right to an accurate and complete history of their usage. All their views, transactions, and interactions should be recorded and available. All actions should be reversible.
Principle 4: Opt-Out By Default. All permissions, notifications, communications are disabled by default. This includes cookies. Legal correspondence is the only exception.
Principle 5: Data Stewardship. No data is ever stored outside a user’s device. This includes backups. Multi-device synchronization uses end-to-end encryption; keys are never sent over a network, and nothing is ever stored or logged. Data stored on the user’s device is encrypted.
Principle 6: Continuity. The right for a user to continue exactly where they left off. If a user stops midway through a task, they must be able to return to the exact same point where they left off.
Principle 7: Clean Interface. User interfaces are flat and vectorized. Borderless design whenever possible. Illustrations are accepted, but not abstract artwork. Limit the use of photos as much as possible; when photos are used, users are allowed to zoom in and download them. Real-world objects can be represented in 3D if necessary, as long as the user is able to perform full 3-axis rotation, scaling, and panning.
Applying the Principles
| App | No Soliciting | Discoverability | Auditability | Opt-out By Default | Data Stewardship | Continuity | Clean Interface | Score |
|---|---|---|---|---|---|---|---|---|
| X | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 0/7 |
| | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | 4/7 |
| | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | 1/7 |
Technical Notes
TO DO
One day I’m coming back to this section and detailing a technical implementation of these features. But for now, the time is up, and I need to start working on the next post. Cheers
Privacy Policy
Last updated: July 13, 2025
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You. We do not use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Application refers to Cogbeat, the software program provided by the Company.
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Cogbeat.
- Country refers to: Poland
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to the Application.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Use of Your Personal Data
Your personal data is not used.
Your personal data is not shared.
Retention of Your Personal Data
We may temporarily retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your personal data is not transferred.
Delete Your Personal Data
Your personal data is not collected.
Disclosure of Your Personal Data
Business Transactions
Your personal data is not collected.
Law enforcement
Your personal data is not collected.
Other legal requirements
Your personal data is not collected.
Security of Your Personal Data
Your personal data is not collected.
Children’s Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers. If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent’s consent before We collect and use that information.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.