Privacy Architecture

Why Boris has no backend (and what that costs us)

The honest engineering story of how Boris™ protects your data — by not having it.

Last updated: 2026-05-01

The deal

The promise

Your phone is the only place Boris stores anything about you.

Boris doesn’t have your data because Boris never asked for it. There’s no account to create, no email to enter, no password to remember. The app works the moment you open it, and everything you do — every task you check off, every business you save, every preference you set — stays on your device. Nothing is uploaded. Nothing is synced. Nothing is shared.

If you delete the app, your data goes with it. If your phone breaks, we can’t restore it. If Boris is sold or shut down tomorrow, no one inherits anything about you, because there’s nothing to inherit.

That’s the deal. The rest of this page is the honest version of how it works, what it costs you, and what it costs us to keep it that way.

What we don't do

What this means in practice

Things Boris does not do, by design:

  • No account, no login, no email, no password
  • No analytics — we don’t count installs, we don’t measure feature usage, we don’t track sessions
  • No advertising IDs, no fingerprinting, no third-party trackers
  • No location tracking
  • No push notifications driven by anything we know about you (the notifications you get are scheduled locally on your phone for tasks you set up — they never leave your device)
  • No data sales, no “anonymized data shared with partners,” no data-broker pipeline
  • No marketing emails, because we don’t have your email
  • No re-engagement campaigns, because we don’t know who’s stopped using the app
  • No A/B tests on your behaviour, because we can’t see your behaviour

We didn’t disable these things or turn them off. We never built them.

Every network call, named

The six things Boris talks to the internet for

Boris is not a fully offline app. There are six specific things the app fetches from the internet, and we want to name every one of them honestly.

Read-only fetches (anonymous)

These five fetches request public information and identify nothing about you. The request body contains no user ID, session ID, account, or fingerprint.

  1. Currency rates. The exchange-rate widget on the home screen fetches the current USD/EUR rate from the Frankfurter API (api.frankfurter.dev), which wraps European Central Bank reference rates. Anonymous, cached for the day.
  2. Directory updates. The KMC business directory fetches the latest verified listings as a static JSON file from Boris’s content host. Anonymous; the same file is fetched by every Boris install.
  3. Checklist content. Task descriptions, hours, addresses, and tip text get pulled as a static JSON file when content updates ship between app releases. Anonymous.
  4. Splash configuration. A small JSON file that controls the welcome screen content (e.g. seasonal updates, important community-wide notices). Anonymous.
  5. Community alerts. Active KMC-wide notices (e.g. major office closures, region-wide warnings) are fetched on app open as a static JSON file. Anonymous.

Boris’s content host (Cloudflare Pages) and the Frankfurter API receive the standard HTTP metadata that any web request includes — IP address, user-agent, request time — but no Boris-specific identifier that would let them link your fetch today to your fetch yesterday or to anyone else’s fetch. The JSON files served back are identical for every install.

Voluntary write (you trigger it)

  6. Corrections. If you tap “Report a problem” on a checklist task — for example because a phone number is wrong or hours have changed — the app sends four things: the task identifier, the task title, the correction text you typed, and an optional source citation you typed (e.g. a URL or “told at VAT office”). That’s it. No name, no email, no device ID, no location, no account. The submission lands in a private GitHub issue tracker that only the Boris team can see, and it gets used to fix the content for everyone. You see exactly what gets sent before you send it. Both text fields are filled in by you. You opt in to each correction.

That’s the complete list. Six network calls. Nothing else leaves your phone, ever.

The honest tradeoff

What this costs us

The privacy posture above is not free. It’s a real engineering and business constraint, and it costs us things you should know about:

  • We can’t tell you how many families use Boris. When we say “the app is being used in the KMC,” we mean it the way you’d mean it about a restaurant — we hear about it from people, we don’t have a counter.
  • We can’t fix bugs based on what users do. If a task is confusing and people skip it, we have no way to learn that from data. We learn from people telling us, the way you’d tell a friend.
  • We can’t improve features based on usage signals. Most apps optimize what they show you using behavioural data. We optimize using judgment, conversations, and careful documentation about what KMC families actually need.
  • We can’t market to lapsed users. If someone stops using Boris, we can’t reach them, because we don’t know who they are.
  • We may grow more slowly than a product that captures everything and optimizes for engagement. We’re betting that’s worth it.
  • We’re slower at detecting stale content because we don’t see signals like “this address is the most-clicked one and last week 30 people reported it broken.” We rely on a separate verification cadence that re-checks content on a schedule whether anyone reports it or not.

We chose to pay these costs. We think the trade is the right one for a product KMC families use during one of the most exposed periods of their lives. But we owe you the honest version of what we gave up to make it true.

What you get back

What this gives you

  • Your PCS journey is yours alone. No one knows you’re moving except the people you tell. Boris doesn’t know.
  • No one knows what tasks you’ve checked off, what businesses you’ve saved, or what mode of the app you’re in. That state lives only on your device.
  • Your data is not on a server that could be hacked, because there is no server with your data on it. There’s nothing for an attacker to steal at our end. Even Boris’s own infrastructure has none of your information on it.
  • If Boris is acquired, sold, or shut down, no successor inherits anything about you. There’s nothing to inherit.
  • If a government agency in any country issues a subpoena for “all Boris user data,” the honest answer is that there is none to hand over. We engineered the absence on purpose.
  • You can use Boris under SOFA status, as a contractor, as a NAF civilian, as a German national, or as a curious civilian without any of those statuses leaving your device. Boris doesn’t ask, doesn’t collect, and doesn’t tell.

Don't take our word

How you can verify this is true

We don’t expect you to take our word for it. Here’s how to check:

  • Watch the network. Any technical reader can route Boris through an intercepting proxy (Charles, mitmproxy) or capture its traffic with Wireshark and observe every byte the app sends. The six requests described above are the only ones you’ll see.
  • Read the legal documents. The Datenschutzerklärung and Impressum are public, dated, and lay out the same posture in legally precise language. They’re aligned with this document, not in tension with it.
  • Compare claims to behaviour. If we ever describe a feature here that involves data leaving your phone, this document tells you exactly what data and exactly when. If you ever observe a network call we haven’t disclosed, that’s a bug — please report it through the corrections form in the app.

The why

The principle underneath this

Trust is not a marketing word at Boris. It’s an architectural choice we made before writing the first line of code, and one we keep paying to maintain.

The principle is simple: most apps treat your data as the asset and your trust as the cost. Boris does the opposite. Your trust is what makes Boris worth using. The absence of your data on our infrastructure is the proof that the trust is earned, not asked for.

This is the same principle that made us:

  • Refuse to add Google Analytics, Facebook Pixel, or any tracker
  • Refuse to integrate ad networks, even ones that “respect privacy”
  • Refuse to require an account, even though it would have made some features (sync across devices, recovery after phone loss) much easier to ship
  • Refuse to sell, share, or “monetize” the directory of KMC businesses by selling access to “user intent data”
  • Choose the legal posture of operating fully under German DSGVO and TMG rules, not the lighter footprint of a US-based startup

Each of those decisions was a real cost. We wrote them down so future versions of Boris stay honest.

The technical choice

What we built instead of accounts

The technical choice underneath all of this: every piece of state Boris keeps about you lives in AsyncStorage — the standard local-storage mechanism React Native apps use on iOS and Android. Your tenure date, your selected status (active duty / GS / contractor / NAF civilian / German civilian), your saved places, your completed tasks, your dismissed banners — all of it lives in the Boris app’s private sandbox on your phone, isolated from other apps by the operating system.

The cost: lose your phone, lose your Boris state. We have nothing to restore from. There is no “log in on a new device” because there is no account.

The benefit: nothing about you exists anywhere except on the device you hold in your hand.

We considered building a sync feature with end-to-end encryption. We chose not to. Even with end-to-end encryption, the metadata of “Boris user X has Y devices that sync at time Z” is information we don’t want to have. The simpler choice — no sync, no recovery, no infrastructure — is the more honest one.

If you want belt-and-suspenders before switching phones, take a screenshot of your checklist progress. Lo-fi, but it works, and it costs you nothing in privacy.

Specifically for the KMC

Why this matters for KMC families

You are already living a life with more data exposure than most. Your information sits in DEERS, MyPay, AAFES, OPM, the Defense Health Agency, USAFE / EUCOM / U.S. Army Garrison systems, the German Bürgeramt and Krankenkasse, your housing portal, your car insurance database, your TLA receipt records, your school enrolment systems, and more. Each of those is necessary. Each requires trust.

The last thing you need is another app quietly adding to that pile.

Boris is the one place in your KMC stack that simply doesn’t need anything from you. You can use it during your most chaotic week, your most stressful task, your most uncertain decision — and it will help without taking. That is the contract.

Our public commitment

Holding ourselves accountable

This document is dated 2026-05-01.

If our architecture changes — if we ever add a network call, change what data is collected, modify the corrections payload, or add any kind of account or sync — we will update this document, date the change, and say what changed and why. Old versions will remain accessible.

If a future version of Boris ever takes a step away from the posture described here, that step will be visible, dated, and explained — not hidden in a privacy-policy update at the bottom of an email. We hold ourselves to that standard, and we want the standard public so you can hold us to it.

For ACS / FSS / LRMC / garrison

A note for institutional readers

If you’re evaluating Boris on behalf of an organization that supports KMC families (ACS, FSS, LRMC, garrison welcome programs, AFTB, command sponsorship offices), the privacy posture above is intentional and durable. It’s not a phase, not a limitation we plan to “grow out of,” and not contingent on funding.

Boris was built specifically so that any institution recommending it to families could do so without a third-party data review, because there is no third-party data flow to review. We can’t share data we don’t have.

We are happy to walk through the architecture in detail, demonstrate the network behaviour live, and answer specific questions from institutional evaluators. Reach us through the corrections form in the app or through the Impressum contact at borispcs.com/impressum.

For engineers + auditors

A note for technical readers

The architecture summarised here:

  • State management: React Native + AsyncStorage. No remote persistence layer, no sync, no cloud backup integration with the user’s iCloud or Google account.
  • Network layer: Six explicitly defined endpoints, all read-only except the corrections submission. No telemetry SDK, no crash reporter that uploads, no third-party analytics.
  • Build pipeline: No injection of tracking libraries during build. Production builds contain only the code in the source.
  • Notifications: All scheduled locally via the OS notification scheduler (Apple’s UNUserNotificationCenter / Android’s local notifications). No push tokens are registered with Boris servers because there are no Boris servers to register them with.
  • Font loading: Fonts (Inter, Plus Jakarta Sans, JetBrains Mono) are loaded from @expo-google-fonts/* npm packages that bundle the font files into the app binary. No runtime fetch from fonts.googleapis.com or fonts.gstatic.com. The same fonts are self-hosted on Cloudflare Pages for the website (no CDN dependency for fonts there either).
  • Compliance posture: DSGVO + TMG aligned. The website’s Datenschutzerklärung is the legally precise version of this document and discloses that Cloudflare Pages (the host for both the website and the app’s content JSON files) processes standard server-log metadata under Art. 6(1)(f) DSGVO.
  • Corrections endpoint: A Cloudflare Worker that proxies the four-field payload (taskId + taskTitle + correctionText + source) into a private GitHub issue. The Worker logs nothing it doesn’t need; the GitHub repo is not public.

If anything in the live app behaves differently than what’s described here, that’s a bug we want to know about. Network proxy traces are the canonical evidence; please send them through the corrections endpoint or via the Impressum contact.
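
The check described under “Watch the network” and in this note, as an added example that is not Boris's own code: it audits a HAR capture exported from an intercepting proxy against the six disclosed calls and the four-field corrections payload. The hostnames `content.boris.example` and `corrections.boris.example`, the JSON POST body, and the sample capture are assumptions; only `api.frankfurter.dev` and the four field names come from this page.

```python
import json
from urllib.parse import urlsplit

# api.frankfurter.dev is named on the page; the other two hostnames are
# placeholders (assumptions), since the page does not publish them.
READ_ONLY_HOSTS = {"api.frankfurter.dev", "content.boris.example"}
CORRECTIONS_HOST = "corrections.boris.example"
CORRECTION_FIELDS = {"taskId", "taskTitle", "correctionText", "source"}
LINKING_HEADERS = {"cookie", "authorization"}  # would make fetches linkable

def check_correction(req):
    # Assumption: the corrections body is a JSON object sent by POST.
    try:
        body = json.loads((req.get("postData") or {}).get("text") or "")
    except json.JSONDecodeError:
        body = None
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    extra = sorted(set(body) - CORRECTION_FIELDS)
    return [f"undisclosed field(s) {extra}"] if extra else []

def audit_har(har):  # one finding per departure from the six disclosed calls
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        method, url = req["method"].upper(), req["url"]
        tag = f"{method} {url}"
        host = urlsplit(url).hostname or ""
        names = {h["name"].lower() for h in req.get("headers", [])}
        if linked := sorted(names & LINKING_HEADERS):
            findings.append(f"{tag}: linkable header(s) {linked}")
        if host in READ_ONLY_HOSTS:
            if method != "GET" or req.get("postData"):
                findings.append(f"{tag}: write sent to a read-only host")
        elif host == CORRECTIONS_HOST and method == "POST":
            findings += [f"{tag}: {p}" for p in check_correction(req)]
        else:
            findings.append(f"{tag}: undisclosed destination or method")
    return findings

# Constructed capture in HAR shape; paths and values are made up.
SAMPLE = {"log": {"entries": [{"request": r} for r in (
    {"method": "GET", "url": "https://api.frankfurter.dev/v1/latest", "headers": []},
    {"method": "GET", "url": "https://content.boris.example/alerts.json",
     "headers": [{"name": "Cookie", "value": "sid=constructed"}]},
    {"method": "POST", "url": "https://corrections.boris.example/", "headers": [],
     "postData": {"text": '{"taskId": "t1", "correctionText": "x", "deviceId": "d"}'}},
    {"method": "GET", "url": "https://tracker.example/pixel", "headers": []},
)]}}
```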
