r/dataprivacy

▲ 6 r/dataprivacy+4 crossposts

Fields - Personal Info Vault

Hi everyone,

We’ve built a minimal, privacy-focused personal data vault and are looking for beta testers for iOS.

Fields is designed to securely store personal information completely on-device with encryption. The app focuses on simplicity, privacy, and organization without accounts, ads, or cloud dependency by default.

Current features include:
• Encrypted on-device storage
• Face ID / Touch ID protection
• Custom fields and nested subfields for organizing data
• Secure vault-style UI for IDs, documents, notes, and sensitive info
• Export & import encrypted backups
• Privacy overlay when switching apps
• Minimal and clean design
• Offline-first experience

We’re especially looking for feedback on:
• Security & privacy behavior
• Face ID / Touch ID reliability
• Export/import flow
• App lock & overlay behavior while multitasking
• UI/UX consistency
• Performance and stability with lots of data

Please try adding random data, long notes, many fields/subfields, and stress test the app however you can.

If you’re interested in testing or giving feedback, feel free to comment or DM. Your feedback would really help us improve the app before launch.

testflight.apple.com
u/FieldsApp — 5 days ago
▲ 5 r/dataprivacy+3 crossposts

Compliance is not a badge collection!

At this point I am fairly certain that if we add one more compliance badge to our homepage, the website will collapse under its own moral superiority.

Not explode. Not crash. Just quietly give up. Like: "Mate, I cannot carry ISO 27001, 27018, 42001, NIST, CIS, CSA STAR, GDPR, EU AI Act, EU Data Act and your ego. Pick a struggle."

None of this was the plan.

Nobody wakes up one day and thinks "you know what I'd like to do professionally? Collect regulatory frameworks like rare artefacts, except the artefacts are PDFs and the reward is more PDFs."

This is what happens when you sell into enterprise environments.

One customer wants GDPR (totally agree). Another prefers CSA STAR registry (makes sense). Someone else insists on NIST CSF (fair enough). Then CIS Controls joins (alright…), followed by regional frameworks, some personal data protection variants, and, if you are not careful, the temptation to add frameworks from jurisdictions you can only reach with two stopovers and a mild panic attack at immigration becomes real - not because anyone actually needs them, but because at some point the list itself starts to feel like the product.

And because we enjoy radical luxuries like “revenue” and “remaining in business,” we say yes to what is required - and try very hard not to drift into what merely looks impressive.

The awkward truth nobody wants to say out loud: most modern privacy frameworks are not wildly different creatures. They are variations. Some stricter, some more relaxed, some reorganising concepts, others renaming them so they sound more official or slightly more intimidating when read aloud in a boardroom. Many will confidently explain that they are entirely unique, independent frameworks. Which is impressive, because a surprising number of them look like GDPR wearing a different outfit and insisting they are a completely unrelated alter ego. A lot of these frameworks are GDPR with a new haircut, a regional accent, and a very strong opinion about being original.

Claiming coverage is not the same as demonstrating capability. In the same way that saying "No hablo español" does not make you bilingual, listing frameworks does not mean you have operationalised them. It just means you have learned how to sound convincing while exiting the conversation. Give it enough time and you could probably justify adding a framework from somewhere that sounds vaguely fictional, supported by a regulator nobody has ever spoken to, governing a scenario your product will never encounter. At that point you are no longer communicating your security posture. You are assembling a compliance-themed trading card collection and hoping nobody asks you to actually play the game.

And now, our favourite punching bags. Yes, the usual suspects. Yes, everyone knows them.

Equifax - deeply regulated, thoroughly audited, fully certified. A known vulnerability did not get patched. Not obscure. Not advanced. Known. 147 million people. Not a framework failure. A system forgetting to do something so basic it borders on insulting.

British Airways - strict compliance regimes, PCI standards, the full enterprise security starter pack. Attackers skimmed payment data from their website for months. Not hours. Not days. Months. At that point it is less of a breach and more of a long-term arrangement.

Both had impressive lists. The lists did not help.

Frameworks describe what a secure system should look like. They do not guarantee the system will behave that way when it matters. If your foundation is solid, aligning with additional frameworks is largely mapping and documentation. If your foundation is not solid, adding frameworks is decoration. Very expensive decoration, but decoration nonetheless.

Honestly? We will keep expanding our list because customers expect it, procurement requires it, and principles have a remarkable tendency to become flexible when invoices arrive. But the expansion does not make the system more secure. It actually only makes us more fluent in describing the same system in multiple regulatory languages.

At some point the more relevant question is not how many frameworks are listed, but whether the system itself is understandable, controllable, and capable of behaving correctly under pressure.

Because if explaining your compliance posture becomes more complex than your system itself, you have not increased trust.

You have simply made it harder to see what is actually going on.

Do you fancy reading more articles and blogs? If yes, here you go: https://kolsetu.com/blog

u/EdikTheFurry — 10 days ago
▲ 13 r/dataprivacy+1 crossposts

AI to organize files - privacy

Is anyone using Claude Code or Codex to organize their computer or notes?

My computer is a mess and I would love to use AI to be more organized, but I am afraid of the privacy angle.

Maybe someone knows more about this subject.

u/Zestyclose-Cup589 — 13 days ago