Every other porn blocker can leak your data. Here's why I built mine not to.
In early 2026, one of the most-downloaded porn-recovery apps in the world had a data leak.
Over 600,000 users. Ages. Masturbation frequency. The specific things they typed in as "triggers." Personal confessions they wrote into the app thinking nobody else would ever see them.
All of it sitting in a misconfigured database that a random security researcher stumbled into. The company had been warned about the vulnerability months earlier. They did nothing. Then a journalist wrote about it. Then it was everyone.
Imagine being one of those users. You downloaded the app to get free of something. You typed in your shame, your patterns, the times of day you slip. You did it because the app said it was safe. Then one day it was on the internet for anyone to read.
I'm not naming the app to be cruel. I'm naming it because it's the one most people in this space would have downloaded. If you've ever Googled "best porn blocker app," you've probably downloaded it. The breach is well documented. It happened. It can happen again, to that app or to any of the others.
This post is about why it can't happen with the app I built.
The thing nobody tells you about recovery apps
Every other app in this space has a server. Has to. The way they make their product work is by:
- You sign up with an email. The email goes into their database.
- You log your streak. The streak goes into their database.
- You write a journal entry. The journal entry goes into their database.
- You select which apps to block. That selection goes into their database.
- You tap "I had an urge" or "I slipped." That tap goes into their database.
Once it's in their database, it's their database. They promise to keep it safe. They write that in their privacy policy. They mean it, mostly. But promises are not the same as architecture.
The way to know whether a company can leak your data is not to read their privacy policy. It's to ask one question. Do they have a server? Because if they do, they can be hacked, they can be subpoenaed, an employee can misconfigure something, a contractor can take a database backup home. Every promise in the world about "we take security seriously" comes apart the day one of those things happens.
The recovery space is especially bad for this. The data is more sensitive than almost anything else you store online. The apps are built fast, mostly by small teams. They don't have a security department. They use third-party analytics, third-party crash reporting, third-party support chat. Every one of those is another way the data leaves their server. And nobody who downloads the app reads the legal docs to figure out which ones are in the chain.
That breach was not the first one in this space. Last year a mental health and addiction recovery company called Confidant Health left a 5.3 terabyte database exposed. Therapy session audio. Video. Transcripts. Drivers license scans. Five point three terabytes. Of recovery patients. Just sitting there.
These are not edge cases. These are what happens when sensitive personal data sits on a server.
What I built differently
When I started building Escape three years ago, I made one decision early that everything else flows from.
I would not have a server.
Not "I'll have a server but be careful with it." Not "I'll have a server but encrypt everything." Not "I'll have a server but promise to delete data when you ask."
No server. None. There is nothing in the company for me to leak. There is nothing for a hacker to break into. There is nothing for a future me to sell. There is nothing.
This was not a small decision. Going server-less on iOS in 2023 meant giving up:
- User accounts (so I can't have a login screen)
- Cross-device sync that I control (Apple's iCloud does it, between your own devices, encrypted with keys Apple holds, not me)
- Push notifications based on what you do in the app (those would need a server)
- Server-side analytics on what people use (I get aggregate anonymous counts, nothing else)
- Easy ability to sell the company someday (most acquisitions value the user database, and I don't have one)
What I got in exchange:
You can use Escape and I have literally no idea who you are.
I cannot see your streak. I cannot see what you blocked. I cannot see your journal. I cannot see when you opened the app, what page you were on, how long you stayed. I cannot see if you slipped. I cannot see your name because there is no field where you typed your name. I cannot see your email because there is no field where you typed your email.
It is not that I promise not to look. It is that there is no thing on my side to look at.
How the app works without a server
This is the part most people I meet do not believe at first. They think there has to be a server somewhere. They think there has to be a database I am pretending not to have.
Here is the honest mechanical explanation, in plain language.
When you install Escape, the app lives on your phone. All the data the app creates, your streak, your journal, your selected apps to block, your settings, lives on your phone. In a place iOS calls "the sandbox," which is just a folder on your device that only this app can read.
If you have iCloud turned on in your iOS settings, some of that data may sync between your own Apple devices. Your iPhone to your iPad, for instance. That sync is between your devices, through Apple's infrastructure, encrypted by Apple, with the keys Apple holds. I am not in the loop. I cannot read it. Apple cannot read it for me. If you turn iCloud off, the data does not leave your phone at all.
The Safari content blocker, which is the most useful part of the app for most people, is interesting. iOS handles the actual blocking. Escape gives iOS a list of websites. iOS does the blocking. Escape never sees which sites you visit. The list goes one way. iOS one way blocks. Nothing reports back.
The app blocking, which lets you block Instagram and TikTok and whatever else, uses an Apple framework called Family Controls. Same shape. I send iOS a list of apps. iOS blocks them. I never see when you tap a blocked app. I never see when you unblock one. The "tokens" iOS gives me for which apps you blocked are encrypted in a way that even I cannot decode, by design.
The 90-second urge ritual, which is the thing some people use the app for the most, runs entirely on your phone. The timer is local. The breathing instructions are local. The button you tap at the end is local. There is no "I had an urge" event that gets sent to me. There is no analytics on this. There is no anything.
There is exactly one piece of data that leaves the app. Anonymous product events through a service called TelemetryDeck, which is a German privacy-focused analytics tool. It tells me things like "the average user opened the app 4 times this week." It cannot tell me anything about you specifically. There is no identifier on these events. There is no IP address. There is no device id. It is hashed in a way that even I cannot reverse, and the salt is unique per install, so even if I tried, I could not tell that two events came from the same phone.
If I am ever hacked tomorrow, the worst thing the hackers get is "the user base opened the app a lot this week." They get nothing about you. Because I have nothing about you.
The comparison nobody puts in their marketing
Here is a category comparison. Not by app name, by what kind of app does what.
| Typical recovery app | A few privacy-conscious ones | Escape | |
|---|---|---|---|
| Account required | Yes (email + password) | Sometimes | No |
| Server stores your data | Yes | Limited | No, none exists |
| Has community or AI chat | Often | Usually no | No |
| Knows what you block | Yes | Yes (server-side state) | Architecturally cannot |
That last column is the one I want you to look at. Every other category could be subpoenaed, could be hacked, could be sold, could be acquired by someone with worse intentions. Even the most privacy-conscious of the bunch has a server somewhere with state on it.
Escape architecturally cannot. It is not that I promise not to know what you block. It is that the iOS frameworks I use do not tell me what you block. The information does not exist outside your phone.
The honest limits
I want to be honest about what this does not protect you from.
It does not protect you from someone with physical access to your phone. If your partner picks up your unlocked phone and opens Escape, they see your streak. Your data is on your device. Use a device passcode.
It does not protect you from yourself, in a determined moment. Anyone who wants to badly enough can uninstall the app and reinstall a different way of accessing the content. The point of blockers is not to make access impossible. It is to add enough friction at 11pm on a Tuesday that the easy default is the right one.
It does not protect you from Apple. Apple's iCloud is good but it is not zero-knowledge end-to-end encrypted by default for everything. If you turn on Advanced Data Protection in your iCloud settings, it becomes that. I recommend doing that regardless of whether you use my app.
It does not mean I have zero technical risk. I could ship a buggy update tomorrow that crashes your phone. I could mess up. I am one person. I have backups and tests and process, but I am one person.
What it means is the specific thing that happened in that breach cannot happen to Escape. There is no database to leak. There is no list of users to sell. There is no journal of yours that ends up screenshotted on a forum.
Why I built it this way
I am going to tell you the personal version, because the architectural version reads as a sales pitch if you do not know me.
I was someone who spent a long time stuck on porn. I tried every kind of blocker. I downloaded the recovery apps. I read the forums.
What I noticed was that every app I tried wanted me to give it something. My email. My age. My specific habits. The times I slipped. A confession box where I was supposed to write what was wrong with me.
I do not know if you have had this experience but I did. I sat with my thumb over the "create account" button and asked myself a question. Do I trust this random Delaware LLC with the most embarrassing thing in my life. Forever. With no real recourse if they leak it.
The answer was no. Every time. And so I bounced off every app I tried, not because they did not work, but because the entry price was too high.
When I started building Escape, the first thing I designed was the no-account part. Before the blocker. Before the courses. Before anything. The fundamental promise was: you can use this without becoming a row in someone's database. Everything else flows from that.
This is not a marketing position. This is the entire reason the app exists. If I had to add accounts tomorrow to grow faster, I would not. If I had to add a community feature that required a server, I would not. If I had to add an AI chatbot that streamed your messages to some third-party AI provider, I absolutely would not.
The architectural privacy is the product. Not a feature of the product. The product itself.
What to do if you don't believe me
You should not believe me. You should believe what you can verify.
The verifiable things, in order of how much trouble it would be:
1. Open the app's privacy nutrition label on the App Store. It shows "Data Not Collected." This is enforced by Apple. Lying gets the app removed.
2. Read the privacy policy at escapethegrip.com/privacy. The full version, the one with the GDPR carve-outs and the Quebec specifics. It is long because it is honest, not because it is hiding something.
3. Open a packet sniffer like Charles Proxy or Little Snitch and watch what the app talks to. You will see iCloud (your account, encrypted by Apple), the App Store (for purchase verification), and one telemetry endpoint in Germany. That is it.
4. Look at the iOS frameworks the app uses. Family Controls is Apple's. ManagedSettings is Apple's. The Safari content blocker is Apple's. These frameworks are documented. Their data-flow contracts are documented. They do not give the developer information about what the user does.
You do not have to trust me. You can verify it. That is the entire point.
The thing I want you to take from this
I do not think every app needs to be built this way. There are good arguments for cloud-backed apps. Cross-device sync is harder without a server. Personalization is harder without a server. Community features are harder without a server.
I am saying that for recovery apps specifically, where the data is the most sensitive thing you might ever store in software, the default should be local-first and account-less.
The users in that breach did not deserve what happened to them. They downloaded an app to get free of something. They were doing the right thing for themselves. Someone else's bad architectural choices made them pay for it.
This is not a thing the world will fix. The economics push every recovery app toward more data collection, not less. Investors want metrics. Marketers want segmentation. Engineers want analytics. Add up enough of those pressures and you get a database with 600,000 people's masturbation frequency in it, sitting on the internet with the lock off.
I built Escape so I would have one option in the world that did not work that way. You are welcome to use it. You are welcome to not use it. The point is that an option exists.
Where to read more
The privacy policy at escapethegrip.com/privacy is the authoritative version. Hedge-free, jurisdiction-by-jurisdiction. Long. Worth reading if you are the kind of person who reads privacy policies.
The companion posts:
- How do recovery apps handle privacy?, the broader landscape
- Why does this app not require an account?, the specific architectural choice
- How to evaluate any recovery app's privacy, what to look for in others
- On-device vs cloud, what changes, the deeper technical contrast
- Telemetry in recovery apps, what TelemetryDeck actually sends
And the app itself is at escapethegrip.com if you want to try it.
- Sam
Escape is a Safari content blocker, a 90-second urge ritual, practice games that retrain how you meet an urge, and 27 short courses on identity and the long arc of recovery. No account, no personal tracking.
