You can't leak users' data if you don't hold it

# · 🔥 463 · 💬 162 · one month ago · seancoates.com · todsacerdoti · 📷
We adopted user privacy as a core value, and how we think about this informs many other decisions we make with the app and the whole ecosystem handling our users' data. We need to build trust with our users so they can believe what we say when it comes to how we handle their data; we need to protect our users from mistakes we might make; and even if we are competent enough to prevent a leak from ever happening, and even if our users trust us to do what we say, we must be resilient to being strong-armed by a future controlling power. "We can have the best intentions, but we can't always rely on those intentions. If one of our users' data became valuable to an evil nation state and they kidnapped my family, I'll be honest, I'd probably have to hand over the data." Given these criteria and extremes, we decided that our best course of action is to just never have our users' private data. In the future, we may allow users to opt in to self-identifying, but even then we'll continue to be careful about never collecting private data. We store data for users, here, but to us it looks like random noise, never like a photo of whatever it is you're storing a photo of. Right now the app has backup/restore functionality and we expect users to use that to protect themselves from data loss.