Pennen · Writing
Where Is My Journal Data Stored?
Your private pages live in one of three places: only on your device, on the app maker's own servers, or in your own iCloud. The difference decides who can read them — so it's worth knowing how to tell.
Key takeaways
- Journal apps store data in one of three ways: on-device only, on the maker's own servers, or in your own personal iCloud — and that choice decides who can read your entries.
- "Encrypted" is not the same as "end-to-end encrypted." Only end-to-end encryption keeps the keys on your devices so the provider physically can't read your pages.
- By default, iCloud end-to-end encrypts 15 data categories; Advanced Data Protection raises that to 25, covering the CloudKit private databases apps use for journal data.
- Check the App Store privacy label and privacy policy: look for "your iCloud" vs the company's servers, the phrase "end-to-end encryption," and any AI "analyze/train" clauses.
- Pennen stores entries on-device and in your own iCloud private database with no Pennen servers, no analytics, no AI, and a passcode lock — private by structure, not just by promise.
Where does my journal app actually keep my data?
Every journaling app stores your entries in one of three architectures: on-device only, on the maker's own cloud servers, or in your own personal iCloud (or Google Drive) account. Which one your app uses determines whether the company can read what you write.
These aren't marketing distinctions — they're concrete differences in where the bytes physically sit and who holds the keys:
- On-device only: entries never leave your iPad or iPhone. Maximum privacy, but no backup and no sync — lose or wipe the device and the journal is gone.
- The maker's servers: the app runs its own cloud (often on Amazon Web Services or Google Cloud) and your entries sync through it. Convenient, but the company's infrastructure touches your data — and unless it's end-to-end encrypted, the company can technically read it.
- Your own iCloud: the app writes to your personal iCloud account using Apple's CloudKit, with no servers of its own. You get cross-device sync and backup without handing entries to a third party.
Most people never check which model they're trusting. The rest of this guide makes each one legible — and shows you how to verify it yourself.
What does "on-device only" storage mean?
On-device storage means your journal entries are written to your iPad or iPhone's local storage and nowhere else — no server, no cloud, no sync. It's the most private model and the most fragile.
Nothing leaves the device, so there is no company server to subpoena, breach, or train an AI on. The trade-off is brutal if it's the only option: there's no backup. A dropped iPad, a botched restore, or a factory reset takes the journal with it. There's also no way to read yesterday's page on a second device.
This is why most serious journaling apps don't stop at on-device — they pair local storage with a sync-and-backup layer. The honest question then becomes: where does that backup go, and who can read it? That's where the next two models diverge sharply.
What's the difference between the app maker's servers and my own iCloud?
On the maker's-servers model, your entries pass through and rest on infrastructure the company controls. On the own-iCloud model, the app writes straight into your personal Apple account and runs no servers at all. The second model removes the company as a middleman entirely.
Plenty of well-regarded apps use their own cloud responsibly. Day One, for example, syncs through its own servers and, when end-to-end encryption is enabled, encrypts entries on your device with the AES-256 cipher before they leave it — so that, as Day One puts it, "Day One employees will never be able to read encrypted entries" (Day One, End-to-End Encryption documentation, 2025). That's a strong posture. But note the dependency: a separate account, a separate company's infrastructure, and a feature you may have to turn on.
The own-iCloud model sidesteps all of that. Apps built on Apple's CloudKit store each user's data in a private database tied to that user's Apple Account. The developer never operates a server, never sees an account, and — for private CloudKit data with the right protections enabled — never holds the keys. Pennen, the iPad journaling app, uses exactly this model: entries live on your device and in your own iCloud private database, with no Pennen servers in between.
How are the three storage models compared?
The clearest way to choose is to line up who holds your data, who can read it, and what happens if you lose your device.
| Model | Where entries live | Who can read them | Backup & sync | Example |
|---|---|---|---|---|
| On-device only | Your device's local storage | Only you | None (lose device = lose journal) | Some offline-first apps |
| Maker's own servers | Company cloud (e.g. AWS/Google Cloud) | The company, unless end-to-end encrypted | Yes, via the company's account | Day One, Journey |
| Your own iCloud (CloudKit) | Your device + your personal iCloud private DB | Only you (no developer servers) | Yes, via your Apple Account | Pennen, Apple Journal |
None of these is universally "best" — but for a private diary, the own-iCloud model gives you sync and backup with the smallest number of parties who could ever read the pages: just you.
What does end-to-end encryption actually mean?
End-to-end encryption (E2EE) means your data is scrambled on your device with a key only your devices hold, so the company storing it — and anyone who breaches that company — sees only unreadable ciphertext. It's the difference between a vault you alone can open and a locker the staff has a master key to.
It helps to separate three things that sound similar:
- Encrypted in transit: protected while traveling over the network (standard HTTPS). Good, but the server still decrypts it on arrival.
- Encrypted at rest: stored in scrambled form on disk. Also good — but the provider holds the keys, so they (and anyone with legal or unlawful access to those keys) can decrypt it.
- End-to-end encrypted: the keys live only on your trusted devices. The provider physically cannot read the content. Even a full server breach yields nothing.
For a journal — the most candid thing many people ever write — E2EE is the property that actually matters. "Encrypted" alone, without "end-to-end," usually means the company can still read your pages. This is the same reasoning behind the case for a genuinely private page: a diary you self-censor isn't an honest one.
Is my data in iCloud end-to-end encrypted?
By default, iCloud encrypts everything in transit and at rest, and end-to-end encrypts 15 specific data categories. Turn on Advanced Data Protection and that rises to 25 categories — covering iCloud Backup, Photos, Notes, and the CloudKit private databases that apps like Pennen use.
Apple's own documentation is precise here. Under Standard Data Protection (the default), "your iCloud data is encrypted in transit and stored in an encrypted format at rest," and "15 data categories — including Health and passwords in iCloud Keychain — are end-to-end encrypted." Apple holds keys for the rest so it can help you recover them (Apple, iCloud data security overview, 2025).
Turn on Advanced Data Protection and "the number of data categories that use end-to-end encryption rises to 25," including iCloud Backup, Photos, Notes, and iCloud Drive (Apple, iCloud data security overview, 2025). With it enabled, no one else can access your end-to-end encrypted data — not even Apple. The catch worth knowing: Apple won't hold recovery keys either, so you must set up a recovery contact or recovery key first.
A few categories — iCloud Mail, Contacts, and Calendar — are never end-to-end encrypted, because they must interoperate with global email and CalDAV/CardDAV standards. Your private journal, written to a CloudKit private database, is not one of those exceptions.
How is journal data protected inside iCloud's CloudKit?
When a journaling app writes to your iCloud private database, CloudKit wraps it in a hierarchy of keys generated on your own device — and for end-to-end encrypted data, the private keys are never given to Apple's servers.
Apple's security documentation describes it directly: each container's private database is "protected by a key hierarchy, rooted in an asymmetric key called a CloudKit Service key," which is "unique to each iCloud user and generated on their trusted device." Crucially, "for end-to-end encrypted iCloud services, the relevant CloudKit service private keys are never made available to Apple servers" — they're created locally and moved between your devices through iCloud Keychain (Apple, CloudKit encryption, Apple Platform Security, 2025).
This is the architecture Pennen relies on. Your pages are written to your own CloudKit private database; Pennen operates no servers, runs no analytics, and no AI reads or trains on your entries. On top of Apple's encryption, the app adds its own passcode lock (stored in iCloud Keychain), so even physical access to the device hits one more door. The result is a journal that is private by structure, not just by promise.
How do I check where a journaling app stores my data?
Read the App Store privacy label, the app's privacy policy, and look for two specific phrases: whether sync uses "your iCloud" or the company's own servers, and whether content is "end-to-end encrypted." Vague language usually means the company can read your data.
A practical checklist before you trust an app with a diary:
- Open the App Store privacy label. On the app's listing, scroll to "App Privacy" and tap "See Details." Apple groups disclosures into categories such as Data Used to Track You, Data Linked to You, and Data Not Linked to You. A truly private journal should collect little or nothing tied to your identity (Apple, App privacy details on the App Store, Apple Developer, 2025).
- Check the storage model. Does the policy say it syncs through "your iCloud" / CloudKit, or through the company's servers? Both can be fine — but only the first means no third party holds your data.
- Look for "end-to-end encryption," not just "encrypted." If a server-based app doesn't offer E2EE, assume staff can technically read entries.
- Check for AI clauses. Search the policy for "analyze," "train," "machine learning," or "summarize." Some journals feed entries to AI features by default.
- Confirm there's a device-level lock — a passcode or Face ID — so a borrowed iPad doesn't expose everything.
If you want the unglamorous-but-safe answer, an on-device-plus-own-iCloud app with no servers and a passcode (Pennen, the iPad journaling app, is built this way) gives you sync, backup, and end-to-end-encryptable storage without putting your pages on anyone else's machine. For a fuller picture of the trade-offs, see our look at analog versus digital journaling and the best handwritten journal apps for iPad.
Frequently asked questions
Where is my journal app data actually stored?
In one of three places: only on your device, on the app maker's own cloud servers, or in your own personal iCloud account. The model determines who can read your entries. Apps built on Apple's CloudKit store data in your private iCloud database with no developer servers involved.
Is iCloud journal data end-to-end encrypted?
It can be. By default, iCloud end-to-end encrypts 15 data categories and encrypts the rest in transit and at rest. Turning on Advanced Data Protection raises end-to-end encryption to 25 categories, including the CloudKit private databases and iCloud Drive that hold app journal data.
What's the difference between "encrypted" and "end-to-end encrypted"?
"Encrypted" usually means protected in transit or at rest, with the provider still holding the keys — so they can decrypt it. "End-to-end encrypted" means only your trusted devices hold the keys, so the company storing your data, and anyone who breaches it, sees only unreadable ciphertext.
Can a journaling app company read my private entries?
If the app stores entries on its own servers without end-to-end encryption, yes — technically it can. If it uses end-to-end encryption (like Day One when enabled) or writes only to your own iCloud private database (like Pennen), the company cannot read your content.
How do I check where an app stores my data?
Open the app's App Store privacy label and tap "See Details," then read its privacy policy. Look for whether it syncs through "your iCloud" or the company's servers, whether it says "end-to-end encryption," and whether any clause mentions analyzing or training AI on your entries.
Where does Pennen store my journal?
On your device and in your own iCloud private database via Apple's CloudKit. Pennen runs no servers of its own, collects no analytics, and never lets AI read or train on your entries. A passcode lock stored in iCloud Keychain adds device-level protection.
Sources
- iCloud data security overview — Apple Support, 2025 — official counts: 15 end-to-end encrypted categories under Standard Data Protection, 25 with Advanced Data Protection; encrypted in transit and at rest by default; Mail/Contacts/Calendar exceptions. Verified.
- Advanced Data Protection for iCloud — Apple Platform Security — how ADP gives trusted devices sole access to keys and the recovery-key requirement.
- iCloud encryption (CloudKit) — Apple Platform Security — CloudKit private-database key hierarchy rooted in the CloudKit Service key, generated on a trusted device; service private keys never made available to Apple servers for E2EE data. Verified.
- CloudKit — iCloud — Apple Developer — CloudKit private databases store each user's iCloud data; the model Pennen and similar apps use.
- End-to-End Encryption FAQ — Day One, 2025 — confirms Day One syncs via its own servers and offers AES-256 (AES256-GCM) end-to-end encryption so employees can't read encrypted entries; cited fairly for the maker's-servers model. Verified.
- App privacy details on the App Store — Apple Developer — how App Store privacy labels classify data collection (tracking / linked / not linked), used for the how-to-check section.