Baxnet Blog · founder-note
Trust Has to Be Inspectable
TL;DR: Trust is easier to earn when the product gives users and reviewers something concrete to inspect.
Another question that comes up a lot with Mimoto is simple to ask and hard to answer well:
How do you earn the user’s trust when the product touches private message data?
Part of the answer is the architecture. Part of it is the copy. But a big part is the distribution path and the constraints we deliberately accept.
Mimoto is distributed through the App Store, not as a random download from the internet. That choice adds friction. It means review cycles, privacy declarations, sandbox rules, and permission language that can be challenged before the product reaches users.
That process is not perfect, and it is not a substitute for building the product responsibly. But it does create useful obstacles. Apple can ask why a permission is needed. The review team can reject flows that do not explain themselves clearly enough. The privacy details have to say what data the app collects and how it is used. Those requirements force product decisions that are easy to avoid when the only standard is “trust us.”
For a normal app, some of those decisions are obvious. You might add analytics. You might add a server connection for diagnostics. You might track which buttons people click, where they get stuck, how often they return, and which screens fail.
For Mimoto, that would create the wrong trust boundary.
On macOS, apps can request sandbox entitlements for network access, including outgoing and incoming server connections. Mimoto does not request those entitlements. If we are saying that message analysis happens on device and does not require external servers, the product should be constrained in a way that supports that claim.
The proof is partly in what the app is not allowed to do.
That matters because privacy promises are easy to write and hard for users to verify. A stronger promise is one the system can make inspectable: no server dependency, no outbound analytics path, no hidden product telemetry around private message analysis.
There is a cost to that.
We do not get the normal analytics loop that many product teams rely on. We cannot quietly measure every usage path. We do not get to see which reports people open most often, which buttons they hesitate on, or where they abandon a workflow. We rely on the limited reporting that Apple provides through App Store Connect, plus direct user feedback.
That is less convenient for the business. It is cleaner for the user.
The same principle applies to permissions. Mimoto needs access to sensitive local material to do its job. Contacts can help link people to message history. The Messages folder is the source material for the analysis. Those should be explicit gates, not background assumptions.
Where we can offer an alternative, we should. Contact access is useful, but a user can also manually link contacts if they prefer. That route is more work. It is not the slickest version of the product. But it respects the fact that some users will want a narrower permission boundary even if it costs them convenience.
This is the shape of the tradeoff: product decisions weighted toward earning trust, even when they remove advantages a business would normally want.
I also think users should feel comfortable auditing apps themselves. Tools like Little Snitch exist because network behavior should not be invisible. If someone wants to check that Mimoto is not phoning home, we should welcome that. I would encourage people to do that with any application that handles sensitive personal material.
That is not adversarial. It is healthy.
The internet has made people used to vague privacy reassurance. Sensitive products need something better. They need constraints the user can understand, permissions the user can decline, and claims that line up with how the app is actually packaged and allowed to run.
Mimoto is still a young product, and trust is not earned by one distribution choice or one privacy page. It is earned over time, by making the same kind of decision repeatedly.
Sometimes that means choosing the harder route.
Further reading: Apple App Store Review Guidelines, Apple App Privacy Details, Apple App Sandbox documentation, and Little Snitch.