Why We Built PileStack with Privacy First

When I started building PileStack, the first technical decision I made wasn't about the UI, the feature set, or even the pricing model. It was about where to store data.

The answer felt obvious to me, but it turned out to be one of the most consequential choices I'd make: data lives on the user's device, synced via iCloud — not on my servers.

What I noticed about existing apps

I'd been using Pocket for years. It's a well-built product. But somewhere along the way I started feeling uneasy about it — not because it did anything obviously wrong, but because of what it could do.

Every article I saved, every link I clipped, every reading pattern — all of it was stored on Pocket's servers. My reading habits were a product. The fact that a company could see exactly what I was interested in, how often I read, what topics I returned to — that bothered me more the longer I thought about it.

If you're not paying for the product, you are the product. But increasingly, even when you're paying, you might still be the product.

I'm not suggesting Pocket or any other app is doing something malicious. But I started to ask: does it have to be this way?

The iCloud-first decision

Apple's CloudKit gave me a way out. With CloudKit, data lives in the user's own iCloud account. I — as the developer — have zero access to it. I can't see what you've saved, I can't analyse your reading habits, and I can't sell that data to anyone because I simply don't have it.

This came with real tradeoffs. I can't do server-side search. I can't send personalised recommendations based on reading history. I can't build ML features trained on aggregate user data. Every "intelligent" feature has to work purely on-device.

For a lot of app developers, those are showstopper constraints. For me, they became design principles.

What this means in practice: When you delete PileStack, your data is gone from your device. When you disable iCloud sync, your data stops syncing. I have no copy of it anywhere. That's the guarantee — not a policy that could change, but an architectural reality.

Building features without your data

The most interesting engineering challenge was the daily resurface picks feature. I wanted PileStack to surface forgotten saves at the right moment — the kind of thing that feels almost magical when it works. Every other app does this with server-side ML trained on user behaviour.

I had to do it entirely on-device, with no telemetry, no feedback loop, and no knowledge of what you've saved.

The solution was a combination of recency weighting, save frequency signals, and a small amount of intentional randomness — all running locally on your iPhone. It's not as sophisticated as what a large engineering team with your full reading history could build. But it's yours, privately, without any of that data leaving your device.
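One way the on-device scoring described above could look, as an added Swift example that is not PileStack's own code. The `SavedItem` fields, the `dailyPicks` function, the weights, the 30-day time constant, the per-domain reading of "save frequency" and the day-derived seed are all assumptions made for illustration.

```swift
import Foundation

// Hypothetical local model of a saved item (field names are assumptions).
struct SavedItem { let id: String; let savedAt: Date; let domain: String }

// SplitMix64: a small deterministic generator, so one day's picks can be
// recomputed on the device from the seed alone, with nothing stored or sent.
struct SplitMix64: RandomNumberGenerator {
    var state: UInt64
    mutating func next() -> UInt64 {
        state &+= 0x9E3779B97F4A7C15
        var z = state
        z = (z ^ (z >> 30)) &* 0xBF58476D1CE4E5B9
        z = (z ^ (z >> 27)) &* 0x94D049BB133111EB
        return z ^ (z >> 31)
    }
}

// Pure function over data already on the device: no network call, no
// telemetry, no feedback loop. The 0.6 / 0.2 weights, the 30-day time
// constant and the 0..<0.2 jitter range are illustrative assumptions.
func dailyPicks(from items: [SavedItem], now: Date, count: Int, seed: UInt64) -> [SavedItem] {
    var rng = SplitMix64(state: seed)
    // Save-frequency signal (assumed): number of saves sharing the item's domain.
    let perDomain = Dictionary(grouping: items, by: { $0.domain }).mapValues { $0.count }
    let maxPerDomain = Double(perDomain.values.max() ?? 1)
    let scored = items.map { item -> (SavedItem, Double) in
        let ageDays = max(0, now.timeIntervalSince(item.savedAt) / 86_400)
        // Recency weighting (assumed direction): older saves count as more forgotten.
        let forgotten = 1 - exp(-ageDays / 30)
        let frequency = Double(perDomain[item.domain] ?? 1) / maxPerDomain
        let jitter = Double.random(in: 0..<0.2, using: &rng)
        return (item, 0.6 * forgotten + 0.2 * frequency + jitter)
    }
    return scored.sorted { $0.1 > $1.1 }.prefix(count).map { $0.0 }
}

// Constructed sample data; ids and domains are placeholders.
let now = Date(timeIntervalSince1970: 1_700_000_000)
let day = 86_400.0
let items = [
    SavedItem(id: "a", savedAt: now.addingTimeInterval(-200 * day), domain: "example.com"),
    SavedItem(id: "b", savedAt: now.addingTimeInterval(-2 * day), domain: "example.com"),
    SavedItem(id: "c", savedAt: now.addingTimeInterval(-90 * day), domain: "example.org"),
    SavedItem(id: "d", savedAt: now.addingTimeInterval(-1 * day), domain: "example.net"),
]
// Seeding from the day number keeps the picks stable within a day.
let seed = UInt64(now.timeIntervalSince1970 / day)
print(dailyPicks(from: items, now: now, count: 2, seed: seed).map { $0.id })
```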

The business model had to match the values

Privacy-first also meant rethinking monetisation from scratch. Ads were obviously out — you can't run ads without knowing something about users. Usage-based pricing was out too, since I'd need to track usage. The only honest model was a flat subscription: you pay for the app, the app works for you, full stop.

This is also why RevenueCat for subscription management was an easy choice — they only handle subscription state, not user data. The privacy model stays intact all the way down the stack.

The honest pitch: PileStack costs $2.99/month or $17.99/year. That's it. There's no freemium trap, no upsell dark patterns, no data harvesting quietly happening in the background. You pay, you get the app, your data is yours.

What privacy-first actually costs you

I want to be honest: there are things PileStack can't do because of this architecture, and probably never will.

Cross-device sync requires iCloud — if you don't have an Apple ID or iCloud storage, sync won't work. Server-side features like AI-powered categorisation or personalised recommendations aren't possible without data leaving your device. Sharing collections publicly isn't something I can build without a backend.

These aren't bugs. They're the honest cost of the privacy model. I think most users will find the tradeoff worth it. Some won't — and that's fine.

Why this matters more than ever

We're living through a moment where it's becoming clear that the "free in exchange for your data" model has costs that weren't apparent at the start. We're more aware of filter bubbles, of how interest graphs get sold, of how "personalisation" can slide into manipulation.

I'm one developer building one small app. I can't fix any of that. But I can build a tool that opts out of the whole model — one where the only thing that matters is whether the app is useful enough that you'll pay for it honestly.

That's the bet PileStack is making.