The Panel of 12: what happened when I stress-tested my app against real life

I built Tarn because I believed period tracking apps had a security problem. Most of them do. They harvest data, phone home to analytics services, and store your most intimate health information in ways that make it trivially accessible to anyone with a subpoena, a shared iCloud account, or five minutes alone with your unlocked phone.

So I built the opposite. PIN-encrypted. Zero network calls. Self-destruct on brute force. Duress PIN. No telemetry. No cloud. Everything stays on the device, locked behind Argon2id key derivation with 64MB memory cost.

I was proud of it. Then I showed it to people.

The method

I created 12 customer profiles. Not personas — personas are marketing fiction. These were deeply researched composites built from real forum posts, clinical literature, domestic violence advocacy resources, and conversations with people who'd actually been in the situations I was designing for. Each profile had a name, an age, a life context, and a reason to care about privacy.

I walked each profile through three timeframes: first use, one month in, one year later. What breaks on day one is different from what breaks on day ninety. And what breaks at a year is usually the thing that makes someone quietly uninstall and never come back.

The ages ranged from 14 to 55. The situations ranged from "curious college student" to "hiding a pregnancy from a partner who checks her phone."

Here's who they are.

Maria (19, college student in Texas) stayed out of fear, not satisfaction.
Priya (32, abusive partner monitoring her phone) was saved by the duress PIN but nearly exposed by system-level disguise gaps.
Sarah (45, perimenopause) entered her PIN roughly 700 times a year and nearly lost everything to a failed attempt counter she didn't know existed.
Fatima (26, conservative family, trying to conceive) found best-in-class privacy wrapped around a mediocre tracker.
Jen (38, power user migrating from Clue, living with PMDD) got a secure container for shallow data.
Aisha (22, journalist and activist) found a timing side channel in the duress PIN response.
Linda (55, nurse and mother of teens) couldn't recommend the app to her own kids.
Kayla (16, downloading her first period tracker) gave it 30 seconds.
Dr. Elena (48, OB/GYN) praised the privacy model and called the data architecture undergraduate-level.
Mei (29, PCOS) saw something small enough and principled enough to actually change.
Dakota (24, non-binary, transmasc on testosterone) found an app whose gap was assumption, not hostility.
Rachel (41, DV survivor) said it was designed by people who understand threat models, not by people who've lived them.

Each of them gets their own post in this series. Each of them broke something I thought was finished.
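Three of the findings above are really one piece of code: the duress PIN that saved Priya, the timing side channel Aisha found in its response, and the failed-attempt counter Sarah never knew was counting. The sketch below is an added illustration, not Tarn's code. It assumes a stand-in key derivation (stdlib PBKDF2 so it runs with no dependencies; the app's Argon2id with its 64 MB cost would take its place), a constructed iteration count, and a constructed maximum of ten failures. The leaky version checks the real PIN first and returns early, so a duress entry always takes measurably longer; the hardened version runs the same fixed sequence for every outcome and also hands the remaining-attempt count back to the caller so the lock screen can show it instead of silently counting down.

```python
import hashlib
import hmac
import os

# Example, not Tarn's code. Stand-in KDF: Tarn uses Argon2id with a 64 MB
# memory cost; stdlib PBKDF2 is used here only so the snippet runs without
# third-party packages. What the timing argument needs is that the KDF's cost
# is fixed by its parameters, never by which PIN was typed.
KDF_ITERATIONS = 20_000   # constructed value, not the app's setting
DERIVED_LEN = 64          # first 32 bytes: vault key, last 32 bytes: stored verifier


def derive(pin: str, salt: bytes) -> bytes:
    """One fixed-cost KDF call whose output is split into a vault key and a verifier."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=DERIVED_LEN)


class PinStore:
    """What is persisted on device: a salt, two verifiers (real and duress PIN)
    and the failed-attempt counter that drives self-destruct. Vault keys are
    never stored; they are re-derived from whichever PIN is entered."""

    def __init__(self, real_pin: str, duress_pin: str, max_failures: int = 10):
        self.salt = os.urandom(16)
        self.real_verifier = derive(real_pin, self.salt)[32:]
        self.duress_verifier = derive(duress_pin, self.salt)[32:]
        self.max_failures = max_failures   # constructed default, not the app's setting
        self.failures = 0
        self.wiped = False


def unlock_leaky(store: PinStore, pin: str):
    """The shape of the defect: check the real PIN first and return early, then
    check the duress PIN. The duress path always does strictly more work, and
    the plain == compare stops at the first differing byte, so response time
    reveals which PIN was entered."""
    derived = derive(pin, store.salt)
    if derived[32:] == store.real_verifier:        # early return, variable-time compare
        return ("real", derived[:32])
    if derived[32:] == store.duress_verifier:
        return ("duress", derived[:32])
    return ("fail", None)


def unlock(store: PinStore, pin: str):
    """Hardened form. Every outcome runs the same sequence: one KDF call, two
    constant-time comparisons that are both always evaluated, one counter
    update. Returns (status, vault_key) on success, (status, remaining) on
    failure, ("wiped", None) once the self-destruct threshold is reached."""
    if store.wiped:
        return ("wiped", None)
    derived = derive(pin, store.salt)
    key, verifier = derived[:32], derived[32:]
    is_real = hmac.compare_digest(verifier, store.real_verifier)
    is_duress = hmac.compare_digest(verifier, store.duress_verifier)   # never skipped
    if is_real or is_duress:
        store.failures = 0                   # a correct PIN resets the counter (Sarah's 700 entries a year)
        return ("real" if is_real else "duress", key)
    store.failures += 1
    remaining = store.max_failures - store.failures
    if remaining <= 0:
        store.wiped = True                   # self-destruct threshold reached
        return ("wiped", None)
    return ("fail", remaining)               # surfaced so the lock screen can show it


if __name__ == "__main__":
    store = PinStore("2468", "1357", max_failures=3)   # constructed PINs
    print(unlock(store, "2468")[0])   # real
    print(unlock(store, "1357")[0])   # duress
    print(unlock(store, "0000"))      # ('fail', 2)
```

The key returned on a duress entry is the decoy vault's key, derived from the duress PIN by the same call that derives the real one, so the caller opens whichever container matched with identical code. That matters as much as the comparison: if the duress branch went on to wipe data or build a decoy on the fly, the extra work would reopen the side channel after the comparison had been fixed.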

The fundamental tension

Here's what I didn't understand when I started: Tarn is a security product that happens to track periods. But users need a period tracker that happens to be secure. Security is why they choose it. Tracking is why they open it every day. And the tracking experience ranges from adequate to fundamentally broken depending on whose body we're talking about.

If your cycles are regular, 28-ish days, predictable — the app works. If you're perimenopausal, on testosterone, managing PCOS, or 14 years old with cycles that show up whenever they feel like it, the app doesn't just underperform. It fails in ways that feel like rejection.

What broke everywhere

Some problems showed up in six or more profiles. That's not an edge case. That's a pattern.

Safety features are buried in settings. The duress PIN, the self-destruct threshold, screenshot prevention — these are survival tools hidden behind three taps and a scroll. Priya shouldn't have to explore a settings menu to find the feature that keeps her safe.

Symptoms are binary. You either have a headache or you don't. There's no severity, no spectrum. For Jen tracking PMDD, for Mei tracking PCOS flares, for Dr. Elena trying to see clinical patterns — boolean symptoms are architecturally too shallow. Not a UI problem. A data model problem.

PIN entry on every app switch. Background the app for two seconds to check a text, come back, enter your PIN again. Sarah does this 700 times a year. Security that punishes the user eventually gets bypassed by the user.

No clinical export. Dr. Elena can't use any of this data. Fatima can't share cycle history with her fertility specialist. The information exists but has no way out of the app.

Stats are empty for months. You need three or more cycles before predictions appear. Nobody tells you that. You just stare at a blank screen wondering if the app is broken.

No medication tracking. For Mei on metformin, for Dakota on testosterone, for Jen managing PMDD — medication is inseparable from cycle data. Tarn treats them as unrelated.

What V2 looks like

Six design decisions came out of this process.

First: threat-model selector during onboarding. Four quadrants. One tap configures security defaults, PIN timeout, duress PIN visibility, self-destruct thresholds — all of it. No settings menu archaeology.

Second: cycle profile system. Regular. Irregular. Changing or stopping. I don't know yet. The app adapts its predictions, its empty states, and its language based on what your body is actually doing.

Third: symptom severity. Boolean becomes a 1-to-5 scale. This isn't a feature request. It's a data architecture change that touches the database schema, the prediction engine, and every chart in stats.

Fourth: clinical export. PDF and CSV. Formatted for a doctor's appointment. Shareable, deletable, and generated on-device.

Fifth: functional calculator disguise. The app looks and works like a real calculator. Actual math. Your PIN is entered as an equation. The current disguise is a skin. This is a second identity.

Sixth: compassionate failure states. When you enter the wrong PIN with shaking hands, you don't need a cold countdown timer. You need clear feedback, generous touch targets, and a pace that matches the worst moment of your day.

The hardest lesson

The people who need this app most — DV survivors, people in hostile jurisdictions, trans users facing legislation, teenagers in restrictive households — are the ones the current UX serves least well. They're the ones who can't afford to dig through settings. They're the ones entering PINs with adrenaline in their blood. They're the ones whose bodies don't fit the default model.

Security without usability isn't security. It's an obstacle course that only the technically literate can navigate.

V2 is about making security invisible so the app can be what people actually need — a health tool they use every day, built by someone who listened when 12 strangers told him everything that was wrong with it.

They were right. All of them.

This is the first post in a 13-part series. Each of the 12 profiles gets their own deep dive. Links will be added as they publish.