The app can't read your messages. Neither can we.
A plain-language overview of what is protected, what still has to be stored so the app works, and where to be thoughtful.
What's encrypted on your device
End-to-end encrypted
Messages, journal entries, shared reflections, survey answers, promises, mood notes — every piece of content you write in SharedCalm is encrypted on your device before it leaves your phone. We use modern, standard public-key cryptography (TweetNaCl: X25519 key exchange + XSalsa20-Poly1305 authenticated encryption). We hold only ciphertext and nonces.
Smart Rewrite exception. If you tap Smart Rewrite on a draft, that one draft is sent in readable form to our cloud rewriter so it can suggest softer wording. We don't store the draft or the suggestion on our servers.
Metadata also encrypted
Sensitive metadata that used to be visible to the database is now encrypted per connection, too — including many of the small structured signals around each message, like what kind of moment it is and how it was acknowledged.
For encrypted message content and sensitive interaction details, the server stores ciphertext or minimal routing data — not the underlying words.
What stays in plaintext (and why)
Account routing
To deliver messages, we keep your account email, your public key and password-wrapped master key, your connection codes, and which two accounts are paired.
If we were served a subpoena, the most we could turn over is which two accounts are connected and when. Not what you said.
Quiet notifications
We need device push tokens to send notifications. Notifications never carry the message — they just say "something is here for you" and bring you back to the app, where the message decrypts with your local key.
Your partner's words never travel across someone else's notification servers in readable form.
How we limit damage if something goes wrong
Periodic key rotation
Encryption keys rotate quietly over time. Older keys may be pruned from your device to limit damage from a future compromise.
If you want long-term access across reinstalls or device changes, export an encrypted backup from Profile. Without that backup, some old encrypted history may become unreadable — and that is part of the privacy tradeoff.
App lock
On your phone, the app can require Face ID, fingerprint, or your passcode to open. Locally stored keys are protected by the system keystore. Treat the web app as a softer surface — use the installed app for sensitive history.
Row-level isolation
The database enforces, at the row level, that a signed-in account only sees its own data and rows shared with it by an accepted partner. Every release runs an automated test that tries to break this isolation. We do not claim a perfect score — the test is a regression gate, not a substitute for an independent audit.
Encrypted backup
Export an encrypted backup from your Profile if you might replace your device. Restore on the new one with your passphrase and keep reading history. Without backup, a reinstall means lost history — and that's by design.
Right to delete
Account deletion removes your profile, your private journal, and your half of any shared records on our servers. Content already delivered to your partner's device stays under their control until they delete it.
No third-party tracking
No third-party tracking scripts. No ad networks. We don't sell your data. We don't have a relationship score to sell.
Calm with the receipts.
Read the full privacy policy or download the app and see for yourself.