Privacy

Architecture, not policy.

If I could read what you write, I'd be a liability the moment someone asked. So I made it impossible. The keys are on your device. The server holds locked boxes. I hold nothing.

How it works

One trip. Only you can open it.

Picture writing a letter, putting it in a locked box, and being the only person with a key. Your phone does the locking before the box leaves. The server holds the box. Nobody can open it but you.

01
On device
You type.
The words exist in memory on your laptop or phone while you edit. They never leave in plaintext.
02
In transit
It is encrypted before it leaves.
A key derived from your passphrase encrypts the text in your browser. Only ciphertext travels over the wire.
03
At rest
The server stores a blob.
No key, no plaintext. Reading the file yields noise. Zero-knowledge by geometry, not policy.

Four guarantees

Four guarantees. Verifiable, not promised.

Your phone does the locking.

Each entry is scrambled with AES-256-GCM before it leaves. The server only ever sees ciphertext, never words.

I never see your password.

Your password is the key. It stays on your device. There's no master copy on my side, and no admin panel where I can peek.

The AI forgets as soon as it answers.

Messages to the AI get deleted by the AI company the second the reply is generated. No retention. No training. No "we may use anonymized" loophole.

No trackers where you write.

The chat and journal pages don't load analytics, ad pixels, or tag managers. The marketing pages do, so I can see what's working. The pages where you write stay quiet.

The trade-off

If you lose your password, your data is gone.

There's no "forgot password" button that gets your stuff back. That's the cost of being the only person who can read it. Pick a password you won't lose. Save the recovery code somewhere safe.

Technical appendix

The full technical version, for the people who want it.

If you're a security researcher, journalist, or engineer, this is the rest of the story. If not, the four cards above are the whole story.

Cipher: Journal entries and chat transcripts are encrypted with AES-256-GCM. Each payload has a unique 96-bit IV. GCM's authentication tag guards against tampering.
Key derivation: The data-encryption key is derived from your passphrase using PBKDF2 (310,000 iterations, SHA-256, 16-byte salt). The derivation happens in the browser; the passphrase never leaves your device.
Zero knowledge: The server sees ciphertext, IVs, and sync metadata (blob IDs, revision numbers). It does not see passphrases, keys, plaintext, or anything derived from plaintext.
Reflection requests: Messages sent to the AI travel over TLS 1.3 and are not written to disk. The AI provider is contractually forbidden from logging, retaining, or training on the content. Requests are proxied through a thin gateway that strips identifying headers before forwarding.
Retention: Journal entries live until you delete them. Reflection transcripts live on your device only. Account deletion purges ciphertext within 24 hours.
Crypto package: The cryptographic primitives and the client-side encryption layer live in a separate @mune/crypto package, kept narrow on purpose so it's small enough to reason about. The package isn't public yet; the full architecture is in /docs/architecture/passphrase-and-recovery.md.
Threat model: The model assumes a compromised server, a subpoena, and a curious operator. It does not, and cannot, protect against a compromised client (keylogger, malicious extension) or a weak password. Pick a strong one.
Subpoena posture: If a government asks, the most I can produce is ciphertext and account metadata (email, timestamps). A transparency report goes up the first time I receive a request.
Full architecture: The full design lives in the repo at /docs/architecture/passphrase-and-recovery.md. Every box, every arrow.

That's the architecture. Want to try it?

Mune is in pre-alpha. Get on the list and you'll hear when it opens.

Get on the list The in-depth version