Private Mode keeps a subset of fields client-encrypted: only the holder can read them. Used for entries marked 'private only', family-only heirlooms, and the reserved-for-myself pane.
Target: 2027Q2
Status: design
Honest posture. If we can't keep a promise yet, we say so here first.
Scope
What Private Mode will and will not cover.
In scope
Entry bodies marked private-only
Voice memos marked private-only
Attachment body bytes (metadata stays server-readable)
Excluded by design
Public profile fields (visible by design)
Memorial page content (moderation requires server read)
Shared space content (group read requires server decrypt hints)
Trade-offs
Honest downsides.
Lost key = lost data. We publish a paper recovery-key ceremony before any field is opted into Private Mode.
Server-side search is unavailable on private fields. We offer client-side search with an opt-in index.
Cross-device sync requires user-held key material; we design for a 2-device minimum.
Why not now?
E2EE done badly is worse than no E2EE. We want moderation + legacy transfer paths to land first so Private Mode does not break them.
The recovery-key ceremony needs user-research validation with grief-counsellor input.
Key rotation UX for 20-year archives is not a solved problem; we will not ship until we have an answer we can defend.