Privacy you can verify by architecture, not just by promise.
When sync is enabled, a 256-bit key is derived from your passphrase on your device using a memory-hard KDF. Every note is encrypted with an authenticated cipher (XChaCha20-Poly1305) before it leaves the device. Our relay receives, stores and forwards only ciphertext.
Your passphrase and your key never reach our servers. We can’t decrypt your notes, hand them over in readable form, or lose them in a breach in any usable form. Account credentials are stored separately from note data and never unlock note contents.
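The pipeline the two paragraphs above describe, as an added worked example (this is not NoteWright’s code). It is stdlib-only so it runs offline: XChaCha20-Poly1305 is implemented in pure Python below (a production client would call libsodium/PyNaCl instead), and hashlib.scrypt stands in for the memory-hard KDF, which the page does not name (assumption). The passphrase, salt, note id and note text are constructed sample values.

```python
# Added example (not NoteWright's code): passphrase -> 256-bit key -> XChaCha20-Poly1305 -> relay.
# Stdlib-only so it runs offline: the AEAD is implemented in pure Python below (production code
# would use libsodium/PyNaCl); hashlib.scrypt stands in for the unnamed memory-hard KDF (assumption).
import hashlib, hmac, os, struct

M32 = 0xFFFFFFFF
_CONST = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M32

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):
    """20 ChaCha rounds (10 column + diagonal double rounds) on a 16-word state."""
    s = list(state)
    for _ in range(10):
        _quarter(s, 0, 4, 8, 12); _quarter(s, 1, 5, 9, 13); _quarter(s, 2, 6, 10, 14); _quarter(s, 3, 7, 11, 15)
        _quarter(s, 0, 5, 10, 15); _quarter(s, 1, 6, 11, 12); _quarter(s, 2, 7, 8, 13); _quarter(s, 3, 4, 9, 14)
    return s

def _chacha20_block(key, counter, nonce12):
    init = [*_CONST, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    return struct.pack("<16I", *((a + b) & M32 for a, b in zip(_rounds(init), init)))

def _chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def hchacha20(key, nonce16):
    """HChaCha20: 32-byte subkey from key and the first 16 nonce bytes (no final addition)."""
    s = _rounds([*_CONST, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)])
    return struct.pack("<8I", *(s[:4] + s[12:]))

def _poly1305(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _tag(key, nonce12, aad, ct):
    """Poly1305 tag over pad16(aad) || pad16(ct) || len(aad) || len(ct), keyed by block 0 (RFC 8439)."""
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    otk = _chacha20_block(key, 0, nonce12)[:32]
    return _poly1305(otk, pad(aad) + pad(ct) + struct.pack("<QQ", len(aad), len(ct)))

def chacha20poly1305_encrypt(key, nonce12, aad, pt):
    ct = _chacha20_xor(key, 1, nonce12, pt)
    return ct + _tag(key, nonce12, aad, ct)

def chacha20poly1305_decrypt(key, nonce12, aad, blob):
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce12, aad, ct)):
        raise ValueError("authentication failed: ciphertext or AAD was modified")
    return _chacha20_xor(key, 1, nonce12, ct)

def xchacha20poly1305_encrypt(key, nonce24, aad, pt):
    # XChaCha: HChaCha20 subkey from nonce[:16], then IETF ChaCha20-Poly1305 with nonce 0^32 || nonce[16:]
    return chacha20poly1305_encrypt(hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:], aad, pt)

def xchacha20poly1305_decrypt(key, nonce24, aad, blob):
    return chacha20poly1305_decrypt(hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:], aad, blob)

def derive_note_key(passphrase, salt):
    """256-bit key derived on the device; scrypt is a stand-in for the page's unnamed memory-hard KDF."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def seal_note(key, note_id, text):
    nonce = os.urandom(24)  # 192-bit nonce, safe to pick at random per note
    # note_id bound as AAD: a blob moved to another note id fails authentication
    return nonce + xchacha20poly1305_encrypt(key, nonce, note_id.encode(), text.encode())

def open_note(key, note_id, blob):
    return xchacha20poly1305_decrypt(key, blob[:24], note_id.encode(), blob[24:]).decode()

def demo():
    """Returns (text read back, plaintext visible in relay storage?, tampered blob rejected?)."""
    salt = b"constructed-salt"  # constructed; a real client stores a random per-account salt
    key = derive_note_key("correct horse battery staple", salt)
    relay_store = {}  # all the relay ever holds: note id -> opaque bytes
    relay_store["n1"] = seal_note(key, "n1", "Dentist Tuesday 3pm")
    stored = relay_store["n1"]
    tampered = bytearray(stored); tampered[-1] ^= 1  # flip one bit of the tag
    try:
        open_note(key, "n1", bytes(tampered)); rejected = False
    except ValueError:
        rejected = True
    return open_note(key, "n1", stored), b"Dentist" in stored, rejected
```

Two things the paragraph alone does not show: the relay’s entire view of a note is `nonce || ciphertext || tag`, so a breach of the store yields nothing readable, and the Poly1305 tag makes any modification by the relay (including swapping a blob to a different note id, which is bound as associated data) fail on the client before any plaintext is produced. The pure-Python ChaCha20 is for illustration of the construction; it is slow and not constant-time, which is why real clients use libsodium.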
All connections use TLS 1.3. The web app is served over HTTPS with HSTS, and sync runs over a forward-secret channel; the note encryption described above is applied independently, inside that channel, so the transport is never the only layer protecting note contents.
Local note storage is encrypted at rest with a device key. Signing out removes the key and the local cache. We collect no analytics on note content — there is nothing readable to collect.
Found a vulnerability? We’d genuinely like to hear from you. Email security@notewright.app with details and we’ll respond quickly. We don’t pursue good-faith researchers.