Your Device Only
Your notes never leave this device. There is no login, telemetry, or remote database. All encryption, decryption, and storage happen locally in your browser.
Encryption
A unique 256-bit AES-GCM key is generated the first time you use the app, using the browser’s built-in WebCrypto API for high-entropy randomness. Each save operation uses a new 96-bit IV to ensure cryptographic freshness. The key never leaves your device and cannot be retrieved remotely.
Storage
Encrypted note data and timestamps are stored in your browser’s iDB. Only ciphertext is written, no plaintext or metadata is exposed. Clearing site data or using private-mode resets the key and removes all notes permanently.
Threat Model
This design protects against network interception, server breaches, and compromised HTTPS endpoints. It does not protect against local threats such as malware, keyloggers, or browser extensions capable of reading your DOM or clipboard.
Good Practice
- Use a modern browser and keep it updated
- Avoid risky extensions on this site
- Press Win +
L to lock your device when away
- Remember that clearing site data wipes the vaults
Transparency
No analytics, no remote scripts, no tracking pixels. The site enforces a strict Content Security Policy (CSP) and Subresource Integrity (SRI) on all assets. The full source is available for inspection, nothing hidden and nothing sent.
Shortcuts
Auto save runs shortly after you stop typing. Press
Ctrl +
S any time to save.
Version v0.8