How privacy works in Kept
Plain language, no jargon. This page is maintained by Kept and explains the technical privacy model — it isn't an independent audit or certification.
The promise, in one line
Kept stores your journal as ciphertext only. Nobody at Kept can read it. Nobody with database access can read it. A subpoena of our backend yields encrypted bytes — never your words.
Two secrets, two jobs
Your password proves to the server that you're you. It signs you in and is recoverable by email reset, like any normal account.
Your passphrase is different. It never leaves your browser. It's used locally to derive the key that decrypts your journal. We never see it, never store it, and physically cannot reset it.
Mental model: the password is the key to the building, and we hold a copy. The passphrase is the key to the safe inside your flat — only you have it, and we can't make another.
What we hold versus what only you hold
On our servers: your account, a public per-user salt, a wrapped (encrypted) data key, your encrypted entries, and your encrypted audio. All of that is useless without the passphrase.
Only in your head: the passphrase itself.
Only in your browser's memory, and only while the vault is unlocked: the data key that actually decrypts entries. It's discarded when you lock or close the tab.
Using Kept on more than one device
Sign in on your phone, your laptop, any browser — your entries follow you, because the encrypted blobs live on the server. Each new device asks you for your passphrase once, derives the key locally, and decrypts in place.
We never push the passphrase between devices, because we don't have it to push. You're the synchronisation mechanism.
Voice passphrase entry
On browsers where speech recognition is known to run fully on-device — Safari on macOS and iOS, and recent Chrome with the on-device flag — a microphone appears next to the passphrase field. The audio and the transcript stay on your device.
Everywhere else, the mic is hidden and the field is type-only. That's deliberate: we won't quietly route your passphrase through a cloud speech-to-text service.
Crisis support, stated honestly
Kept is not a medical, therapy, or crisis service. If you're in danger, please reach out to a local helpline.
A keyword tripwire runs in your browser, before your entry is encrypted and sent. If it matches, Kept surfaces local resources immediately. That check happens on your device — we still don't see the entry itself.
If you forget your passphrase
There is one — and only one — escape hatch: a recovery keyyou generate in Settings. It's a 24-character code that wraps a second, independent copy of your data key on the server. If you generate one, print it, and keep it somewhere safe (a drawer, a safe, a password manager), you can use it at /auth/recovery to unlock your vault and set a new passphrase. Using the key consumes it — you generate a fresh one afterwards.
If you never generated a recovery key and you forget your passphrase, your entries are unrecoverable. We physically cannot reset it, and your other devices can't either — the wrapped key on the server is just noise without either the passphrase or a valid recovery key.
Treat the passphrase like the only key to a safe, and the recovery key like the spare you lock in a different drawer.
Deleting your account
In Settings, Wipe deletes your entries, your audio, your vault metadata, and your authentication record. There is no soft-delete and no separate backup that Kept retains.
What this page is not
This is a plain-language explainer of how Kept is built. It isn't an independent certification, audit report, or claim of compliance with any specific standard or regulation.