Private Mode keeps a subset of fields client-encrypted: only the holder can read them. It is used for entries marked 'private only', family-only heirlooms, and the reserved-for-myself pane.
Target: 2027Q2
Status: design
Scope
What Private Mode will and will not cover.
In scope
Entry bodies marked private-only
Voice memos marked private-only
Attachment body bytes (metadata stays server-readable)
Excluded by design
Public profile fields (visible by design)
Memorial page content (moderation requires server read)
Shared space content (group read requires server decrypt hints)
Trade-offs
Honest downsides.
Lost key = lost data. We publish a paper recovery-key ceremony before any field is opted into Private Mode.
Server-side search is unavailable on private fields. We offer client-side search with an opt-in index.
Cross-device sync requires user-held key material; we design for a 2-device minimum.
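To make the "body encrypted, metadata server-readable" boundary and the "lost key = lost data" trade-off concrete, here is an added sketch; it is not this product's implementation. AES-256-GCM, the record layout, the flat metadata object and every function name are assumptions for illustration.

```javascript
// Added example; not the product's code. Cipher choice, record layout and
// all names are assumptions. Uses Node's built-in crypto module only.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Stable serialization of flat metadata so both sides authenticate the same bytes.
function canonicalMeta(meta) {
  const sorted = {};
  for (const k of Object.keys(meta).sort()) sorted[k] = meta[k];
  return Buffer.from(JSON.stringify(sorted), "utf8");
}

// Client side: encrypt the body; metadata stays plaintext for the server but
// is bound to the ciphertext as additional authenticated data (AAD).
function sealAttachment(key, meta, body) {
  const nonce = randomBytes(12); // fresh per record; never reuse under one key
  const c = createCipheriv("aes-256-gcm", key, nonce, { authTagLength: 16 });
  c.setAAD(canonicalMeta(meta));
  const ct = Buffer.concat([c.update(body), c.final()]);
  return { meta, nonce, ct, tag: c.getAuthTag() };
}

// Returns the body, or null when the key is wrong or any field was altered.
function openAttachment(key, rec) {
  try {
    const d = createDecipheriv("aes-256-gcm", key, rec.nonce, { authTagLength: 16 });
    d.setAAD(canonicalMeta(rec.meta));
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]);
  } catch (_) {
    return null; // authentication failed: do not release partial plaintext
  }
}

// Constructed sample data: one attachment, one metadata edit, one lost key.
function demo() {
  const key = randomBytes(32); // user-held; never sent to the server
  const rec = sealAttachment(key, { name: "letter.pdf", size: 11 },
                             Buffer.from("hello world"));
  const ok = openAttachment(key, rec);
  const tampered = openAttachment(key, { ...rec, meta: { ...rec.meta, name: "other.pdf" } });
  const lostKey = openAttachment(randomBytes(32), rec);
  return { ok: ok && ok.toString(), tampered, lostKey, serverSeesName: rec.meta.name };
}
```

The server can index `rec.meta` as-is, but a metadata change made without the key is detected on open, and a record opened with any other key yields nothing.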
Why not now?
E2EE done badly is worse than no E2EE. We want moderation + legacy transfer paths to land first so Private Mode does not break them.
The recovery-key ceremony needs user-research validation with grief-counsellor input.
Key rotation UX for 20-year archives is not a solved problem; we will not ship until we have an answer we can defend.