Most apps say they're "secure" or "encrypted." Almost none of them tell you what that actually means in plain English. So here's what end-to-end encryption means in Arcov — exactly what's encrypted, exactly what isn't, why we drew the line where we did, and what happens if you lose your phone.
We are going to be specific, because vague claims are how privacy-washing works.
What end-to-end encryption actually means
When you and your partner pair, your two phones generate a shared 256-bit encryption key. Each side derives one half of it on-device, and the key never gets sent to our servers — not on signup, not on backup, not ever.
So when you write something to your partner in Arcov, your phone wraps it in that key before it leaves your device. What travels from your phone to ours is a sealed envelope of ciphertext. We forward it to your partner's device, where their phone uses the matching key to unseal it. The whole time it sits on our servers, in our database, in our backups, it's gibberish that we can't read.
That's "end-to-end": encrypted at one end (your phone), decrypted at the other end (your partner's phone), and unreadable everywhere in between, including by us. Under the hood we use XChaCha20-Poly1305, the same family of authenticated encryption used by Cloudflare, WireGuard, and 1Password.
Exactly what we cannot see
This is the honest list. These fields are encrypted on your device before upload, with a key only your two phones hold:
- Memory Vault photos.
- Memory Vault voice notes.
- Memory Vault captions (the line you write under a photo).
- Photo thumbnails (we generate these on your device too, then encrypt them as a separate file).
- The free-text note you optionally attach to a mood check-in.
- Daily highlights — the one-line "best part of today" you share with your partner.
- Your answers to the shared daily question.
- Daily letters — both the body text (up to 1000 characters) and the optional photo attached to a letter.
If a court ordered us to hand over the contents of any of those fields, we couldn't. The keys aren't ours to hand over. That's not a marketing promise — it's a property of the math.
Exactly what we can see (and why)
We're not going to pretend Arcov is invisible. Some things have to be readable on the server for the app to work at all. Here's the full list:
- Your email, display name, avatar, timezone, check-in time, push-notification token, and notification preferences. These power your account, partner-side rendering, scheduled reminders, and routing pushes to your phone.
- Your IP address when you connect, like every other server you talk to.
- The mood number you pick (1, 2, 3, 4, or 5). The optional note that goes with it is encrypted; the number itself is plaintext on purpose. If we encrypted the number, the partner-mood home-screen widget couldn't show your partner anything when they glance at their phone, the mood-match notification couldn't fire when you both check in, and weekly trend insights ("you both tend to feel great on Saturdays") would have to vanish too. We made a deliberate trade: numbers stay readable, words stay private.
- Metadata about activity, but not its contents. We can see that you wrote a highlight today, that you saved a memory, that you sent a buzz to your partner — but not what any of it says. A buzz has no content of its own — it's just a haptic ping — so "I sent a buzz at 3:14pm" is the entire story. The fact that a highlight or note exists is what powers the couple streak and the "shared a highlight every day this week" insight; we never read the words.
- Reactions and presence taps. The 🔥 emoji you tapped on your partner's memory and the "Good morning ☀️ / Good night 🌙" presence taps are plaintext — they're a single emoji or a single enum value, with no free text to encrypt.
- Aggregated usage stats, like "how many total users this week" — never tied to specific accounts, never sold.
That last one matters. We run on revenue from a small subscription fee — not from selling data. The whole reason we built Arcov as a paid app for two people is so we don't have to monetize what you say to each other.
Why on-device keys matter
You'll see a lot of apps claim they "encrypt your data." Most of them mean: they encrypt the data, and they hold the keys.
That kind of encryption protects you against someone breaking into the office and stealing the hard drives. It does not protect you against:
- A government request that the company decrypt your data and hand it over.
- A rogue employee with admin access.
- A breach where attackers get the keys along with the data.
- The company itself, if it ever decided to scan your messages to train an AI model, build a recommendation engine, or "improve the experience."
End-to-end encryption with on-device keys protects you against all of those, because the keys aren't on our servers in the first place.
What happens if you lose your phone
This is the part most "we encrypt everything" pitches skip past. When you hold the keys, you are responsible for them. We tried to soften that without breaking the math, so Arcov has two recovery paths:
Primary — your partner restores you. When you and your partner first set up encryption, your master seed is split into three pieces using Shamir's Secret Sharing. One piece lives on your phone, one on our server, and one is sealed to your partner's public key. Any two of the three can reconstruct your seed; no single party — including us — can do it alone.
So if you lose your phone, you sign in on a new one, tap "I lost my phone," and your partner gets a notification. They tap "approve" in their app, our server combines the partner-held share with the server-held share, and your encrypted content comes back within seconds. The math is what guarantees this is safe: even though our server holds one share, we can't recover anything without your partner's device also approving.
Fallback — a 12-word recovery phrase. For the rare case where both of you lose your phones at the same time, you can view a 12-word phrase (BIP39 standard) in Settings → Privacy & Security and write it down. With that phrase, you can restore on a new device without your partner's help.
Last resort — a mutual fresh start. If you've both lost your phones AND neither of you saved the recovery phrase, the encrypted content from before is genuinely unreadable — that's an inherent property of end-to-end encryption, not a flaw in Arcov. The whole point is that we don't have a master key to reset yours with. But you don't have to start over with new accounts: from inside the app, you and your partner can both opt into a "fresh start." Once both of you have explicitly confirmed, the encrypted vault state is reset together and a new pair key is generated. Anything you wrote before is gone; your accounts, pairing, and shared history of dates carry on. It takes both of you to do it — neither partner can wipe the other's vault unilaterally.
Some apps handle the "lost the key" case by keeping a backup key on their server. That's exactly what makes their "encryption" something they can decrypt. We don't.
Why we built it this way
Most apps for couples treat "your relationship data" as the product. The free ones sell it to advertisers. The paid ones store it on servers they could be compelled to turn over. Either way, the most intimate things you write to your partner are sitting on someone else's computer, readable.
That bothered us. So we built Arcov as the version we'd want to use ourselves — encrypted in a way where, if you don't trust us, you don't have to. The math protects you either way.
If that matters to you too, the beta is open. Free for the first 50 couples to pair up, 12 months free for the next 200. iOS and Android.