We were curious, so we read the privacy policies of every couples app we could find. Most of them follow one of three patterns. None of them describe it this clearly.

Pattern 1: Stored in the clear, monetized

The free apps. Your messages, photos, and entries land on their server in plaintext. The company can read them. Their employees with admin access can read them. Their analytics tools can read them. If a third party buys the company, the new owner can read them.

How do they make money? Some sell ads against your activity. Some sell anonymized "engagement signals" to data brokers. Some are loss leaders for upsells. The exact model varies, but if you're not paying, your data is paying instead.

The privacy policies are usually 4,000 words long and bury this in section 7.

Pattern 2: Encrypted-at-rest, but they have the key

A step better. The data on the server is encrypted, so a casual breach exposes ciphertext instead of plaintext.

But the encryption key sits on the same server, or at least on infrastructure the company controls. Internally, they can decrypt anything they want — the encryption is mostly for "data at rest" compliance, not for keeping the company itself out.

This is the most common setup for paid apps that don't advertise end-to-end encryption. It protects against a thief stealing a hard drive. It does not protect against a subpoena, a curious engineer, or a future change in the company's business model.

Pattern 3: End-to-end encrypted, keys on your devices

The rare model. The encryption key is generated on your phone when you sign up and never leaves it. Anything you save is encrypted before it's sent. The server stores ciphertext. The company genuinely cannot read what's there.

The cost: if you lose your phone and don't have a backup of your key, your data is gone. The company can't recover it because they don't have the key. Some apps mitigate this with social recovery (your partner can re-grant access) or recovery phrases stored offline.

This is the pattern we picked for Arcov, and we wrote about why in more detail.

What to actually ask before you trust an app

If you're reading a couples app's privacy policy and want to figure out which pattern they use, three questions cut through the marketing:

1. "Can your employees read my messages and photos if they wanted to?" A clear "no" with technical detail (e.g., "the keys are on your device") = pattern 3. Anything hedged, vague, or about "policies and access controls" = pattern 1 or 2.
2. "What happens if a court orders you to hand over my account contents?" If they say "we'd comply with the order and provide what we have," they have the data. If they say "we don't have the keys, so we can't decrypt — we'd hand over ciphertext," that's pattern 3.
3. "How are you funded?" If the answer is ads or "data partnerships," the business model is at odds with your privacy. If it's a small subscription fee, the incentives line up.

Most apps will dance around these. The ones that answer plainly are the ones worth trusting.

Why this matters for couples specifically

For most apps, "your data" is browsing history or step counts. For a couples app, your data is the most intimate stuff you've ever written down — moods, fears, photos you wouldn't share with anyone else, the specific texture of your relationship.

That deserves a different bar.

If you're choosing a couples app, ask the three questions above before you put six months of your life inside it. And if your current app's privacy policy is vague on any of them, that's worth knowing.

We are going to be specific, because vague claims are how privacy-washing works.

What end-to-end encryption actually means

When you and your partner pair, your two phones generate a shared 256-bit encryption key. Each side derives one half of it on-device, and the key never gets sent to our servers — not on signup, not on backup, not ever.

So when you write something to your partner in Arcov, your phone wraps it in that key before it leaves your device. What travels from your phone to ours is a sealed envelope of ciphertext. We forward it to your partner's device, where their phone uses the matching key to unseal it. The whole time it sits on our servers, in our database, in our backups, it's gibberish that we can't read.

That's "end-to-end": encrypted at one end (your phone), decrypted at the other end (your partner's phone), and unreadable everywhere in between, including by us. Under the hood we use XChaCha20-Poly1305, the same family of authenticated encryption used by Cloudflare, WireGuard, and 1Password.

Exactly what we cannot see

This is the honest list. These fields are encrypted on your device before upload, with a key only your two phones hold:

• Memory Vault photos.
• Memory Vault voice notes.
• Memory Vault captions (the line you write under a photo).
• Photo thumbnails (we generate these on your device too, then encrypt them as a separate file).
• The free-text note you optionally attach to a mood check-in.
• Daily highlights — the one-line "best part of today" you share with your partner.
• Your answers to the shared daily question.

If a court ordered us to hand over the contents of any of those fields, we couldn't. The keys aren't ours to hand over. That's not a marketing promise — it's a property of the math.

Exactly what we can see (and why)

We're not going to pretend Arcov is invisible. Some things have to be readable on the server for the app to work at all. Here's the full list:

• Your email, display name, avatar, timezone, check-in time, push-notification token, and notification preferences. These power your account, partner-side rendering, scheduled reminders, and routing pushes to your phone.
• Your IP address when you connect, like every other server you talk to.
• The mood number you pick (1, 2, 3, 4, or 5). The optional note that goes with it is encrypted; the number itself is plaintext on purpose. If we encrypted the number, the partner-mood home-screen widget couldn't show your partner anything when they glance at their phone, the mood-match notification couldn't fire when you both check in, and weekly trend insights ("you both tend to feel great on Saturdays") would have to vanish too. We made a deliberate trade: numbers stay readable, words stay private.
• Metadata about activity, but not its contents. We can see that you wrote a highlight today, that you saved a memory, that you sent a buzz to your partner — but not what any of it says. A buzz has no content of its own — it's just a haptic ping — so "I sent a buzz at 3:14pm" is the entire story. The fact that a highlight or note exists is what powers the couple streak and the "shared a highlight every day this week" insight; we never read the words.
• Reactions and presence taps. The 🔥 emoji you tapped on your partner's memory and the "Good morning ☀️ / Good night 🌙" presence taps are plaintext — they're a single emoji or a single enum value, with no free text to encrypt.
• Aggregated usage stats, like "how many total users this week" — never tied to specific accounts, never sold.

That last one matters. We run on revenue from a small subscription fee — not from selling data. The whole reason we built Arcov as a paid app for two people is so we don't have to monetize what you say to each other.

Why on-device keys matter

You'll see a lot of apps claim they "encrypt your data." Most of them mean: they encrypt the data, and they hold the keys.

That kind of encryption protects you against someone breaking into the office and stealing the hard drives. It does not protect you against:

• A government request that the company decrypt your data and hand it over.
• A rogue employee with admin access.
• A breach where attackers get the keys along with the data.
• The company itself, if it ever decided to scan your messages to train an AI model, build a recommendation engine, or "improve the experience."

End-to-end encryption with on-device keys protects you against all of those, because the keys aren't on our servers in the first place.

What happens if you lose your phone

This is the part most "we encrypt everything" pitches skip past. When you hold the keys, you are responsible for them. We tried to soften that without breaking the math, so Arcov has two recovery paths:

Primary — your partner restores you. When you and your partner first set up encryption, your master seed is split into three pieces using Shamir's Secret Sharing. One piece lives on your phone, one on our server, and one is sealed to your partner's public key. Any two of the three can reconstruct your seed; no single party — including us — can do it alone.

So if you lose your phone, you sign in on a new one, tap "I lost my phone," and your partner gets a notification. They tap "approve" in their app, our server combines the partner-held share with the server-held share, and your encrypted content comes back within seconds. The math is what guarantees this is safe: even though our server holds one share, we can't recover anything without your partner's device also approving.

Fallback — a 12-word recovery phrase. For the rare case where both of you lose your phones at the same time, you can view a 12-word phrase (BIP39 standard) in Settings → Privacy & Security and write it down. With that phrase, you can restore on a new device without your partner's help. Without it and without your partner's device, your encrypted content really is gone — and yes, that's an inherent property of end-to-end encryption, not a flaw in Arcov. The whole point is that we don't have a master key to reset yours with.

Some apps handle this by keeping a backup key on their server. That's exactly what makes their "encryption" something they can decrypt. We don't.

Why we built it this way

Most apps for couples treat "your relationship data" as the product. The free ones sell it to advertisers. The paid ones store it on servers they could be compelled to turn over. Either way, the most intimate things you write to your partner are sitting on someone else's computer, readable.

That bothered us. So we built Arcov as the version we'd want to use ourselves — encrypted in a way where, if you don't trust us, you don't have to. The math protects you either way.

If that matters to you too, the beta is open. Free for the first 50 couples to pair up, 12 months free for the next 200. iOS and Android.

A short note on what this is for. I'll write about two things here:

• Privacy — why Arcov is end-to-end encrypted, where your keys live (on your device, not our servers), and why we don't sell data even though that's how most apps in our category make money.
• Couples and small rituals — what we're learning from people using the beta, what the research actually says about daily check-ins, and what we're trying ourselves.

No AI-generated filler. Just things worth writing down.

If you want to try the app, the beta is open.