A privacy threat model for couples

When you think about 'privacy,' you're probably thinking about the wrong threat. A simple framework for figuring out what your couples-app data actually needs to be protected from.

An antique key resting on dried lavender — the question of what's worth locking, and from whom.

When most people think about "privacy" in an app, they're imagining a single threat: a faceless hacker stealing data. That threat is real, but it's also the least likely one for the most intimate things in a relationship app.

A more useful framing — borrowed from how security people think — is a threat model. It's a fancy name for a simple question: who, specifically, are you keeping this data away from?

If you can answer that, you can pick tools that actually work for your situation. If you can't answer it, you'll either over-spend on protections you don't need or under-protect against the threat that actually matters.

The four threats most couples should think about

When we designed Arcov, we kept four kinds of threats in mind. They overlap, but they have different shapes.

1. A future stranger

This is the threat most apps think about: a hacker who breaks into the company's servers and dumps the database. It's also the rarest threat, in the sense that it happens to most people approximately once a decade.

Mitigations: encryption at rest, secure infrastructure, pen-tests, etc. Standard server-side hygiene. Almost any paid app does this acceptably; many free apps don't.

The thing this threat doesn't reach: the company's own employees. If the data is encrypted with a key the company holds, a stranger can't read it, but the company itself can.

2. A future ex

This one is under-discussed. The person who knows the most about your relationship, your fears, your bad days, is your partner. If the relationship ends badly, the most realistic threat to your private data is them.

Most relationship apps store both partners' data in a shared account. After a breakup, that's a single login that exposes everything one partner ever wrote.

Mitigations:

  • Per-user encryption keys, so even within a paired account, your private moods/notes aren't readable by your ex without your device.
  • Account split features that let one partner cleanly remove themselves and take their data with them.
  • Practical paranoia: don't write things in a couples app you wouldn't be OK with your ex reading. Even with great encryption, devices get unlocked.

In Arcov, we treat the pair as two devices, not one account — so each person's private side stays on their phone.

3. A future government

This sounds dramatic, but it's a real consideration in some jurisdictions and for some kinds of relationships. If your government changes its mind about your relationship, the data on a server controlled by a US-based or other-jurisdiction company may be subject to subpoena.

Mitigations:

  • End-to-end encryption with on-device keys (the company can't decrypt even with a court order — they can hand over ciphertext, that's all).
  • Data minimization (the company doesn't keep what it doesn't need).
  • Jurisdiction-aware hosting, but this is a thinner protection than people think.

For most US couples, this threat is theoretical. For couples in other jurisdictions — especially LGBTQ+ couples in places where rights are contested — this threat is operational.

4. A future you

The least dramatic, most certain threat: future-you will forget about this app in five years. The account will sit somewhere with a password you don't remember. The company may pivot, get acquired, or change its policies. You won't notice.

Mitigations:

  • Easy export, so you can periodically take your stuff out.
  • Easy deletion, so when you're done with an app, you're done.
  • Self-imposed limits on what you put in. The most private things in your life don't need to be in any app.

This is the threat that data minimization actually protects against — by not storing things, you protect future-you from forgetting they exist.

What end-to-end encryption helps with — and what it doesn't

E2E encryption with on-device keys (which we walked through here) protects against threats 1 and 3 well, threat 4 partially (less data exists in the first place), and threat 2 only if the app uses per-device keys.

It does not protect against:

  • Your partner reading your unlocked phone.
  • A device-level vulnerability (jailbreak, malware) that scrapes data after decryption.
  • You accidentally screenshotting a private note and texting it.
  • Future-you giving someone your password.

Most threats to relationship data are ultimately about the humans involved, not the cryptography. The cryptography just stops the company from being a useful target for anyone trying to attack the humans.
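To make the per-device key point concrete, here is an added sketch (not Arcov's code and not from the original post) of a paired account where each entry's content key is wrapped only for the devices allowed to read it, using Node.js's built-in crypto. The names `alex` and `sam`, the `wrap-v1` label and the record layout are assumptions made for illustration.

```javascript
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv, createPublicKey } = require('node:crypto');
// AES-256-GCM helpers; gcmOpen throws if the key is wrong or the data was altered.
function gcmSeal(key, data) {
  const iv = randomBytes(12), c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmOpen(key, { iv, ct, tag }) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}
// Key-encryption key from X25519 ECDH between one private and one public key.
const kek = (privateKey, publicKey) =>
  Buffer.from(hkdfSync('sha256', diffieHellman({ privateKey, publicKey }), Buffer.alloc(0), 'wrap-v1', 32));

// Encrypt an entry once, then wrap its content key for each device allowed to read it.
function sealEntry(text, readers) {
  const contentKey = randomBytes(32), wraps = {};
  for (const [name, pub] of Object.entries(readers)) {
    const eph = generateKeyPairSync('x25519'); // fresh ephemeral key per wrap
    wraps[name] = { ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }),
                    ...gcmSeal(kek(eph.privateKey, pub), contentKey) };
  }
  return { ...gcmSeal(contentKey, Buffer.from(text, 'utf8')), wraps }; // all the server stores
}
// Returns the plaintext, or null when this device's key cannot unwrap the entry.
function openEntry(entry, name, devicePrivateKey) {
  try {
    const w = entry.wraps[name];
    const ephPub = createPublicKey({ key: w.ephPub, type: 'spki', format: 'der' });
    return gcmOpen(gcmOpen(kek(devicePrivateKey, ephPub), w), entry).toString('utf8');
  } catch { return null; }
}

// Constructed scenario: two paired phones, each holding its own private key.
function demo() {
  const alex = generateKeyPairSync('x25519'), sam = generateKeyPairSync('x25519');
  const note = sealEntry('private mood: rough day', { alex: alex.publicKey });
  const memory = sealEntry('shared: first trip', { alex: alex.publicKey, sam: sam.publicKey });
  return {
    authorReadsNote: openEntry(note, 'alex', alex.privateKey),
    partnerReadsNote: openEntry(note, 'sam', sam.privateKey),       // no wrap for sam
    partnerWithCopiedWrap: openEntry(note, 'alex', sam.privateKey), // wrong private key
    partnerReadsMemory: openEntry(memory, 'sam', sam.privateKey),
    serverSeesPlaintext: note.ct.includes('rough day'),
  };
}
```

The server-side record holds only ciphertext and wrapped keys, so the paired login alone opens nothing; as the list above says, none of this helps once a device is unlocked in someone else's hands.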

A two-minute personal threat model

If you want to do a real threat model for your own couples-app use, here's a small exercise:

  1. Write down the three most sensitive things in the app right now.
  2. For each, ask: who would I most fear seeing this?
  3. Then ask: would the protections in this app actually stop that person?

Most of the time, the answer is "my partner's bad day or our future ex." That's a clue about which features actually matter.

Privacy isn't a slider that goes from 0 to 10. It's a set of choices about who you're keeping things away from, and whether the app's tools match your actual list.

Arcov is a private app for couples. Share moods, send buzzes, save memories in an end-to-end encrypted vault. The beta is open now: free for the first 50 couples, 12 months free for the next 200.