How your privacy works

This is the page where we explain, in plain language, exactly how private your entries are.

The short version

Open Heart is built so that we — the company — can never read your journal entries. Not by accident. Not by a curious employee. Not even if a court asks us to.

When you write an entry on your phone, it gets scrambled before it leaves the device. The only thing that arrives on our servers is a jumble of letters and numbers. Without the key, there's no way to turn that jumble back into words. The key never leaves your phone.

What that means in everyday terms

• If you write "I felt invisible at dinner last night" on your phone, what reaches our servers is something like "x9k2n8j1p4..." — gibberish without the key.
• If our database were stolen tomorrow, the thief would have a pile of gibberish. They couldn't read a single entry.
• If we got a legal request asking us to hand over what someone wrote, we genuinely have nothing to hand over except gibberish. We can't unscramble it. Nobody at Open Heart can.

This isn't a marketing claim. It's a property of how the app is built.

How your partner sees your entries

When you pair with your partner, both phones quietly agree on a shared secret. Think of it like the two of you whispering a password to each other that nobody else hears.

From that point on:

• Your entries are scrambled with that shared secret.
• Your partner's phone is the only other device in the world with the matching secret.
• When the reveal happens, their phone unscrambles your entries — locally, on their device.

Our servers move the scrambled bundles between you, but we can't open them.

What we can see

We're not going to claim "we see nothing" because that's not quite true. Some basic information has to stay readable for the app to work:

• An anonymous ID for your account. Not your name, not your email — just a random string of characters.
• Which week an entry belongs to. Needed to group entries into the right check-in.
• Whether an entry is marked "shared" or "private." Needed so your partner only sees the ones you chose to share.
• The time an entry was created. Needed to show entries in order.

These details tell us that you wrote, when, and whether you marked it shared. They tell us nothing about what you wrote or how you felt. That part stays locked.

What's locked (always)

• The words you write
• The feeling you tagged
• The category (appreciation, growth, feeling, moment)
• How intense it was (1 to 5)
• Whether you marked it private, shared, or unsend
• Your partner's name, love language, attachment style, and photo

The trade-off

This level of privacy comes with one consequence we want you to understand:

If you lose your phone and you don't have a recovery phrase, your past entries cannot be brought back.

Not by us. Not by anyone. The keys live on your phone. Without them, the scrambled entries on our servers stay scrambled forever.

This is why we ask you to save a recovery phrase — 24 words on paper that can rebuild your key on a new phone. It's the only way back in.

We could have skipped this. We could have kept a master key on our servers that lets us recover anyone's data on demand. Most apps do. But that master key would be the obvious target for anyone breaking into our systems — including us, if we ever got compelled to use it. So we don't have one.

Why we built it this way

Open Heart is for the partner who has things to say but fears the consequences of saying them. The thing you write at 2am about a feeling you didn't know how to bring up — that's the most sensitive content you'd ever write into an app.

If we could read it, even technically, you'd be right to hold back. So we made sure we can't.

Related

• What we collect (and don't)
• Recovery phrase
• Crisis resources