Safe Diary — FAQ

Great question — trust should be earned, not assumed. Safe Diary’s security is verifiable, not just a marketing promise. Here’s how you can check for yourself:

All encryption runs inside your browser, which means you can open your browser’s developer tools (F12 → Network tab) while writing an entry and observe what data is actually sent to the server. You’ll see only an unreadable encrypted string — never your actual text.

Safe Diary uses AES-256-GCM, the same encryption standard used by governments, banks, and militaries. Your encryption key is derived from your password using PBKDF2 with 310,000 iterations — a publicly documented, widely peer-reviewed algorithm.

Zero-Knowledge means the service provider has zero knowledge of your data — they cannot read it even if they wanted to, or were forced to by law enforcement.

Traditional apps (like Google Keep, Apple Notes in basic mode, or most journaling apps) store your data on their servers in a way that they can decrypt. They hold the key, and you’re trusting them not to look.

Safe Diary flips this: your password never leaves your device. The encryption key is derived locally from your password. The server only stores the encrypted result. Safe Diary employees, hackers, governments, and subpoenas would all get the same thing: meaningless ciphertext.

End-to-End Encryption means data is encrypted on your device (one “end”) and can only be decrypted on your device (the other “end”). Nothing in between — not servers, not internet providers, not the app company — can read it.

In Safe Diary’s case: when you type an entry and hit save, your browser encrypts the text before it’s transmitted over the internet. The server receives and stores only the encrypted version. When you open the app again, the encrypted data is sent back to your browser, which then decrypts it locally using your password.

The journey looks like: Your device → [encrypts] → Encrypted blob travels → Server stores blob → Blob returns → [decrypts] → Your device

AES-256-GCM stands for Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode. Breaking it down:

• AES — The gold standard block cipher, approved by the U.S. NSA for top-secret information since 2003.
• 256-bit — Refers to the key length. A 256-bit key has 2²⁵⁶ possible combinations — more than the estimated number of atoms in the observable universe. Brute-forcing it is computationally impossible.
• GCM (Galois/Counter Mode) — A modern mode that adds authentication on top of encryption. It not only scrambles your data but also detects if anyone has tampered with it.

PBKDF2 (Password-Based Key Derivation Function 2) is the algorithm that turns your password into an encryption key. Your password alone would be weak as a key — it might be short, predictable, or contain real words. PBKDF2 hashes it thousands of times to create a strong, fixed-length key.

The 310,000 iterations aren’t random — they’re calibrated so that deriving your key on a normal device takes about a second. This sounds minor, but it means an attacker trying to guess your password must spend a second per guess. A million guesses would take 11+ days on fast hardware. With a decent password, this makes brute-force cracking completely impractical.

Safe Diary never transmits or stores your password. Not in a hashed form, not in any form. The only thing the server stores is your encrypted data. So a server breach cannot expose your password.

The realistic risks to your password are:

• You reuse it elsewhere — If another service you use gets breached, attackers may try that password on Safe Diary. Use a unique password.
• Weak password — Common words, names, or short passwords can be guessed through dictionary attacks, even with PBKDF2 slowing things down.
• Keyloggers on your device — Malware recording your keystrokes as you type (covered in the next question).
• Someone watching over your shoulder — Physical observation when you type your password.
• You shared it — Intentionally or unintentionally via phishing.

A keylogger is malware that records every keystroke you type, including your password as you enter it. It’s one of the most dangerous threats to any password-protected app — including Safe Diary.

Here’s how to protect yourself:

• Use a password manager (like Bitwarden, 1Password, or Dashlane). These autofill passwords without physically typing them, which defeats most keyloggers.
• Keep your OS and browser updated. Most keyloggers exploit known vulnerabilities that patches have fixed.
• Don’t install software from untrusted sources. Most keyloggers are bundled with “free” software or pirated content.
• Use reputable antivirus/anti-malware software on your device.
• Avoid shared or public computers for accessing your diary — they are extremely high-risk environments for keyloggers.
• Enable two-step verification where possible for your device login, so even if a password is stolen, access is blocked.

This is actually one of Safe Diary’s most important security features, not a flaw. Here’s why:

Password recovery requires the service to have either a copy of your key, a way to reset your encryption, or a “master key” that can unlock your data. Any of those options means someone other than you can access your diary — which completely defeats the purpose of zero-knowledge encryption.

By having no recovery option, we guarantee there’s no backdoor. No employee, no court order, no hacker who breaks into our systems can unlock your entries. Your data belongs to you — completely and exclusively.

Requiring an email address creates a link between your real identity and your diary. Safe Diary collects no email, no name, no personal details — making your account anonymous by default.

This protects you in two important ways:

• If our servers are breached, there’s no user record to expose — no email list for attackers to harvest, no personal data to sell or leak.
• No marketing or tracking — your email won’t be sold to advertisers, used to build behavioral profiles, or targeted for phishing.

The trade-off is no email-based password recovery — but as explained above, that’s actually a security benefit, not a downside.

Safe Diary does the hard work of encryption, but your habits matter too. Here are the key practices:

• Use a strong, unique password. At least 16 characters, random or passphrase-style (e.g., sunset-marble-globe-47). Never reuse it on other sites.
• Store your password in a password manager — don’t rely on memory alone.
• Always log out when using shared devices. Use the manual lock or wait for the auto-lock to activate.
• Don’t access your diary on public or untrusted Wi-Fi without a VPN.
• Keep your browser and OS updated to patch security vulnerabilities.
• Set up Panic Lock — configure your predefined lock URL and keyboard shortcut so your diary locks automatically whenever you switch tabs or minimize.
• Export an encrypted backup periodically so you never lose your entries if something happens to your account.

Auto-Lock automatically locks your diary after 5 minutes of inactivity. Once locked, your diary is inaccessible without re-entering your password — even if someone sits down at your device.

This protects you from a common but overlooked scenario: you step away from your desk, get distracted, and forget to close the app. Without auto-lock, anyone nearby could read your diary. With it, they’d find a locked screen.

Panic Lock is a feature that instantly locks your diary the moment you look away — before anyone even gets a chance to glance at your screen. It works in two ways:

• Tab switch / window minimize — The moment you switch to another tab or minimize the browser window, your diary automatically redirects to a predefined URL of your choice and locks itself. You don’t need to do anything.
• Keyboard shortcut — You can trigger an instant lock at any moment using a predefined keyboard shortcut — without touching your mouse or navigating any menus.

The use case: imagine you’re writing in your diary at work and a colleague walks over, or you’re on a train and need to quickly switch apps. The moment you alt-tab or minimize, the diary is already locked — no reaction time needed on your part.

Safe Diary is an online platform — accessible from any browser on any device. The Export and Import features give you full control over your data beyond just the server.

Export saves all your journal entries as an encrypted file to your device. It’s not plain text — the file is protected by the same AES-256-GCM encryption that secures your entries online. You can store it anywhere: a USB drive, personal cloud storage, or an email to yourself — without worrying about exposure.

Import is particularly useful if you want to wipe your data from our servers entirely — for example, if you’re taking a long break, concerned about account security, or simply want a clean start. You can export your encrypted backup, delete everything from our servers, and come back later to restore and continue exactly where you left off by importing the file.

To import, you’ll need your original password — the same one used when you exported. Without it, the encrypted file cannot be decrypted.

No. All search in Safe Diary runs locally on your device, not on the server.

When you search for a word or tag, your browser first decrypts your entries locally, then searches through the decrypted content — entirely within your device. No search query and no entry content is ever sent to the server for processing.

This is important because many apps use server-side search, which requires them to either store your data unencrypted or decrypt it temporarily on their end — both of which create privacy risks. Safe Diary avoids this entirely.

When a product is free, the product is usually you — your data, your behavior, your attention sold to advertisers. That model fundamentally conflicts with what a private diary is supposed to be.

Safe Diary charges a one-time $15.99 lifetime fee because:

• Servers, infrastructure, and maintenance cost money. A free service without revenue either dies, shows ads, or sells data.
• There are no ads, no tracking, no data selling — meaning the only revenue source is your payment.
• A paid model creates an aligned incentive: Safe Diary’s success depends on your trust and satisfaction, not on maximizing your time-on-app or monetizing your data.

A 30-day free trial with no credit card required lets you experience the full product before deciding.

No — zero ads, zero tracking, zero behavioral profiling. We operate on a strict “No ads. No tracking. No nonsense.” policy.

Because our business model is a one-time payment rather than advertising revenue, we have no financial reason to track your behavior, analyze your writing habits, or sell data to third parties. And due to our zero-knowledge architecture, we technically can’t read your data even if we wanted to.

This is one of the most important implications of zero-knowledge architecture. If a government agency serves us with a legal order to hand over your data, we can comply — and it would still not matter.

What we’d hand over is the encrypted blob stored on our servers: k7Hx2mP9qR4vZ1nL8wB…. Without your password, this data is completely unreadable. There is no master key, no backdoor, and no way to help authorities decrypt it.

Note: this only holds if your password is not obtained through other means (e.g., seizure of your own device while logged in).

No — this is precisely what end-to-end encryption is designed to protect against. Even in the worst-case scenario of a full breach of our servers, an attacker would obtain only the encrypted ciphertext of every user’s entries.

Without the users’ individual passwords (which are never stored on our servers), the ciphertext is computationally impossible to decrypt. A hacker would spend the remainder of the universe’s lifespan trying to brute-force AES-256-GCM.

Better than most apps — but with caveats. Because all data transmitted between your browser and Safe Diary’s servers is already encrypted (ciphertext), even if someone intercepts your connection on a public network, they get nothing readable.

However, public Wi-Fi creates other risks:

• Malicious hotspots — A fake Wi-Fi network can serve a spoofed version of any website. Always verify you’re on safediary.app (look for the padlock/HTTPS).
• Shoulder surfing — People physically looking at your screen as you write.
• Session hijacking — Rare but possible; using a reputable VPN eliminates this risk.

Safe Diary works across all devices, and the same encryption protections apply on mobile. However, mobile introduces some unique considerations:

• Screen lock — Always use a PIN, fingerprint, or face lock on your phone. Physical access to an unlocked phone is the most common privacy breach.
• App screenshots — Some apps and operating systems take screenshots for the app switcher. Be mindful of what’s visible when you switch apps.
• Predictive keyboard data — Third-party keyboards may log typed text. Use your phone’s built-in keyboard for sensitive input.
• Malicious apps — Only install apps from official stores. Apps with broad permissions can sometimes access clipboard content or take screenshots.

Syncing normally requires a central server to hold and distribute your data — which in most apps means the server can read it. Safe Diary syncs your data across devices while maintaining zero-knowledge by syncing only the encrypted ciphertext.

When you write on your laptop, the encrypted data is stored on the server. When you open Safe Diary on your phone, it downloads that encrypted data and decrypts it locally using your password. The server acts purely as a storage relay — it never sees the content at any point in the sync process.

The core difference is who holds the key:

• Apple Notes / Google Keep — These encrypt your data in transit (HTTPS) and at rest on their servers — but they hold the encryption keys. Apple and Google can read your notes if required to (by law enforcement, by internal processes, or in case of a breach of their key management).
• Safe Diary — You hold the only key (your password). Our servers only hold ciphertext that we cannot decrypt. No employee, no engineer, no court order changes this.

For casual grocery lists, the difference doesn’t matter. For your most private thoughts, fears, health issues, or personal struggles — it matters enormously.

Your password is the single point of security for your diary. Here’s a complete checklist:

• Length over complexity — A 20-character passphrase is stronger than a 10-character mix of symbols. Aim for at least 16 characters.
• Use a password manager — Generate and store a random password. Never reuse it anywhere else.
• Write it down physically — Store a copy in a physically secure location (your home safe, a locked drawer). This is your only recovery option.
• Never share it — Not with family, not in any digital message.
• Don’t use personal info — Birthdays, names, pet names, or anything guessable by someone who knows you.
• Change it if compromised — If you suspect your device had malware, change your password immediately from a clean device.

Safe Diary explicitly states it has no ads, no tracking as core principles of the product. Traditional analytics services (like Google Analytics) track user behavior, pages visited, time spent, device info, and geographic location — building a profile of you even on “private” apps.

A privacy-first app that uses Google Analytics would be fundamentally contradictory. You can verify what scripts are loaded by opening your browser’s developer tools (F12 → Sources or Network tab) and inspecting what external requests the app makes.

This is a legitimate concern for any cloud-based service. Our encrypted export feature is specifically designed to protect you in this scenario.

As long as you regularly export your encrypted backup, your data lives on your own device/storage — completely independent of our servers. Even if we were to shut down tomorrow, your exported file is still your file, still encrypted with your password, and still readable with the right decryption tools and your password.

Because the encryption uses standard AES-256-GCM, even if our import tool were no longer available, a tech-savvy person could still write their own decryption tool to read your backup.

Yes. Safe Diary is a browser-based online platform, which means there’s nothing to install and nothing tied to a single device. You can open it on your laptop, desktop, tablet, or phone — any device with a modern browser — and your diary is right there.

Because your encrypted data lives on our servers (not locally on one device), switching between devices is seamless. Write an entry on your work computer in the morning and read it on your phone that evening — it’s all in sync, all encrypted.

When you delete your account, all encrypted data stored on our servers is permanently removed. Because we hold no email, no name, and no personal identifiers — there’s nothing else tied to you to delete.

Since we operate on a zero-knowledge model, even the data that gets deleted was unreadable to us in the first place. The deletion is complete and irreversible.

If you’d like to take a break without losing your entries, the recommended flow is: export your encrypted backup → delete your server data → come back later → import your backup to restore everything.

Markdown is a lightweight formatting language that lets you structure your writing using simple symbols — without needing a toolbar or formatting buttons.

In Safe Diary, you can format your entries using Markdown syntax. A few examples:

• # Heading → creates a large heading
• **bold text** → makes text bold
• - item → creates a bullet list
• *italics* → makes text italic

This makes it easy to write structured entries — journaling prompts with sections, lists of things you’re grateful for, or detailed reflections with headers — all while keeping the interface clean and distraction-free.

Safe Diary is an online platform — an active internet connection is required to load the app, sync entries, and save new content to our servers.

However, because all encryption and decryption happens in your browser, once the app has loaded and your entries are decrypted locally, you can read previously loaded entries even if your connection drops momentarily. Writing new entries or saving changes will require reconnecting to sync.

“Client-side” refers to your device — your browser, in this case. “Crypto” is short for cryptography (encryption). So “client-side crypto” simply means: the encryption happens on your device, not on our server.

In most apps, your data travels to the server first and the server handles encryption — meaning the server has access to the unencrypted version, at least briefly. With client-side crypto, your browser does the encrypting before anything leaves your device. Our server only ever receives the already-scrambled result.

We store only encrypted ciphertext — no readable content. If we were ever subpoenaed or required to produce records, what we would provide is a string of unreadable encrypted data. Without your password, it’s legally and practically useless as evidence because its contents cannot be verified or read.

The only scenario where your diary could be accessed in a legal context is if:

• Your own unlocked device is physically seized while you’re logged in.
• You are legally compelled to provide your password yourself (laws around this vary by country).
• Your password was obtained through other means (malware, coercion, etc.).

Yes, you can change your password. However, because your entries are encrypted using a key derived from your current password, changing your password means all your entries must be re-encrypted with the new key.

Safe Diary handles this automatically during the password change process: your browser decrypts all existing entries using your old password and re-encrypts them with the new one before the change is finalized. This happens entirely client-side — your decrypted content never passes through our servers during this process.