The security model
BITS can't read your bits, can't leak them, can't be made to hand them over, and can't use them to train anything. Not won't — can't. This page shows the machinery behind that sentence: what happens to your words, where the keys live, what we can see, what we can't, and the honest limits. Written to be checked, not believed.
Start here
Most services work like a hotel safe — your things are locked away, but the staff hold a master key. That's why they can reset your password, and it's also why your data is readable by their systems, their staff, anyone who breaks in, and anyone who buys the company.
A test that works on any app: if "forgot password" can bring your data back without a code only you kept, the company holds a key. It cannot be any other way — someone opened the safe to let you back in.
BITS fails that recovery on purpose. Your password becomes a key on your device and never leaves it. Lose the password and the recovery code, and nobody — including us — can open your vault. That inconvenience is the proof that nobody else has a way in either.
The journey of a bit
The moment a bit is saved, it's encrypted right there on your device with AES-256 — the cipher trusted for bank transfers and state secrets. The key came from your password, stretched through 600,000 rounds so that guessing is deliberately expensive.
If sync is on, the sealed record travels to the cloud and is stored under a random vault ID — no name, no email attached. What sits on the server is indistinguishable from random noise. There is nothing to "crack"; there is just noise with no way in.
Your other devices derive the same key from the same password and unseal their copy locally. Search, reading, editing — all of it happens on your devices, because nowhere else can read a single word.
The numbers
The machinery
Small design decisions, each closing a whole class of problem.
A random master key seals every record and never changes; your password locks that key. Changing your password re-locks the envelope — it never means re-encrypting your life.
Sealed records live under a random vault ID. The storage layer doesn't know whose noise it's holding.
Attachments and images are encrypted on your device before upload and stored under random names.
Search runs on your device. There is no server-side search, because the server can't read anything.
Two devices edit at once? The newer wins and the other is kept as a visible copy. Nothing is ever silently discarded.
A backup isn't trusted until it's read back and verified — and risky operations refuse to run without a verified safety net in place.
One tap flushes the key from memory. Nothing on the device is readable again until you unlock.
No analytics on your data, nothing sold on, no third-party scripts on your bits. The only counters anywhere are anonymous rate-limit tallies.
The intelligence
An intelligence must see something to help — it can't plan a day it's blind to. So the real questions are: how much does it see, when, who decides, and is there a record? BITS answers all four, in the product.
Each request sends only what that one job needs — today's list, one page, one email. The sealed store is never handed over, and nothing is used to train any model.
The intelligence runs when you ask. The one automatic exception — ranking new email into a priority view — is named in the open, and has its own off switch and a never-show list for senders whose mail must stay between you.
A disclosure log on your device records what was sent, what came back and what changed — readable in Settings, clearable any time. You audit the trade; you don't take our word for it.
Bring your own API key and your device talks to the model provider directly — no BITS server in the path at all. No other organiser offers you the option of our absence.
Privacy is never the price of intelligence. That's the whole product in one sentence.
No other product publishes this table. Here's ours.
| When you… | EI is shown | And afterwards |
|---|---|---|
| Capture a thought | The words you just said, your life areas | Nothing is stored by the model, nothing trains anything, and the exchange is written to your on-device disclosure log |
| Ask it to plan your day | Titles, areas and dates of open bits — not notes, not history | |
| Leave EI Priority on | Each new email, once — unless the sender is on your never-show list | |
| Run a review | The period's goals and activity summary | |
| Do nothing | Nothing. EI has no background access to the vault |
The bridges
Google and your mailboxes connect to BITS as optional bridges — your device talks to the provider directly, the connection keys stay sealed in your vault, and each bridge has its own controls.
Share your calendar with Google as plain "Busy" blocks: booking tools and invites keep working, but Google learns only the shape of your day — never the words. Your real calendar, one of the most revealing documents you own, stays sealed.
Gmail is read and sent entirely on your device. Your own domains work through a stateless relay that holds credentials for one errand at a time and stores nothing. Any mailbox can be set send-only, so its inbox is never fetched at all.
The honest limits
A security page you can trust is one that tells you where the edges are.
Even a perfectly sealed letter shows its outside. Any server — ours or anyone's — can see that a device connected, and when, even when it can't read a byte. Perfect invisibility is not on offer anywhere; sealed contents plus named edges is.
The other side of every message holds a plain copy, and providers along the way handle mail in the open. BITS seals your copy and minimises what moves — no app can honestly promise more.
If you keep BITS signed in on a device, anyone holding that device can read your bits until you lock it. The lock is one tap; devices you don't fully control deserve it.
BITS is young. There's no third-party audit yet and the code isn't public yet — we'd rather say that than imply otherwise. What we offer in the meantime is below: the claims you can verify yourself, today.
The threat model, in plain words
Security pages usually skip this. It's the most useful part.
No trust required
And if BITS ever disappears? You hold the export, the off-cloud backups on your own disk, and an own-key mode that needs no server of ours. Your data survives us.
Take this with you
If they can reset your password without a code you kept, they can read your data. BITS: you hold it — and we fail the reset on purpose.
BITS: sealed records for sync, and per-request slices for the intelligence — each one named on this page and in the app.
BITS: yes — the disclosure log, on your device, clearable any time.
BITS: every bridge has its own dial — including free–busy-only calendar sharing, send-only mailboxes, and an AI-off switch for mail.
BITS: one tap exports the whole vault. No lock-in, no export tax.
Ask these five of every product you're considering — including ours. The answers tell you more than any privacy policy.
On the record
No product we know of keeps a public log of changes to its data handling. This one starts today.
Also on the record: BITS is not yet independently audited and not yet open source — when an audit lands, the report will be linked from this page. Our business plan is subscriptions, not data: you'll always be the customer, never the product.
Start with an empty page, and a vault only you can open.
Start free