BITS

The security model

Only you can read it.
Here's exactly why that's true.

BITS can't read your bits, can't leak them, can't be made to hand them over, and can't use them to train anything. Not won't — can't. This page shows the machinery behind that sentence: what happens to your words, where the keys live, what we can see, what we can't, and the honest limits. Written to be checked, not believed.

Start here

One question decides everything: who holds the key?

Most services work like a hotel safe — your things are locked away, but the staff hold a master key. That's why they can reset your password, and it's also why your data is readable by their systems, their staff, anyone who breaks in, and anyone who buys the company.

A test that works on any app: if "forgot password" can bring your data back without a code only you kept, the company holds a key. It cannot be any other way — someone opened the safe to let you back in.

BITS fails that recovery on purpose. Your password becomes a key on your device and never leaves it. Lose the password and the recovery code, and nobody — including us — can open your vault. That inconvenience is the proof that nobody else has a way in either.

The journey of a bit

What happens when you write something down.

Sealed on your device

The moment a bit is saved, it's encrypted right there on your device with AES-256 — the cipher trusted for bank transfers and state secrets. The key came from your password, stretched through 600,000 rounds so that guessing is deliberately expensive.

Noise in transit, noise at rest

If sync is on, the sealed record travels to the cloud and is stored under a random vault ID — no name, no email attached. What sits on the server is indistinguishable from random noise. There is nothing to "crack"; there is just noise with no way in.

Readable only where you are

Your other devices derive the same key from the same password and unseal their copy locally. Search, reading, editing — all of it happens on your devices, because nowhere else can read a single word.

The numbers

Measured, not promised.

600,000rounds of key-stretchingbetween your password and the key — every guess an attacker makes pays the same toll
AES-256on every recordindustry-standard, hardware-accelerated, native WebCrypto — no home-made cipher anywhere
~99 bitsrecovery-code strengthharder to guess than fifteen random letters — and we never hold a copy
0readable copies elsewhereyour vault is ciphertext everywhere except your own unlocked device

The machinery

The habits the system keeps.

Small design decisions, each closing a whole class of problem.

Envelope encryption

A random master key seals every record and never changes; your password locks that key. Changing your password re-locks the envelope — it never means re-encrypting your life.

No name on the box

Sealed records live under a random vault ID. The storage layer doesn't know whose noise it's holding.

Sealed files too

Attachments and images are encrypted on your device before upload and stored under random names.

Search stays home

Search runs on your device. There is no server-side search, because the server can't read anything.

Conflicts keep both

Two devices edit at once? The newer wins and the other is kept as a visible copy. Nothing is ever silently discarded.

Backups prove themselves

A backup isn't trusted until it's read back and verified — and risky operations refuse to run without a verified safety net in place.

Lock, instantly

One tap flushes the key from memory. Nothing on the device is readable again until you unlock.

No adverts, no trackers

No analytics on your data, nothing sold on, no third-party scripts on your bits. The only counters anywhere are anonymous rate-limit tallies.

The intelligence

Privacy and AI, built as layers that never have to meet.

An intelligence must see something to help — it can't plan a day it's blind to. So the real questions are: how much does it see, when, who decides, and is there a record? BITS answers all four, in the product.

A slice, never the vault

Each request sends only what that one job needs — today's list, one page, one email. The sealed store is never handed over, and nothing is used to train any model.

Only when invited

The intelligence runs when you ask. The one automatic exception — ranking new email into a priority view — is named in the open, and has its own off switch and a never-show list for senders whose mail must stay between you.

Every exchange on the record

A disclosure log on your device records what was sent, what came back and what changed — readable in Settings, clearable any time. You audit the trade; you don't take our word for it.

Or cut us out entirely

Bring your own API key and your device talks to the model provider directly — no BITS server in the path at all. No other organiser offers you the option of our absence.

Privacy is never the price of intelligence. That's the whole product in one sentence.

What the intelligence sees, feature by feature

No other product publishes this table. Here's ours.

When you…EI is shownAnd afterwards
Capture a thoughtThe words you just said, your life areasNothing is stored by the model, nothing trains anything, and the exchange is written to your on-device disclosure log
Ask it to plan your dayTitles, areas and dates of open bits — not notes, not history
Leave EI Priority onEach new email, once — unless the sender is on your never-show list
Run a reviewThe period's goals and activity summary
Do nothingNothing. EI has no background access to the vault

The bridges

Connections are dials, not floodgates.

Google and your mailboxes connect to BITS as optional bridges — your device talks to the provider directly, the connection keys stay sealed in your vault, and each bridge has its own controls.

The calendar's free–busy mode

Share your calendar with Google as plain "Busy" blocks: booking tools and invites keep working, but Google learns only the shape of your day — never the words. Your real calendar, one of the most revealing documents you own, stays sealed.

Mail on your terms

Gmail is read and sent entirely on your device. Your own domains work through a stateless relay that holds credentials for one errand at a time and stores nothing. Any mailbox can be set send-only, so its inbox is never fetched at all.

The honest limits

What sealing can't do — said plainly.

A security page you can trust is one that tells you where the edges are.

Metadata exists

Even a perfectly sealed letter shows its outside. Any server — ours or anyone's — can see that a device connected, and when, even when it can't read a byte. Perfect invisibility is not on offer anywhere; sealed contents plus named edges is.

Email is email

The other side of every message holds a plain copy, and providers along the way handle mail in the open. BITS seals your copy and minimises what moves — no app can honestly promise more.

An unlocked device is unlocked

If you keep BITS signed in on a device, anyone holding that device can read your bits until you lock it. The lock is one tap; devices you don't fully control deserve it.

Not yet audited, not yet open source

BITS is young. There's no third-party audit yet and the code isn't public yet — we'd rather say that than imply otherwise. What we offer in the meantime is below: the claims you can verify yourself, today.

The threat model, in plain words

Who this protects you from — and who it can't.

Security pages usually skip this. It's the most useful part.

Sealing protects you from

  • Us.We hold noise and no key. Curiosity, a rogue employee, a bad future owner — none of it can read your bits.
  • A breach of our servers.An attacker who takes everything takes ciphertext under random IDs. There is nothing readable to steal.
  • Legal demands for content.We can't hand over what we can't read. What exists on our side: sealed records, connection timing, anonymous rate-limit tallies. If you set up email login, your email finds your locked keyfile — and unlocks nothing.
  • A lost or stolen device that's locked.Locked means the key isn't in memory. Without your password, the device holds noise.

Sealing can't protect you from

  • Someone holding your unlocked device.An open vault is open. The Lock is one tap — use it on devices other hands can reach.
  • A compromised device.Malware that watches your screen or keyboard sees what you see. No app survives a broken device; keep yours updated.
  • Losing both your password and recovery code.Then nobody can open the vault — including us. That's the deal, stated up front.
  • The far side of your emails.Every message you send exists in plain form at the other end. Sealing your copy can't reach theirs.

No trust required

Five claims you can check yourself.

  • Go quiet, network silent. One tap in the menu stops every connection this device makes — sync, Google, mail, intelligence. Open the network tab and watch: nothing. No other organiser can even function silent; BITS is built to.
  • The password reset that can't. Try to recover a vault without your recovery code. We fail, by design — the failure is the proof.
  • Your own key, our absence. Switch the intelligence to your own API key and watch requests go straight from your device to the provider.
  • The disclosure log. Ask the intelligence anything, then read exactly what was sent in Settings. Compare it with what any other AI product shows you: nothing.
  • Leave, completely. Export the whole vault to a file, any time, no export tax. An app confident you'll stay doesn't need to lock the doors.

And if BITS ever disappears? You hold the export, the off-cloud backups on your own disk, and an own-key mode that needs no server of ours. Your data survives us.

Take this with you

Five questions to ask any app that wants your life inside it.

1 · Who holds the key?

If they can reset your password without a code you kept, they can read your data. BITS: you hold it — and we fail the reset on purpose.

2 · What exactly leaves my device, and when?

BITS: sealed records for sync, and per-request slices for the intelligence — each one named on this page and in the app.

3 · Can I see a record of what was shared?

BITS: yes — the disclosure log, on your device, clearable any time.

4 · Can I turn each connection off, separately?

BITS: every bridge has its own dial — including free–busy-only calendar sharing, send-only mailboxes, and an AI-off switch for mail.

5 · Can I leave, with everything, in a form I can use?

BITS: one tap exports the whole vault. No lock-in, no export tax.

Ask these five of every product you're considering — including ours. The answers tell you more than any privacy policy.

On the record

When what leaves your device changes, it's dated here.

No product we know of keeps a public log of changes to its data handling. This one starts today.

  • Go quiet shipped: one switch that stops every outbound connection this device makes — sync, Google, mail relay, intelligence — enforced at a single choke point over all network calls, reversible in one tap with nothing to reconfigure.
  • New controls shipped: EI Priority switch (the intelligence's mail reading can be turned off entirely), a never-show-EI list for protected senders, send-only mailboxes, and free–busy-only calendar sharing with Google. Net effect: less can leave, and every path that does now has its own off switch.
  • Baseline model as described on this page: envelope encryption on device, sealed sync under random IDs, per-request slices for the intelligence with an on-device disclosure log, stateless mail relay, sealed and off-cloud backups.

Also on the record: BITS is not yet independently audited and not yet open source — when an audit lands, the report will be linked from this page. Our business plan is subscriptions, not data: you'll always be the customer, never the product.

Sealed by default. Yours by design.

Start with an empty page, and a vault only you can open.

Start free