Zero-Access Architecture
Your data is encrypted on your device before it ever reaches our servers. We couldn't read your habit data even if we wanted to.
AES-256-CTR
We use the Advanced Encryption Standard with a 256-bit key in Counter Mode. This is the same standard used by governments to protect top-secret information.
- ✓ Unique 128-bit random IV per write
- ✓ No block padding, so no padding-oracle attacks
PBKDF2 Key Derivation
Your password never leaves your device. Instead, we derive a cryptographic key from it using PBKDF2 with 50,000 rounds of SHA-256 hashing.
- ✓ Unique 128-bit Salt per user
- ✓ Resistant to Rainbow Table attacks
How It Works
Local Encryption
When you track a habit, your phone generates a unique Initialization Vector (IV) and encrypts the data locally using your derived key.
Integrity Signing
An HMAC-SHA256 signature is generated and appended to the encrypted blob. This ensures that no one—not even a server administrator—can tamper with your data without breaking the signature.
Secure Sync
Only the unintelligible, encrypted blob is sent to our servers. We store it, but we can never read it.
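The three steps above as a Node.js example, added here for illustration and not Cipher Tracker's own code. The page does not say how the encryption and MAC keys are separated or how the blob is laid out, so the HMAC-derived subkeys (labels `enc` and `mac`), the `IV || ciphertext || tag` layout, and the function names `deriveKeys`, `seal`, `open` and `rejects` are assumptions.

```javascript
// Added example, not the application's code. Key separation and blob
// layout are assumptions; algorithm names and sizes come from the page.
const crypto = require('node:crypto');

const PBKDF2_ROUNDS = 50000; // figure stated on the page
const IV_LEN = 16;           // 128-bit IV
const TAG_LEN = 32;          // HMAC-SHA256 output

// Stretch the password into a master key, then split it into two
// independent subkeys so encryption and integrity never share a key.
function deriveKeys(password, salt) {
  const master = crypto.pbkdf2Sync(password, salt, PBKDF2_ROUNDS, 32, 'sha256');
  const sub = (label) => crypto.createHmac('sha256', master).update(label).digest();
  return { encKey: sub('enc'), macKey: sub('mac') };
}

// Encrypt-then-MAC. Assumed layout: IV (16) || ciphertext || tag (32).
function seal(keys, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV for every write
  const cipher = crypto.createCipheriv('aes-256-ctr', keys.encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', keys.macKey).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]);
}

// Verify the tag before decrypting: CTR on its own would silently
// accept flipped ciphertext bits and return altered plaintext.
function open(keys, blob) {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_LEN);
  const ct = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const expected = crypto.createHmac('sha256', keys.macKey).update(iv).update(ct).digest();
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error('integrity check failed');
  const decipher = crypto.createDecipheriv('aes-256-ctr', keys.encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when open() refuses the blob (tampered data or wrong password).
function rejects(keys, blob) {
  try { open(keys, blob); return false; } catch { return true; }
}
```

A wrong password derives a different MAC key, so `open` fails the integrity check instead of returning garbage, which is also why no password recovery is possible. The 50,000 iteration count is the page's figure; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.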
"Cipher Tracker" refers to the specific application logic protecting your data. Because we use End-to-End Encryption, there is no "Forgot Password" feature. If you lose your password, your data is gone forever. This is a feature, not a bug.