Security
Last updated: 2026-04-26
Singletick is a zero-knowledge productivity app. Everything you create is encrypted on your device before it touches storage, with a key derived from a passphrase only you know. We have no copy of your data, no key to decrypt it, and no way to read it even if compelled to.
How your data is protected
- Encrypted on your device. Every entry — habit, todo, note, pledge, mood entry, focus session — is sealed with strong, modern encryption before it is written to storage.
- Key never leaves your phone. The encryption key is derived from your passphrase using a memory-hard key-derivation function and stored in your device's secure enclave. We never see it.
- Backup is yours. If you enable Pro backup, the backup blob is sealed with a key derived from the same passphrase and uploaded to your own Google Drive or iCloud as opaque ciphertext. Singletick has no access to your cloud account.
- 2FA (Pro). Optional second-factor unlock using any standard authenticator app.
- Recovery key (Pro). A printable secondary key you can store offline as a backup against a lost passphrase.
Web companion
- End-to-end encrypted. The browser companion talks directly to your phone over an encrypted peer-to-peer channel. Nothing in the middle can read the bytes.
- Pairing is short-lived. The pairing handshake passes through a short-lived relay so your phone and your browser can find each other; the relay sees only ephemeral pairing metadata, for under 60 seconds.
- Maximum-privacy mode. Toggle in Settings → Companion → Advanced to keep your home IP off the relay entirely.
How to report a vulnerability
Email security@singletick.app with as much detail as you can — repro steps, affected version, your proposed severity. We'll acknowledge within 72 hours and work with you on a coordinated-disclosure timeline.