Encryption
How the encryption works
The short version: what you write is locked on your phone before it’s sent, and our server only ever holds a scrambled copy it can’t open. This page spells out what’s locked, the few things that aren’t, and how the locking works. There’s a way to check all of it near the bottom.
What’s locked
When you log something, the words and details you type get encrypted on your phone before they go anywhere. That covers your notes, the feed details, the nappy details, the weights, the milestones, your baby’s profile (meaning their name and date of birth), and the names household members give themselves. All of it leaves your phone already scrambled, and our server stores it that way. We don’t have the key, so we can’t turn any of it back into anything readable.
What the server can see
Not everything can be hidden. For the app to sync between phones and remind you about a feed while it’s closed, a few things have to travel in the clear. Here’s the honest list of what our server can see:
- The type of each entry, like a feed, a nappy or a sleep.
- When it happened.
- The state of a running timer, so a feed you start on one phone shows up on the other.
- An id for which person in your household logged it. It’s a random-looking string, not a name.
- How many people are in your household.
- A label for the kind of device, like a phone or a tablet.
- One brief exception: when someone joins your household, the name they type travels in the clear until the pairing finishes, because their phone doesn’t hold the key yet. It’s scrubbed once the pairing is approved or denied, and their name is stored encrypted like everyone else’s.
Here’s what that looks like in practice. This is the shape of the request that logs a feed:
"client_id": "b1f04c…",a random id so a retry on bad signal can’t create a duplicate"category": "feed",the type of entry, in the clear, so reminders can work"occurred_at": "2026-07-08T14:02:11Z",when it happened, in the clear, same reason"ciphertext": "qL3vN8…",your note and every detail, locked with your household key"iv": "9dKf2A…"the fresh random value used for this one entryWhy the type and time aren’t hidden
Paige can remind you when a feed’s due, and that reminder is a push notification our server sends while the app is shut on your phone. A server can’t remind you about a feed whose time it can’t see. So the type of entry and when it happened travel in the clear. That’s the trade-off: the reminders work, and in exchange the server knows a feed happened at 2pm, but not a single word you wrote about it.
How the locking works
Your household has one key. It’s made on your phone the moment you set Paige up, and it stays on your devices. You never see it or type it. When you log something, Paige takes your note and details, locks them with the key, and picks a fresh random value each time so that two identical notes never produce the same locked blob. The locked blob and that random value are what get sent. That’s the whole of it.
For the technical reader
If you’d rather see the actual algorithms, here they are.
- Event contents (your note and the tagged details) are encrypted with AES-GCM, a 256-bit key, a fresh random 96-bit IV per message, and the default 128-bit authentication tag.
- The household key is generated on-device with the browser’s Web Crypto and kept in IndexedDB. It never leaves in the clear.
- Getting the key onto a second phone uses an ECDH P-256 handshake to derive a one-time wrapping key. Only the wrapped key ever crosses the wire.
- Each device has its own ECDSA P-256 keypair for signing in. The private key is non-extractable and never leaves the device; signing in means signing a server’s one-time number, nothing more.
- Recovery uses a 12-word BIP-39 phrase (128 bits of entropy). HKDF-SHA-256 turns it into two keys: one that unwraps your data key, and one secret the server only ever holds as a SHA-256 hash.
- The sign-in cookie is an HMAC-SHA-256 signed token. There’s no password stored anywhere.
Getting the key onto a second phone
When your partner joins, or you add a tablet, the two phones do a short handshake so the key can move across without our server ever seeing it. The new phone shows a short code, which you type into a phone that already has the key. On its own the code does nothing. Both phones then show the same four-word phrase, and you check out loud that they match. If they do, the phone with the key wraps it up sealed so that only the new phone can open it, and our server just passes the sealed bundle along. If someone tried to sit in the middle of that handover, the four words wouldn’t match, and you’d stop.
If you lose your phone
When you first set up, Paige shows you twelve recovery words, once. They’re the way back if you lose every device. Our server keeps two things to make that work: a locked-up copy of your household key, and a hash of a secret those words produce. Neither is any use without the words themselves. Type the words on a new phone and it unlocks the key and pulls your log back.
There’s no softer version of this to offer. If you lose every device and you don’t have the words, the data is gone. We can’t get it back, because we never had a key to it. Keep the words somewhere safe.
Check it yourself
You don’t have to take our word for any of this. Here’s how to watch what leaves your phone:
- Open Paige in a desktop browser and sign in to your household.
- Open the browser’s developer tools and go to the Network tab. (Right-click the page, choose Inspect, then Network.)
- Log a feed, and put a note on it, something you’ll recognise.
- Find the request to /api/events and look at what it sent.
You’ll see the type (feed) and the time in plain text, and then two scrambled blobs: the ciphertext and the iv. It’s the same shape as the request pictured further up this page. Your note is inside the ciphertext, and you won’t be able to read it there. That’s the whole claim, sat in front of you. Hold this page to that standard.
What this means we can’t build
Not being able to read your data rules a couple of things out, and that’s on purpose.
- No insights or analysis built on our side. We can’t chart your content or find patterns in it on the server, because to us it’s a sealed box. Anything like that has to happen on your own phone, where the key lives.
- No password reset in the usual sense. There’s no account and no password to reset, and no way for us to recover your data if the words are gone. The recovery words are it.
Questions
This page is about how the locking works. For the wider picture, what we collect, cookies, website analytics, and how to export or delete your data, see the privacy page.
And if you want to poke holes in any of this, please do. Email [email protected] and a real person will reply.