Security & Privacy

Locked on your device. Unreadable everywhere else.

Everything your family writes in Nuthatch Family — every list, note, recipe, and chat message — is encrypted on your device before it ever leaves it. A server carries it between your phones, but it only ever sees scrambled bytes. We literally cannot read your family's life, and that's the whole point.

Yes, there's a server — and it's deliberately blind.

Your devices need a way to reach each other, so a relay server passes messages along. But it's a courier carrying sealed envelopes, not a vault of your secrets. It forwards ciphertext it has no key to open.

[Diagram: How a message flows through the relay. A message is readable on your device, encrypted before it is sent, passes through the relay server as ciphertext the server cannot read, stays encrypted in transit, and is decrypted again on each family member's device.]

🔓 Readable — only on your family's own devices
🔒 Encrypted — through the relay and in transit

The honest breakdown

What the server sees — and what it never can.

True privacy means being honest about the edges. Here's exactly where the line is.

What it can never see

  • The contents of your lists, notes, and recipes.
  • Your chat messages.
  • Your document titles and member display names — encrypted too.

The "envelope" it does see

The unavoidable routing details — the writing on the outside of the envelope, kept to the minimum needed to deliver your data.

  • That a message or update exists, and roughly how big it is.
  • When it was sent, and which device sent it.
  • Plain labels needed to route data — an internal ID, a channel name, a member's role.

How it works

The key never leaves your family.

Encrypted on your device

The moment you add a list item or send a message, your device locks it with AES-256-GCM — the same standard banks, militaries, and governments trust. Only then does it travel.

One key, only on your devices

Your family shares a single secret key that locks and unlocks everything. It's created on a device and never sent to our servers in a form we can read.

A sealed handshake to add members

When someone joins, an X25519 key exchange wraps the family key just for their device. It passes through the server as more scrambled bytes the server can't open.
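
The three steps above, sketched end to end with Node's built-in crypto module. This is an added example, not Nuthatch Family's code: the page names only AES-256-GCM and X25519, so the HKDF-SHA256 step, the `example-family-key-wrap` label, the ephemeral sender key, the envelope layout, and all function names are assumptions.

```javascript
// Added illustration, not Nuthatch Family's code. Assumptions: HKDF-SHA256,
// the info label, an ephemeral sender key, and the envelope layout.
const { randomBytes, createCipheriv, createDecipheriv, diffieHellman,
        hkdfSync, generateKeyPairSync, createPublicKey } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce per message.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// X25519 shared secret -> 32-byte wrapping key (the HKDF step is an assumption).
function wrappingKey(privateKey, publicKey) {
  const shared = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'example-family-key-wrap', 32));
}

// Existing member's device: wrap the family key for the joiner's public key.
function wrapFamilyKey(familyKey, joinerPublicKey) {
  const eph = generateKeyPairSync('x25519');
  const ephemeralPublic = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephemeralPublic, ...seal(wrappingKey(eph.privateKey, joinerPublicKey), familyKey) };
}

// Joining device: rebuild the same wrapping key from its own private key.
function unwrapFamilyKey(envelope, joinerPrivateKey) {
  const ephPub = createPublicKey({ key: envelope.ephemeralPublic, type: 'spki', format: 'der' });
  return unseal(wrappingKey(joinerPrivateKey, ephPub), envelope);
}

function demo() {
  const familyKey = randomBytes(32);                           // constructed sample key
  const joiner = generateKeyPairSync('x25519');
  const envelope = wrapFamilyKey(familyKey, joiner.publicKey); // all the relay ever holds
  const recovered = unwrapFamilyKey(envelope, joiner.privateKey);
  const message = seal(recovered, Buffer.from('Dinner at 6?'));
  const outsider = generateKeyPairSync('x25519');              // any party without the joiner's key
  let outsiderCanOpen = true;
  try { unwrapFamilyKey(envelope, outsider.privateKey); } catch { outsiderCanOpen = false; }
  return { keysMatch: recovered.equals(familyKey),
           text: unseal(familyKey, message).toString(), outsiderCanOpen };
}
```

The sketch does not cover how the inviting device confirms that a public key really belongs to the person joining; the page does not describe that step.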

You are not the product

Built to keep corporations out of your home.

Most "free" family apps run on the same business model: read everything you put in, build a profile on you and your kids, and sell access to your attention. Nuthatch Family can't do that — not because we promise not to, but because the data reaches us already encrypted.

No ad network. No analytics company. No algorithm deciding what your family sees. There's no central pool of readable family data to mine, sell, or lose in a breach.

No profiling — we have nothing to build a profile from.

Offline-first — the real copy of your family's life lives on your own devices.

Strict Content Security Policy — the app runs only its own code, blocking injected trackers and scripts.

Nothing to breach — a server that holds only ciphertext is a poor target.

Read this twice

What Nuthatch Family does not protect you from.

We'd rather be honest than oversell what strong encryption means.

Everyone in your family sees everything

There's one shared key, so every member on every family device can read all of your family's lists, notes, and chats — past and future. There's no "private to me." Only invite people you genuinely trust.

A logged-in device is an open door

Because the key lives on the device, anyone holding an unlocked, logged-in phone can read your family's data. Protect your devices like a key to your house: screen locks, and remove access you no longer control.

Not a tool for hiding crimes

Encryption keeps advertisers and snoops out — it will not hide you from law enforcement. They don't break the math; they seize or unlock a device that already holds the key. A phone can be subpoenaed or searched at a border. If your threat model is a criminal investigation or a nation-state, this is the wrong tool, and we won't pretend otherwise.

Privacy that used to be impossible.

A shared space for your family's daily life that we genuinely cannot read, backed by the same encryption trusted with the world's most sensitive secrets. Guard who you let in and guard your devices — and your family's life stays your family's business.