Confidential notes
Some notes deserve a second lock even on your own machine. The Confidential group encrypts its notes at rest, unlocks with biometrics or a passphrase, and renders as blanked placeholders while locked. It lives alongside the broader note-lifecycle controls in Settings → Privacy + Lifecycle.
The Confidential group
- Setup is a three-step wizard: choose a passphrase, confirm it, optionally enable biometric unlock.
- Encryption: your passphrase is stretched with Argon2id and the notes are sealed with AES-256-GCM. Without the passphrase, the data on disk is ciphertext.
- Unlock with Touch ID on macOS, Windows Hello on Windows, or the system secret service on Linux — with the passphrase as the universal fallback.
- While locked, confidential notes appear as blank placeholder cards: no titles, no previews, excluded from search, chat retrieval, and previews.
- Forgotten passphrase = unrecoverable notes. There is no reset email and no backdoor, by design. Choose a passphrase you can keep.
Confidential notes sync in encrypted form and remain encrypted inside backups.
Trash — deletion is reversible by default
Deleting a note (Delete) is a soft delete: it moves to Trash and stays restorable until the retention window you choose expires. From Privacy + Lifecycle → Trash you can bulk-restore, delete forever, or empty the whole bin — emptying requires typing the word out, so it can’t happen by accident. (On Windows and Linux, read ⌘ as Ctrl.)
Timed notes
Give any note an expiry: it warns you before the deadline (system notification), then soft-deletes itself into Trash on schedule. Useful for genuinely temporary material — parking spots, one-time codes, drafts that shouldn’t outlive their week.
Audit log
The same settings tab keeps a local audit log of lifecycle events — unlocks, trash purges, timed-note expiries — so you can always reconstruct what happened to a note. Like everything else here, the log never leaves your machine.