Docs · Your data · Confidential notes

Confidential notes

Some notes deserve a second lock even on your own machine. The Confidential group encrypts its notes at rest, unlocks with biometrics or a passphrase, and renders as blanked placeholders while locked. It lives alongside the broader note-lifecycle controls in Settings → Privacy + Lifecycle.

The Confidential group

  • Setup is a three-step wizard: choose a passphrase, confirm it, optionally enable biometric unlock.
  • Encryption: your passphrase is stretched with Argon2id and the notes are sealed with AES-256-GCM. Without the passphrase, the data on disk is ciphertext.
  • Unlock with Touch ID on macOS, Windows Hello on Windows, or the system secret service on Linux — with the passphrase as the universal fallback.
  • While locked, confidential notes appear as blank placeholder cards: no titles, no previews, excluded from search, chat retrieval, and previews.
  • Forgotten passphrase = unrecoverable notes. There is no reset email and no backdoor, by design. Choose a passphrase you can keep.

Confidential notes sync in encrypted form and remain encrypted inside backups.

Trash — deletion is reversible by default

Deleting a note (Delete) is a soft delete: it moves to Trash and stays restorable until the retention window you choose expires. From Privacy + Lifecycle → Trash you can bulk-restore, delete forever, or empty the whole bin — emptying requires typing the word out, so it can’t happen by accident. (On Windows and Linux, read ⌘ as Ctrl.)

Timed notes

Give any note an expiry: it warns you before the deadline (system notification), then soft-deletes itself into Trash on schedule. Useful for genuinely temporary material — parking spots, one-time codes, drafts that shouldn’t outlive their week.

Audit log

The same settings tab keeps a local audit log of lifecycle events — unlocks, trash purges, timed-note expiries — so you can always reconstruct what happened to a note. Like everything else here, the log never leaves your machine.