Privacy Policy

Last updated: June 7, 2026 ยท Obscura Security Model v1.0

Obscura is built on a zero-knowledge security architecture. Your password never leaves your device, and your notes are encrypted locally in your browser. Our servers only ever store encrypted ciphertext blobs. We cannot decrypt, view, or share your note data.

1. Information We Collect

Because our goal is to maximize user privacy, we minimize the data we collect to the minimum necessary to provide the service:

  • Account Information: When you register using Google OAuth, we receive your email address, full name, and profile picture. This is used solely to identify your account and associate it with your encrypted database rows.
  • Cryptographic Master Key Salt: To perform local key derivation (PBKDF2), we generate a unique, cryptographically secure random salt for your account and store it in our database. This salt is public knowledge but is crucial for local password processing.
  • Encrypted Content: We store encrypted note payloads (ciphertext), initialization vectors (IVs), and your encrypted master key. None of these elements contain plaintext data.

While note contents remain encrypted, account metadata such as email address, authentication records, and database identifiers may be visible to infrastructure providers and project maintainers as required to operate the service.

2. How Your Data is Secured (The Crypto Layer)

Traditional notes apps decrypt your notes on their servers to display them to you. Obscura does all heavy lifting inside your web browser:

  • Client Side (Browser): Your password derives an encryption key via PBKDF2 (600,000 iterations), which decrypts your master key directly in your browser's memory. Each note is encrypted with a fresh random IV using AES-256-GCM before it leaves your device.
  • Server Side (Database): We authenticate your session using Google OAuth and store only the resulting encrypted ciphertext and key salts. Our servers have no access to the plaintext content of your notes or your master password.

3. Limits of Cryptography & No Guarantees

Although Obscura is designed around modern cryptographic practices, no software system can guarantee absolute security against all threats, vulnerabilities, or future cryptographic advances. Secure local storage of your master passphrase and proper device-level security are essential to protect your note data.

4. Data Hosting & Third Parties

Your data is hosted and managed using the following infrastructure:

  • Supabase: We utilize Supabase as our backend database and authentication provider. Supabase holds the encrypted records, authentication logs, and user profile information. Supabase operates under strict industry compliance and data privacy regulations.
  • Google Identity Services: We use Google OAuth to securely sign you in. We do not receive or store your Google password.

5. Cookies and Session Storage

We use standard session cookies and browser storage (such as LocalStorage and SessionStorage) to keep you logged in and support local cryptographic operations:

  • Auth Cookies: Managed by Supabase to handle user authentication state.
  • Local Cache: Derived keys are intended to remain only in browser memory during active use and are not transmitted to our servers.

6. Auditability and Open Source

We believe that privacy should be verified, not trusted. The complete codebase of Obscura is open-source. Anyone can review the source files to verify that our cryptographic assertions are accurate, that the encryption key never leaves the client boundary, and that we do not deploy trackers or hidden analytics.

You can review the repository at github.com/thepushkaraj/obscura.

7. Your Rights and Data Deletion

You maintain full ownership and control of your notes. You may request account deletion at any time. We will delete active account data associated with your account. Residual copies may remain temporarily in backups or logs until those systems are rotated or expire.

8. Contact Us

If you have any questions or security feedback regarding this Privacy Policy or our encryption practices, please open an issue on our GitHub repository or contact the project maintainers.