Two clear privacy modes
Learn how OneLine keeps your words private
Everything you write is encrypted with a unique AES-256 key before storage. Automatic Vault lets your signed-in devices recover that key through OneLine's protected key service. Optional Private Vault replaces automatic recovery with your passphrase and recovery key, making the journal zero-knowledge.
The path of your data
- Unique vault key: OneLine uses a random AES-256 data key for your journal instead of encrypting every entry directly with an account password.
- Encrypted transit & storage: Entries are encrypted with AES-GCM before storage, then synced as ciphertext with an independent IV for every payload.
- Protected key envelope: Automatic Vault protects the data key with an external key service. Private Vault protects the same key with your passphrase and recovery key.
- Backed by Supabase: All encrypted rows live in Supabase’s managed Postgres. You can export or delete them anytime to meet EU data rights.
What servers see
{
"content_cipher": "b64...",
"iv": "b64...",
"created_at": "2024-10-14T21:10:00Z"
}
Journal rows are stored as ciphertext. Automatic Vault and Private Vault differ in who can recover the key that opens them.
Decryption flow
When you return to read
- Restore the key: Automatic Vault opens after authentication. Private Vault asks for your passphrase when this device has not remembered it.
- Decrypt client-side: The app pulls ciphertext from storage and decrypts it in the active client using the restored data key.
- Stay offline-friendly: If the data is cached, you can read locally until you sign out or clear storage.
Your privacy choice
Automatic or exclusively yours
Automatic Vault prioritizes effortless access across signed-in devices and can be recovered by OneLine's controlled backend. Private Vault is zero-knowledge: only your passphrase or recovery key can unwrap the journal key.
Where data lives
Supabase hosting
Encrypted entries, IVs, and metadata are stored in Supabase (managed Postgres) within your configured region. Export and delete tools help you comply with EU and Spanish privacy requirements.
Science-backed storytelling
How your story is generated
Stories and reflections are optional. When you request one, OneLine decrypts only the required context, sends it securely for processing, receives the result, and re-encrypts any journal-backed output before it is saved.
- Decrypt only what is needed: The selected journal context is decrypted for the feature you explicitly request.
- Process with consent: That selected context is sent over TLS to the configured model service to produce the result.
- Receive and re-encrypt: The result is returned to OneLine and encrypted again before saved journal-backed content is synced.
Transparency snapshot
Where plaintext exists
- Only while your vault is open in the active client.
- Temporarily inside Gemini's secure runtime to produce the response.
- Never as the stored journal body—saved journal-backed content is encrypted before database storage.
What about Supabase?
Encrypted vault storage
Supabase stores ciphertext rows plus metadata such as IVs and timestamps. Automatic Vault key envelopes are protected outside Supabase. You can export or delete your account data at any time.
Why this matters
Privacy requires honest trade-offs. Automatic Vault removes setup and recovery friction. Private Vault removes OneLine's ability to recover the key. Both keep journal rows encrypted in storage.
You can begin automatically and move to Private Vault later without re-encrypting every entry. The same data key is simply protected by a different envelope.
Questions? Reach out and we'll explain Automatic Vault, Private Vault, storage, and consent-first AI processing plainly.