Niklas Ekman

I built a note-taking app where I literally can't access your data

Hey everyone! I wanted to share a side project I've been working on called Mindpad.

The backstory

I've been trying to move away from free note-taking apps because, let's be honest, if it's free you're probably the product. Your notes getting sold to advertisers or used to train AI models doesn't sit right with me. I wanted something I could actually trust with my private thoughts.

What it is

A simple note-taking app with actual end-to-end encryption using OpenPGP.js (battle-tested, open source, used by major privacy-focused companies). Your notes never leave your device unencrypted. Ever. Not "encrypted at rest" or "encrypted in transit" (well, that too), but rather your device encrypts them before they even sync.

The privacy setup

I've made a conscious effort to use only European companies throughout the stack (EU has some of the world's strongest privacy laws). Managed to pull it off for everything except one service, but even then, all data stays hosted on EU servers.

The catch

If you lose your encryption key, you lose your notes. No exceptions. No password reset. No "contact support to recover." This is the trade-off for real privacy — I can't help you because I literally can't access your data.

The results

Currently, it works and I use it daily. The landing page and some UX bits need polish, but it's functional enough that I wanted to see if anyone else cares about this kind of thing. I built it for me, but figured I'd share it.

Would love to hear your thoughts, especially on the UX/privacy trade-offs.

https://www.mindpad.eu?utm_source=dev.to&utm_campaign=initial-commit

Top comments (4)

MaxxMini

The "lose your key, lose your notes" trade-off is the honest version of privacy that most apps won't admit to.

I went even more extreme with a browser-only finance tool — no server at all, everything in IndexedDB. Zero sync, zero encryption needed because the data literally never leaves the device. The upside is there's nothing to breach. The downside is no cross-device access whatsoever (export/import JSON is the "sync").

Curious about your key derivation flow — are you doing OpenPGP.js key generation directly from the user's passphrase, or is there a separate master key with PBKDF2/Argon2id stretching before it hits OpenPGP? The passphrase strength becomes the entire security boundary when there's no server-side rate limiting on decryption attempts (someone who grabs the encrypted blob from the EU server can brute-force offline).

Also, how are you handling the "new device" flow? If the encryption key lives only in the browser, does adding a second device require manually transferring the private key (QR code? file download?), or is there a key-wrapping scheme where the server holds an encrypted copy of the private key that only the passphrase can unwrap?

The EU-only infrastructure choice is underrated — GDPR gives actual teeth to privacy promises that are just pinky-swears in other jurisdictions.
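
The key-wrapping scheme MaxxMini asks about, as an added example that is not Mindpad's code and not part of the post or the comment: the private key is encrypted on the device under a PBKDF2-stretched passphrase, so a server can store the blob without being able to read it. It uses Node's built-in crypto module; the blob field names, the 600,000-iteration count and the function names are assumptions made for illustration.

```javascript
// Added example (not Mindpad's code): passphrase-wrapped private key.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 600000; // assumption: work factor picked for this example
const KDF = "pbkdf2-sha256";

// Stretch the passphrase into a 256-bit key-encryption key (KEK).
function deriveKek(passphrase, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(passphrase.normalize("NFKC"), salt, iterations, 32, "sha256");
}

// Bind the KDF parameters to the ciphertext so they cannot be swapped silently.
function header(iterations) {
  return Buffer.from(`v1|${KDF}|${iterations}`);
}

// Device A: encrypt the private key locally; only this blob is uploaded.
function wrapKey(privateKeyBytes, passphrase, iterations = ITERATIONS) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKek(passphrase, salt, iterations), iv);
  cipher.setAAD(header(iterations));
  const ct = Buffer.concat([cipher.update(privateKeyBytes), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { kdf: KDF, iterations, salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Device B: download the blob and unwrap locally. Returns null when the
// passphrase is wrong or the blob was modified (GCM tag check fails).
function unwrapKey(blob, passphrase) {
  // Refuse parameters weaker than this client would ever have written.
  if (blob.kdf !== KDF || !Number.isInteger(blob.iterations) || blob.iterations < ITERATIONS) return null;
  const raw = (s) => Buffer.from(s, "base64");
  const kek = deriveKek(passphrase, raw(blob.salt), blob.iterations);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", kek, raw(blob.iv));
  decipher.setAAD(header(blob.iterations));
  decipher.setAuthTag(raw(blob.tag));
  try {
    return Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
  } catch {
    return null;
  }
}
```

The blob contains everything needed to test passphrase guesses offline, so the iteration count and the passphrase's strength together set the cost of each guess.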
