Privacy & Data
Scope is built around end-to-end encryption of your private content. Your habits, tasks, goals, projects, and journals are readable only on your devices - not on Scope's servers, not by Scope's engineers, not by anyone else. Public data (your username, avatar class, level, equipment) is unencrypted because features like the leaderboard and arena matchmaking need it.
What Is Private
End-to-end encrypted at rest:
- Journal entries - headlines and full bodies.
- Goals - name, description, motivation, desired outcome.
- Tasks - name and description.
- Habits - name, description, and completion notes.
- Projects - name and description.
- Wishlist items - name and description.
Everything above is encrypted on your device before it's ever sent anywhere. The server stores only the ciphertext - gibberish that can only be decrypted with your key.
What Is Public
Unencrypted, because features need to read it:
- Username, avatar class, level, XP total.
- Profile picture.
- Game stats - attack power, max HP, etc.
- Equipment loadout - equipped items visible on your public profile.
- Arena fight history - opponents, wins/losses, turn counts.
- Leaderboard rank.
These are the pieces the system needs to compare you against other players, match you into the arena, show your profile, and run the leaderboard.
Why This Split Exists
The core principle
Scope's deeply personal content is your habits, journals, goals, and tasks. None of that has any business being readable by anyone but you - not server operators, not engineers, not other players. Encrypting it at the client level means even in the worst case (server breach, rogue employee, government subpoena), your private thoughts stay private. The public data is what the game's competitive features actually need - you can't have a leaderboard without comparing levels, you can't have arena matchmaking without class info. Keeping only those pieces unencrypted is the principled trade-off.
One Exception: AI Stat Analysis
The one time your private content leaves your device unencrypted is AI stat analysis on daily journal entries. You explicitly confirm before each analysis - no auto-analyze setting exists - and only the specific entry being analyzed is sent.
The AI provider sees that entry's text; our servers don't store the plaintext back. You can decline the analysis on any entry and the entry stays fully encrypted.
This is the one feature where the value (turning reflection into real-life stat progress) required leaving the pure-encryption model. The opt-in design makes sure you're always aware when it happens.
Encryption Key Management
Your encryption key lives on your device. It's never sent to our servers in readable form. Sync between your own devices uses a key-transfer mechanism (recovery codes or QR transfer) so both devices share the same key - and each device can decrypt the ciphertext the server holds.
See Recovery Codes for the recovery path.
If You Lose Your Key With No Recovery Code
This is the trade-off of real end-to-end encryption: there's no backdoor. If you lose access to your key on your last device and you haven't saved a recovery code, your encrypted content is permanently unreadable.
We can't help. Even our engineers can't decrypt it. The encryption is strong because no one has a backdoor, and that strength cuts both ways. Save your recovery code.