Scope RPG

End-to-End Encryption

Your personal content - journals, goals, habits, tasks, projects, wishlist items - is encrypted end-to-end. It's encrypted on your device before it's ever sent anywhere, and only devices holding your encryption key can read it. Not our servers, not our engineers, not anyone else.

Encryption

What End-to-End Means

End-to-end encryption (E2EE) is a specific guarantee: the data is encrypted at the source and only decrypted at the destination, with no intermediary - including the service provider - ever able to read the plaintext.

Most cloud apps encrypt data "in transit" and "at rest," but they still hold the encryption key themselves, meaning the provider can read your content. Scope doesn't. Your key never leaves your device in readable form.

When you write a journal entry:

  1. You type the entry on your device.
  2. Your device encrypts it using your key.
  3. The ciphertext is uploaded to Scope's server for sync.
  4. The server stores ciphertext - unreadable gibberish.
  5. When another of your devices pulls the entry, it downloads the ciphertext.
  6. That device decrypts it using your (shared) key.
  7. The plaintext appears on the new device.

At no point does our server have readable access to the entry.

What Gets Encrypted

All of the following is encrypted at rest (stored only as ciphertext on the server):

  • Journal entries - headlines and full bodies.
  • Goals - names, descriptions, motivations, desired outcomes.
  • Tasks - names, descriptions.
  • Habits - names, descriptions, and any notes on completion logs.
  • Projects - names, descriptions.
  • Wishlist items - names, descriptions.

Anything you can consider "personal content" falls under encryption.

What Stays Unencrypted (and Why)

Some data has to be readable for the system to function:

  • Your username, avatar class, level, XP - needed for the leaderboard and arena matchmaking.
  • Your equipment loadout - needed for the arena's battle engine to construct opponents.
  • Game stats (derived combat numbers) - needed for public profiles.
  • Profile picture - visible to other players.
  • Arena fight records - match history.
  • Timestamps, completion flags, counts, foreign keys - structural data that makes the system work.

This data is public (or at least not encrypted from our servers' view). The design trade-off is: features that need comparison across users require unencrypted data for those specific pieces.

Notably, the names of your habits, tasks, goals, etc. are encrypted even though their existence and counts aren't. Another player can see you have 8 habits; they can't see what they're called.

How Encryption Keys Are Stored

Your encryption key is generated on your first device and stored locally on that device. It's:

  • Never sent to the server in readable form. The server genuinely cannot read it.
  • Never visible to you directly in the app - it's a long string of bytes, not something you'd type.
  • Transferable to new devices via recovery codes or QR transfer.
  • Backed up by you, not us. We can't recover it if you lose it.

The last point is the core trade-off of E2EE: real privacy means no backdoor, means if you lose the key and haven't saved a recovery, your data is unreadable. Save your recovery code.

Private in Practice

What this means day to day:

  • Your journal entries are your business. No one at Scope can read what you wrote last Tuesday.
  • Your habits, goals, tasks are private. Other players know you have them; they don't know what they are.
  • Your wishlist is private. Even though it's part of the public-facing shop UI, the content of what you've listed is encrypted.
  • Team operators can't help with a lost key. If you contact support to recover a lost key, we can tell you what to try, but we don't have a way to decrypt for you.

One Exception: AI Stat Analysis

The one time your private content is sent unencrypted is AI analysis on daily journal entries. Every analysis is opt-in per entry - the prompt explicitly asks you to confirm before the entry is decrypted and sent to the AI provider.

You can decline every time. The entry stays fully encrypted if you do.

See AI Stat Analysis for the flow.