End-to-End Encrypted

How Snugg Keeps Your Conversations Private

We designed Snugg so that we literally cannot read your posts, messages, or photos—even if we wanted to. Here's how it works.

The Short Version

When you post something on Snugg, it gets scrambled into unreadable code before it ever leaves your device. Only people in your group have the key to unscramble it. We don't have that key. We can't have that key.

This is called end-to-end encryption, and it's the same technology used by Signal and WhatsApp—except we've built our entire platform around it, not bolted it on as an afterthought.

Why We Chose This Approach

Most social platforms store your posts, photos, and messages in plain text on their servers. They could read everything if they wanted to. They promise not to, but promises can be broken—by hackers, by employees, by governments, by new management, by changing business models.

We didn't want to make promises. We wanted to make it impossible.

When we designed Snugg, we asked ourselves: "What if we couldn't spy on our users even if we tried?" That constraint shaped everything.

How It Actually Works

1. When you join Snugg

Your device creates a pair of cryptographic keys—think of them as a lock and key that only work together. The "lock" (public key) gets shared with our servers. The "key" (private key) never leaves your device.

2. When you join a group

You receive the group's shared secret—encrypted so only your private key can unlock it. Now you can read everything in that group, and post to it.

3. When you post

Your message is encrypted with the group's shared secret before it leaves your phone. What arrives at our servers is indecipherable. We store it, we deliver it to your group members, but we cannot read it.

4. When your group opens Snugg

Their devices use their private keys to unlock the group secret, then use that to decrypt your post. The readable version only ever exists on devices—never on our servers.

The Tradeoffs We Made (And Why)

End-to-end encryption isn't free. It comes with real tradeoffs, and we want to be honest about them.

We can't recover your account for you

If you lose your device and haven't set up a recovery method, your encrypted data is gone. We can't reset your password and give you access, because we don't have access to give.

This is a feature, not a bug. It's the same reason we can't hand your data to hackers, rogue employees, or anyone else. The lock that keeps others out also means we can't let you back in. That's why we encourage you to set up a recovery password.

We can't search your posts for you (yet)

Because we can't read your content, we can't build a search index of it. Search has to happen on your device, which is slower and only works with content you've already downloaded. We're working on privacy-preserving search techniques.

We can't moderate content automatically

We can't scan for policy violations because we can't see the content. We rely on user reports. For private groups of friends and family, this is rarely an issue.

What Happens When You Leave

When you delete your account:

  1. We delete your public key from our servers
  2. We delete all your encrypted posts and media
  3. We delete your encrypted key bundles
  4. Your private key (which was only ever on your device) is deleted locally

Even if old backups of our database exist somewhere, the encrypted content is useless without keys. This is true deletion—not because we promise to delete things, but because the cryptography makes the data unrecoverable.

Why Not Just Trust Your Password?

Some apps say they're "encrypted" but what they mean is: your password protects your account, and they encrypt data "at rest" on their servers. This is better than nothing, but the provider still holds the keys, which means:

The problems with password-only protection:

  • They can read your data whenever they want
  • A database breach exposes everything
  • They can be compelled to hand over readable data
  • A rogue employee could access your content

Our approach is different. Your password gets you into the app. But the encryption keys are separate, generated on your device, never shared with us. Password authentication and content encryption are independent layers.

Verifying Our Claims

We're open source. Our encryption code is public, auditable, and built on well-established libraries that have been reviewed by cryptographers. We also commission regular third-party security audits and publish the results, including any issues found and how we fixed them.

Don't trust us—verify.

Questions?

If something here doesn't make sense, or you want to understand more, we'd rather over-explain than leave you wondering.

security@snugg.social

This page was last updated January 2025. We'll update it if our approach changes.