We built Preserve U on a single principle: we should never be able to read your capsules. Here is exactly how we make that guarantee.
We cannot read your capsule content under any circumstances
We cannot decrypt your media files — encrypted before upload
We cannot recover lost capsule passwords — designed to be irrecoverable
We do not sell or share your personal information with third parties
We do not use your content for AI training, marketing, or profiling
Your capsule metadata is never publicly accessible
Each layer independently protects your data. Together they form a defence-in-depth architecture.
Layer 1 — AES-256-GCM Encryption
All text capsule content is encrypted in your browser using AES-256-GCM — the same encryption standard used by governments, banks, and militaries worldwide. The raw message never touches our servers in readable form. Only the ciphertext is transmitted and stored.
Layer 2 — PBKDF2 Key Derivation
When you set a capsule password, we use PBKDF2 (Password-Based Key Derivation Function 2) with SHA-256 and 100,000 iterations to derive an encryption key locally. We store only the salt and IV, never the password itself. Even with a copy of our database, an attacker learns nothing usable without running an exhaustive password search separately against each salt.
Layer 3 — Zero-Knowledge Architecture
We have architected Preserve U so that it is technically impossible for our team to read the content of any text or media capsule. We store only encrypted ciphertext. If you lose your password, the content is permanently unrecoverable — even by us.
Layer 4 — Encrypted Media Storage
Media capsules (images, videos, audio recordings, documents) are encrypted client-side using AES-256-GCM before they are uploaded. We store only the encrypted binary blob. Our infrastructure team cannot inspect or reconstruct the original file.
Layer 5 — bcrypt Password Hashing
Your Preserve U account password is hashed using bcrypt with a cost factor of 12 before storage. bcrypt is designed to be computationally expensive, making brute-force attacks impractical even if our database were ever compromised. We never store plaintext passwords.
Layer 6 — TLS / HTTPS in Transit
All communication between your browser and our servers uses TLS 1.3 — the latest version of Transport Layer Security. Our domain enforces HTTPS with HSTS (HTTP Strict Transport Security), preventing downgrade attacks and ensuring every byte is encrypted in transit.
Layer 7 — Automatic Key Rotation
Every capsule has its own independently generated salt and Initialisation Vector (IV). This means a compromised key for one capsule has zero bearing on the security of any other capsule — even from the same user.
Step-by-step walkthrough of what happens when you create a text capsule.
You enter your message and set a password
This all happens locally in your browser — nothing is sent to our servers yet.
We generate a unique cryptographic salt and IV
A random 128-bit salt and a 96-bit Initialisation Vector (IV) are generated client-side using the browser's Crypto API.
PBKDF2 derives an encryption key from your password
Your password + salt → PBKDF2 (100,000 iterations, SHA-256) → a 256-bit AES key. The key exists only in browser memory.
AES-256-GCM encrypts your message
The AES key encrypts your plaintext message. GCM mode also produces an authentication tag, ensuring tamper-detection.
Only the ciphertext, salt, and IV are sent to our server
Your password and the AES key are never transmitted. We receive only the encrypted payload.
At delivery time, your recipient decrypts with the password
The recipient enters the password. Their browser runs the same PBKDF2 + AES-256-GCM process locally to decrypt the message. Our servers never see the plaintext.
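The walkthrough above, sketched with the browser's Web Crypto API as an added example (it is not Preserve U's own code). The parameters are the ones the steps state; the function names and the capsule object layout are assumptions made for illustration.

```javascript
// Added example. Parameters (128-bit salt, 96-bit IV, PBKDF2-SHA-256 with
// 100,000 iterations, AES-256-GCM) come from the walkthrough; names are assumed.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node
const { subtle } = webcrypto;
const enc = new TextEncoder();

async function deriveKey(password, salt) {
  // The password is imported as PBKDF2 key material and never leaves this scope.
  const material = await subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: 100000 },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function sealCapsule(message, password) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // 128-bit salt
  const iv = webcrypto.getRandomValues(new Uint8Array(12));   // 96-bit IV
  const key = await deriveKey(password, salt);
  // Web Crypto appends the 128-bit GCM authentication tag to the ciphertext.
  const ciphertext = new Uint8Array(
    await subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(message)));
  return { salt, iv, ciphertext }; // the only fields that would be uploaded
}

async function openCapsule(capsule, password) {
  const key = await deriveKey(password, capsule.salt);
  try {
    const plain = await subtle.decrypt(
      { name: "AES-GCM", iv: capsule.iv }, key, capsule.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null; // wrong password or altered ciphertext: the tag check failed
  }
}

async function demo() {
  // Constructed sample message and password.
  const capsule = await sealCapsule("Open in 2040", "constructed-sample-password");
  const ok = await openCapsule(capsule, "constructed-sample-password");
  const wrong = await openCapsule(capsule, "not-the-password");
  const tampered = { ...capsule, ciphertext: capsule.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1; // flip one stored bit
  const forged = await openCapsule(tampered, "constructed-sample-password");
  return { ok, wrong, forged, size: capsule.ciphertext.length };
}
```

Because the salt and IV are stored beside the ciphertext, resistance to offline guessing rests on the password's entropy and the PBKDF2 work factor.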
If you discover a security vulnerability in Preserve U, we ask that you disclose it responsibly. Please email us at security@preserveu.com with details of the vulnerability. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it.
We take all security reports seriously and will acknowledge your report within 48 hours.
Even in the worst-case scenario where our database is fully compromised, attackers would obtain only encrypted ciphertext. Without your capsule password, the data is computationally unrecoverable. Text content is encrypted with AES-256-GCM — a cipher with no known practical weaknesses.
No. Our engineering team has no capability to read capsule content. The decryption key is derived from your password, which we never see or store. The architecture is zero-knowledge by design, not just by policy.
The content is unrecoverable — this is a feature, not a bug. If we could recover your content without your password, an attacker could too. The irrecoverability is the security guarantee.
Yes. All media capsules are encrypted client-side using AES-256-GCM before upload. We store only the encrypted binary — the original file is never on our servers in readable form.
Account passwords (used to log in) are hashed with bcrypt at cost factor 12 before storage. They are never stored in plaintext or recoverable form. If you forget your account password, a reset email is required.
We comply with valid legal orders in the jurisdictions we operate in. However, even if compelled to produce data, we can only provide encrypted ciphertext — we have no ability to deliver decrypted capsule content, because we do not possess the decryption keys.
Start creating encrypted time capsules — your first capsule is completely free.