Your week, yours alone: what zero-knowledge actually means

When weekkii says we can't read your tasks, we mean it literally. Here's the architecture, and what it costs us.

Most planner apps say they're "private" or "secure." That almost always means your data is encrypted in transit (HTTPS) and at rest on a server disk. Both are good. Neither prevents the company from reading your tasks whenever they want: to power AI features, to fine-tune ranking, to investigate abuse, to comply with subpoenas. The encryption is between the company and the rest of the internet, not between the company and you.

weekkii is different in one specific way: your task title, your notes, your tags, and your recurrence rules are encrypted on your device with a key derived from a passphrase we never see. The server stores ciphertext. We could not read your tasks if we wanted to.

Concretely: when you sign up you set a passphrase. Your browser runs Argon2id (m=19 MiB, t=2, p=1) over that passphrase and a random salt to derive a 32-byte symmetric key. We use that key with NaCl's secretbox (XSalsa20-Poly1305 AEAD) to encrypt every task you write. The ciphertext, a fresh 24-byte nonce, and a few plaintext fields needed for sorting (the date, a LexoRank position string, the completion timestamp) get pushed to Postgres via Supabase. Pull works the same way in reverse: ciphertext lands in your client, the in-memory key decrypts it, you see plaintext.

What's the cost? Three things.

First, we cannot offer a password reset. If you lose your passphrase, your data is gone. No recovery code, no key escrow, no backdoor. We warn you twice during onboarding, but at the end of the day, the trade is: you get real privacy, you get real responsibility. We chose to make this an explicit contract instead of a vague "don't worry, we got you."

Second, we cannot ship server-side AI. No "summarize my week," no "suggest tasks based on history," no LLM features that read your data. Anything AI-shaped will run on your device, with on-device models. We're okay with that. It's also why we don't ship any AI today.

Third, integrations get harder. Two-way Google Calendar sync, for instance, would require us to read event titles and re-write them as tasks. We don't do it. v2 ships an outbound iCal feed (your week shows up in your calendar app, no inbound reads) and an encrypted shareable read-only week link, where the decryption key lives in the URL fragment and never hits our server.

We think these trade-offs are worth it. If you don't, that's fine. There are great task apps that take a different deal. weekkii is for the people who want their planner to mean what it says.