Safety · privacy by default
Safety is a default — not a setting buried four screens deep.
Block, report, and audience scope are at the point of action. Presence is opt-in. Photos are audience-scoped. Device storage is encrypted at rest. Age verification gates adult content.
At the point of action
Block · report
Long-press anywhere a person appears.
The same QuickActions sheet — on mobile a long-press, on desktop a right-click — exposes Block, Report, Hide from this person, and Add to a list. No menu archaeology.
Audience
Every post chooses who can see it.
The five-kind audience picker — global, community, list, chat, actor set — appears anywhere you can share. The default is the smaller audience, not the larger one.
Presence
Online dots are opt-in, per device.
You can browse without lighting up a green dot for everyone else. The system favors "active in last 24h" over a "online now" race.
Storage + transport
At rest
AES-256 device storage, hardware-backed key.
On iOS the key is held in the Secure Enclave, on Android in the Keystore. Signing out regenerates the key so any residual cache tail on disk is unreadable.
In transit
TLS, modern ciphers, no fallback.
Every API call is TLS. Auth tokens are short-lived and refreshed on connect; on web they are never persisted to disk.
Telemetry
PII never reaches the logs.
A deny-list at the foundation strips emails, phone numbers, coordinates, display names, and photo URLs from every telemetry event before it leaves the device.
Adult content
Adult-content variants are explicit: full, blurred, blocked pending age verify, blocked by the user, blocked by region, owner-private. The viewer always knows why a tile is blurred — never just an unexplained gray box.