Privacy & Security

Patchwork is designed from the ground up to keep your system data private. Here’s exactly what lives where, what the server can and cannot see, and how the encryption works.

Core Principles

Local-first. Your system data — members, categories, fronting history — lives only on your device. The server is never given your member list, pronouns, or history. There is nothing on the server to leak, subpoena, or breach.

Dumb postbox model. The server’s only job is to hold and route sealed, encrypted messages between users. It cannot read any message content. If the server were compromised, an attacker would obtain only ciphertext addressed to specific users — unreadable without the recipient’s private key, which never leaves their device.

No telemetry. Patchwork does not collect analytics, crash reports, or usage statistics. The only network traffic the app generates is authentication (sign-in) and friend messaging (if you use the friend system).

Where Your Data Lives

| Data | Location | Notes |
|---|---|---|
| Member profiles | Your device | Stored in .patchwork/pw_*.json in the app directory. |
| Fronting history | Your device | Stored in system.db (SQLite). Never synced or uploaded. |
| Category structure | Your device | Stored in the same JSON as member profiles. |
| Your RSA private key | Your device | Generated locally on first sign-in. Never leaves your device. |
| Your RSA public key | Server (public) | Shared with friends so they can encrypt messages to you. This is intentionally public. |
| Friend list | Server | The server knows which user IDs are friends with which, in order to route messages. |
| Fronting notifications | Server (encrypted) | Stored temporarily as ciphertext until the recipient fetches them. Server cannot read content. |
| Auth token | Your device | OAuth token from Logto/Discord. Used only to prove identity to the Patchwork server. |

End-to-End Encryption

All content shared between users (fronting notifications) is encrypted end-to-end using a hybrid scheme:

🔑 Key generation (one time)

On first sign-in, your device generates an RSA-2048 key pair. The private key is stored locally and never shared. The public key is uploaded to the server so friends can encrypt messages to you.

📦 Encrypting a notification

When you switch fronters, Patchwork generates a fresh random AES-256-GCM key. Your fronting data is encrypted with this key. The AES key is then encrypted with each recipient’s RSA public key separately.

📮 Server routing

The server receives a collection of sealed envelopes — one per friend. It stores them and delivers them when each recipient next fetches their messages. The server cannot open any envelope.

🔓 Decryption by recipient

The recipient fetches their envelope. Their device uses their local RSA private key to unwrap the AES key, then decrypts the payload. Decryption happens entirely on-device.

In summary: RSA-2048 key encapsulation · AES-256-GCM payload encryption · per-recipient sealed envelopes · private keys never leave the device.

Discord Sign-In

Patchwork uses Discord as an identity provider via Logto OIDC. Here’s exactly what happens and what each party learns:

💬 What Discord knows

That you authorised a third-party app called “Patchwork” to read your basic profile (username and avatar). Discord does not learn anything about your system data.

🔐 What Logto knows

Your Discord user ID and the fact that you signed in. Logto issues a JWT token that Patchwork uses to prove your identity to the Patchwork server. Logto does not receive or store your system data.

🖥️ What the Patchwork server knows

Your user ID (derived from your Discord identity) and your public key. It knows who your friends are (routing metadata). It does not receive your member list, pronouns, history, or any decryptable content.

💻 What stays on your device

Everything else. Members, history, categories, your private key, your system JSON files. None of this is ever sent to any server.

OAuth callback: During sign-in, Patchwork briefly starts a local HTTP server on a random port to receive the OAuth redirect. This server is closed immediately after the token is received. Nothing is stored in your browser.

Your Data, Your Control

Because all system data lives locally, you are always in control:

Deleting your account: To remove your presence from the Patchwork server entirely, use Settings → Delete Account. This removes your public key, friend associations, and any pending encrypted messages from the server.