How Tucked Protects You
A private space for couples, with privacy built into the architecture.
Why Tucked cannot decrypt your content
Photos and videos shared through Tucked are encrypted on your device before they leave it.
Tucked stores encrypted content temporarily for delivery, along with sealed key envelopes needed for future viewing. Those sealed keys are useless to us. Only the intended recipient’s device can unseal the key needed to view that content.
Our servers never have the private keys required to decrypt your photos or videos. That means Tucked can mediate access and enforce revocation, but our servers cannot decrypt your content themselves. This is an architectural limit, not a promise based on policy.
Access and encryption on your device
How access works
Viewing received content requires an internet connection. When someone opens a received photo or video, their device requests the sealed key envelope needed for access. That online step is how Tucked works, and it is also what makes revocation possible.
Tucked stores encrypted photos and videos temporarily so delivery does not depend on both devices being online at the same moment. Delivered ciphertext is removed from our servers. If encrypted content is never delivered, it is automatically cleaned up after 7 days.
We also store limited unencrypted metadata needed to deliver and display content correctly, such as image size and video duration.
What stays encrypted
Photos and videos you create inside Tucked are stored encrypted too.
Encrypted received material is also kept on the device. When received content is viewed, Tucked is designed to decrypt it for viewing rather than write a plaintext copy back to device storage.
Three layers of protection
Tucked is designed to fail closed, not stay permissive by default.
Revoking one item
Every photo or video shared through Tucked has its own future access path.
When you revoke one item, Tucked deletes the sealed key envelope and associated server-side access path for that item. Without that, the encrypted content can no longer be opened through Tucked. We also send a deletion signal so the app can remove received material from the other device.
If usable data was not extracted while the content was being viewed, revocation blocks future access.
Ending sharing
Ending sharing is broader than revoking one item.
When you end sharing, Tucked deletes encrypted content, messages, and future access paths for that pairing from our servers. Tucked then attempts to delete all received photos, videos, and messages on both devices.
The photos and videos each person created for themselves remain in their own library, but they are no longer shared.
Inactivity safeguard
If Tucked stops hearing from the sender for 7 days, access to shared content is paused until they return.
This is a deliberate safeguard. If a device is lost, an account is abandoned, or something changes, Tucked stops granting fresh access rather than assuming continued consent.
Device protections
- Tucked locks when you leave the app and clears sensitive in-memory data after a short time away.
- Access to protected content is gated by biometric authentication or your device passcode.
- Tucked uses general notifications only. Notifications do not include message contents, photo previews, or video previews.
- Tucked also blocks screenshots and screen recording where iOS allows.
Limitations
No app can guarantee perfect protection, and we will never pretend otherwise.
Tucked is built to make unauthorized retention and later access as difficult as possible. We do not write decrypted content to disk, we minimize how long sensitive material exists in memory, and we make revocation central to the system. But no software can eliminate every attack path.
A determined recipient may still try to capture what they see, or attempt to extract usable data while content is being viewed. Tucked is designed to narrow that window as much as possible, not to deny that it exists.
What matters is what happens after that window closes. If usable data has not been extracted by the time access is revoked and in-memory state is gone, the content cannot be recovered afterward. That is the protection Tucked is built around: not a promise of perfect safety in every moment, but strong protection against future access once consent has been withdrawn.
Technical details
Tucked’s current iOS app uses on-device encryption built around ChaChaPoly, Curve25519, and HPKE.
In plain English:
- The content is encrypted on your device
- The key needed to open it is sealed for the intended recipient’s device
- Only that device can unseal it
- The server can mediate future access, but cannot decrypt the content itself
Common questions about Tucked’s security
No. Tucked stores encrypted content and sealed key envelopes, but our servers never have the private keys required to open them. Only the intended recipient's device can unseal the key needed for viewing.
Because the receiving device must request the sealed key envelope needed for access. That online step is part of how Tucked works, and it is what makes revocation possible.
Tucked deletes the future access path for that photo or video and attempts to remove received material from the other device. If usable data was not extracted before revocation, the content can no longer be opened through Tucked.
Tucked deletes encrypted content, messages, and future access paths for that pairing from our servers, and attempts to delete received photos, videos, and messages on both devices. Each person keeps the photos and videos they created for themselves, but they are no longer shared.
After a period of inactivity, access to shared content is paused until the sender returns. This is designed to avoid assuming continued consent when something may be wrong.
No. Tucked uses general notifications only. They do not include message contents, photo previews, or video previews.
Yes. No software can make that impossible. Tucked is designed to reduce risk and protect against future access, not to claim perfect protection in every moment.