Encryption Architecture
PinkyBond vs Signal vs WhatsApp: How We Protect Your Most Intimate Data
Signal protects your messages from governments. PinkyBond protects her most intimate health data from everyone — including us. Same cryptographic standard. Different threat model.
Built on Apple CryptoKit
We didn't write our own crypto. We use Apple's CryptoKit — the same framework that secures iMessage, FaceTime, and Apple Pay. Curve25519, AES-256-GCM, HKDF-SHA256 — all battle-tested by Apple.
Key Exchange: Curve25519 ECDH
Encryption: AES-256-GCM
Key Derivation: HKDF-SHA256
Side-by-side comparison
| Dimension | Signal | WhatsApp | PinkyBond |
|---|---|---|---|
| Encryption algorithm | AES-256 | AES-256 | AES-256-GCM |
| Key exchange | X3DH / PQXDH | X3DH (Signal Protocol) | Curve25519 ECDH via in-person QR |
| Forward secrecy | Yes (Double Ratchet) | Yes | Planned for v2 |
| Key storage | On device | On device | iOS Keychain (Secure Enclave) |
| Server access to plaintext | No | No* | No |
| Metadata collection | Minimal | Extensive (Meta) | Minimal (pairing ID + timestamp) |
| Account required | Phone number | Phone number | None |
| Pairing method | Phone number exchange | Phone number | In-person QR code |
| Open source | Yes | No | Apple CryptoKit (open framework) |
| Safety Mode | No | No | Yes — sends synthetic data |
| Owned by | Signal Foundation (non-profit) | Meta (Facebook) | Independent |
| Data purge policy | Minimal storage | Cloud backups | Encrypted blobs purged after 30 days |
*WhatsApp uses Signal Protocol for message encryption but is owned by Meta, which collects extensive metadata (who you message, when, how often, device info, IP address, location data).
How QR Code Pairing Works
No servers. No phone numbers. No accounts. Just two phones, face to face. Compare: Signal requires a phone number. WhatsApp requires a phone number + Meta account. PinkyBond requires nothing but physical proximity.
1. She taps “Pair with Partner” in PinkyBloom
2. PinkyBloom generates a Curve25519 key pair (Apple CryptoKit)
3. QR code displayed with her public key + device fingerprint
4. You scan her QR code with PinkyBond
5. PinkyBond generates its own key pair
6. PinkyBond displays QR code with your public key
7. She scans your QR code
8. Both devices perform ECDH to derive shared secret
9. Shared secret stored in iOS Keychain
10. Matching fingerprints confirmed visually
The Blind Relay
Our server is a mailbox. It passes sealed envelopes it cannot open.
PinkyBloom (encrypts locally) → Blind Relay (Convex): stores encrypted blobs, cannot decrypt → PinkyBond (decrypts locally)
pairingId: SHA256 hash of sorted public keys
ciphertext: Base64-encoded AES-256-GCM blob
messageType: "chat" or "snapshot"
What happens if we're subpoenaed
We hand over encrypted data we cannot decrypt. We don't have your partner's health data. We never did.
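The pairing and relay flow described above, sketched with CryptoKit as an added example (not PinkyBond's own code). The byte-wise sort, hex encoding, HKDF salt and info label, and the use of pairingId and messageType as authenticated data are assumptions; the page names only the primitives and the three relay fields.

```swift
import CryptoKit
import Foundation

// Each phone generates its own Curve25519 key pair; only the public halves go into the QR codes.
let herKey = Curve25519.KeyAgreement.PrivateKey()
let hisKey = Curve25519.KeyAgreement.PrivateKey()
let herPub = herKey.publicKey.rawRepresentation   // 32 bytes, carried in her QR code
let hisPub = hisKey.publicKey.rawRepresentation   // 32 bytes, carried in his QR code

// pairingId: SHA256 over both public keys in sorted order, so each side computes the same value.
// Assumption: byte-wise lexicographic sort, plain concatenation, hex output.
func pairingId(_ a: Data, _ b: Data) -> String {
    let ordered = [a, b].sorted { $0.lexicographicallyPrecedes($1) }
    return SHA256.hash(data: ordered[0] + ordered[1]).map { String(format: "%02x", $0) }.joined()
}

// ECDH, then HKDF-SHA256 to turn the raw shared secret into a 256-bit AES key.
// Assumption: the salt and the info label are illustrative, not the app's values.
func sessionKey(mine: Curve25519.KeyAgreement.PrivateKey,
                theirPub: Data, pairing: String) throws -> SymmetricKey {
    let peer = try Curve25519.KeyAgreement.PublicKey(rawRepresentation: theirPub)
    let secret = try mine.sharedSecretFromKeyAgreement(with: peer)
    return secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(pairing.utf8),
                                          sharedInfo: Data("example-relay-v1".utf8), outputByteCount: 32)
}

let id = pairingId(herPub, hisPub)
let herAES = try sessionKey(mine: herKey, theirPub: hisPub, pairing: id)
let hisAES = try sessionKey(mine: hisKey, theirPub: herPub, pairing: id)

// Sender: seal locally. seal() draws a fresh random 96-bit nonce per call, which matters
// because the v1 design reuses one static key for every message.
let snapshot = Data(#"{"phase":"Follicular","mood":"Good","energy":3}"#.utf8)  // constructed sample
let sealed = try AES.GCM.seal(snapshot, using: herAES, authenticating: Data("\(id)|snapshot".utf8))
let record = ["pairingId": id, "messageType": "snapshot",
              "ciphertext": sealed.combined!.base64EncodedString()]  // nonce || ciphertext || tag

// Receiver: rebuild the authenticated data from the relay fields, then verify and decrypt.
// If the relay altered the blob, pairingId or messageType, open() throws instead of returning.
let blob = Data(base64Encoded: record["ciphertext"]!)!
let aad = Data("\(record["pairingId"]!)|\(record["messageType"]!)".utf8)
let plain = try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: hisAES, authenticating: aad)
print(String(decoding: plain, as: UTF8.self))
```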
Safety Mode: Something Signal Doesn't Need
Signal protects against external threats. PinkyBond also protects against intimate partner threats. Safety Mode sends fake, neutral data. No notification. No trace. The partner sees normal-looking updates with no indication Safety Mode is active.
When Safety Mode is active, the partner sees:
Phase: “Follicular”
Mood: “Good”
Energy: 3 (Moderate)
Synthetic data is encrypted and sent via the normal relay — indistinguishable from real data.
Forward Secrecy Roadmap
Transparency builds trust. Here's where we are and where we're going.
v1 (Current)
Static shared secret derived from Curve25519 ECDH. All messages encrypted with AES-256-GCM using this shared key. Keys stored in iOS Keychain.
v2 (Planned)
Double Ratchet protocol (like Signal). Each message gets a unique key. Compromise of one key doesn't compromise past or future messages.
Her most intimate data deserves Signal-level protection.
PinkyBond delivers it. Same cryptographic standard. Zero-knowledge architecture. Built on Apple CryptoKit.
Coming Soon to the App Store