Privacy Policy

Last updated: May 1, 2026

Relief is a private, end-to-end encrypted app for couples. This policy describes what we collect, what we don't, and why.

Who we are

Relief is operated by the Relief team, who are responsible for the data described in this policy. References to "we," "us," and "our" mean the Relief team. You can reach us through the support form.

The encryption model

Almost everything you and your partner write or upload is encrypted on your device before it leaves it. Notes, photos, intimate content, your display names, and your email address are transformed into ciphertext using AES-GCM with a key derived from your couple code (PBKDF2-SHA256, 200,000 iterations, per-couple salt). The decrypted form exists only on your device. Our server holds the ciphertext and never persistently stores the key, so we cannot read your private content even if compelled to.

A small carve-out: the server briefly derives the encryption key in memory during two specific paths so it can actually deliver email you asked for — sending a verification code to a new email address, and alerting you when an unrecognized device tries to sign in. The key is dropped at the end of each request and never written to disk.

What we collect

Display names — the names you and your partner choose. End-to-end encrypted on your device with the same key that protects your messages.
Optional gender — used only to filter mood emoji. Plaintext.
Optional email address — per partner, used solely for security alerts (new device sign-ins, account-recovery flows). End-to-end encrypted at rest; only readable when one of those alerts is being sent. You can add or remove your email from Settings at any time. We don't market to you, share it with anyone, or use it for anything beyond app-driven alerts.
Couple code hash — a one-way bcrypt hash of your shared code so you can sign in.
Encrypted blobs — note bodies, photos, and similar. Stored as ciphertext; we cannot decrypt these.
Mood and act vocabulary — the labels and emoji you and your partner add to your shared mood and act lists are stored in plaintext. They sit alongside an opaque couple ID with no link back to a real person, and we may aggregate this vocabulary across couples to inform what defaults the app suggests to new users. Specific labels are never associated with names, emails, or any identifying field.
Timestamps and metadata — created-at dates, tap counters, and similar housekeeping data needed to render the app.
Push notification tokens — provided by your device's OS so we can deliver the generic alerts you opt into.
Auth attempt logs — IP address and endpoint, kept for up to 24 hours for rate limiting. Auto-deleted after that window.

What we don't collect

No analytics. No third-party trackers. No ad SDKs.
No location data.
No contact list, calendar, or other device data.
No plaintext copy of your couple code, ever. Only its bcrypt hash.
No marketing or newsletter emails. The email address you add (if any) is used only for security alerts.

Push notifications

When the app surfaces a push notification on your device, the visible text is intentionally generic (e.g. "💕 a moment from your love · Open Relief to see"). Sensitive content lives behind authentication inside the app, never on the lock screen.

Data retention

We hold your data until you delete it. Specific photos, notes, moods, or memories you remove from the app are deleted immediately on our server. If you delete your couple's account from Settings, every couple-scoped record is removed permanently.

Account deletion

Open Settings inside the app and tap "Delete account." You'll be asked to type your couple code to confirm. Both partners' accounts, every photo, message, mood, and memory are removed. This is permanent.

Children

Relief is intended for adult couples. The app is not directed at anyone under 18, and we do not knowingly collect data from them.

Couple code is the key

Your couple code is what derives your encryption key. Anyone you give it to can read your private content. Treat it like a password — share it only with the partner you intend to use the app with, and not by storing it in plaintext anywhere a third party could see (a sticky note, an unlocked notes app, a shared browser tab).

To soften the consequences of a leaked code, the app refuses to activate a new device until either an already-approved device approves it, or 24 hours pass with no rejection. New device sign-ins also trigger a notification to the affected partner's email. If a third party tries to use a leaked code on their device, you'll see and can reject it.

Where data lives

Application data is stored on shared web hosting in the United States. Push tokens are passed through Apple Push Notification service or equivalent OS-level push services for notification delivery only.

Changes

We'll update the date at the top of this page when we change anything material. Substantive changes will be surfaced in-app before they take effect.

Contact

Questions? Reach us through the support form.