[mzajc]

Personally, I feel like the bold statements about encryption should be removed until this is implemented to avoid misleading users.

Out of curiosity, is the data encrypted with a client-provided secret (eg. a password hash, or something that would otherwise be impossible to extract from the server), or is the secret stored on the server?

[owenfar]

I'm not sure I agree about it being a bold statement. Our description is very clear, and our approach is still much safer.

I see hundreds of products slapping "Encryption at rest" to make people believe their data is safe :) Yet, it's accessible by anyone that controls the server...

We also go further into details in the privacy page too.

The data cannot be decrypted without a client-provided secret. We'll make sure to be more transparent regarding all this.

[botanical76]

In my opinion it is misleading. Your "privacy by default" section has three headings which claim encryption, and while none of them are false, you can still just log everything your server receives. This is less private than What's App, and it's marketed as an Operating System -- for everything that you do. I think it's worth considering moving the encryption to be done client-side as long as there are no performance concerns.