Whyolet Text › Privacy Policy

Privacy Policy

Offline Functionality: The Whyolet Text app works offline and does not send your data to the developer or any third parties unless you explicitly choose to do so.
Local Data Storage: Your data is encrypted and stored locally on your device using an encryption key managed by the app.
Optional Sync Feature: If you click "Sync" in the menu, the app creates a file named "whyolet-text.db" on your Google Drive account. This file is always encrypted using a key derived from your passphrase (empty by default) and a unique random salt. While this provides basic protection against most users and malicious apps, advanced users might decrypt it easily. For stronger security, set a passphrase as described below.
Securing Your Data with a Passphrase: By default, the passphrase is empty, offering basic encryption. To enhance security, click "Key" in the menu and set a strong passphrase (e.g., a few words) before using "Sync" or "Backup." If you forget your passphrase, you may lose access to your synced or backed-up data.
Limited Google Drive Access: The app requests the limited permission scope, which restricts it to accessing only the files it creates or that you explicitly open with it. As a result, the app can only access the "whyolet-text.db" file it creates for syncing and has no access to any other files on your Google Drive. This limitation is enforced by Google’s OAuth system, ensuring your other files remain inaccessible to the app.
Third-Party Service: You can optionally sync your encrypted data with Google Drive, a third-party service. Your data is encrypted locally before being uploaded, and your passphrase and encryption key are never shared with Google Drive. A longer passphrase enhances the security of your data, even in the event of a data breach on Google's side. Please review Google Drive’s privacy policy for details on how they handle your data.
Local Backup Feature: If you click "Backup" in the menu, a file named "whyolet-text--YYYY-MM-DD--hh-mm-ssZ.db" (UTC timestamp) is created in your device’s "Download" folder. This file is encrypted in the same way as the sync file. You can upload it anywhere.
Save File Feature: If you click "Save" in the menu, a plain text file named after the current page is saved to your device. Important: This file is not encrypted, allowing you to open it easily with another app. Handle it carefully if it contains sensitive information.
Full User Control: You have full control over your data and can delete it at any time from your device or from your Google Drive.
Technical Details: (click to expand)
Structure of the encrypted file:
- 24 random bytes - PBKDF2 salt.
- 12 random bytes - AES initialization vector (IV).
- Data encrypted with AES-GCM using the IV and a 256-bit key derived from your passphrase (empty by default) and the salt via PBKDF2-HMAC-SHA256 with 1,000,000 iterations:
  - Data compressed with gzip if your browser supports CompressionStream; otherwise, it’s uncompressed:
    - A JSON array of "page" objects, each with:
      
      "tag": string, title of the page, identifies the page.
      
      "text": string, main content of the page.
      
      "edited": string, ISO UTC timestamp of the last update of the "text".
      
      "done": boolean, true if all lines in "text" are marked done (──done line──) or follow an anchor (⚓).
      
      "selStart": number, characters before the selection starts.
      
      "selEnd": number, characters before the selection ends.
      
      "scroll": number, vertical scroll position in pixels from the top.