We cannot read your emails.
Ever.

It’s not a policy promise — it’s a technical guarantee. Senticly is built so that your inbox is encrypted with a key only you hold. Here’s exactly how, in plain terms.

Encrypted with a key only you hold

Senticly encrypts every email and credential with AES-256-GCM, using a key derived exclusively from your password via PBKDF2 (100,000 iterations).

That key is never stored on our servers. It lives only in your session while you’re logged in. Even if our database were compromised, an attacker would find only ciphertext that’s infeasible to reverse without your password.

A Recovery Key is generated at registration and shown once. It lets you regain access if you forget your password — but even with it, we still cannot decrypt your data ourselves.

AES-256-GCM at rest
All credentials and cached emails are AES-256-GCM ciphertext. Without the key, they’re meaningless noise.
PBKDF2 key derivation
Your password is never stored. PBKDF2-SHA256 with 100,000 iterations and a unique per-user salt produces the key.
Session-only key storage
The key exists only in your session while logged in. Never written to disk. Log out and it’s destroyed.
Recovery Key — your safety net
Generated once at registration. Lose your password and it restores access. Lose both — nobody can help. That’s the guarantee.

If you lose both password and Recovery Key: we cannot decrypt your data — not now, not ever. We can only delete your account and encrypted data so you can start fresh. Email software@stagiservizitecnici.com from your registered address to request this.

What happens when you log in

1. Your password is turned into a key — in memory
PBKDF2-SHA256 (100,000 iterations) stretches your password with a unique salt into a 256-bit AES key. The derivation happens server-side, per request, and the key is held only in your session.
2. Your data is decrypted only to answer you
Cached emails and mailbox credentials are decrypted in memory to run your query, then discarded. The plaintext is never persisted.
3. You log out — the key is gone
The session key is destroyed on logout. To read your data again, someone would need your password or Recovery Key. We have neither.
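
The three login steps above as a Node.js sketch (an added example, not Senticly's code): PBKDF2-SHA256 at 100,000 iterations derives the 256-bit key, AES-256-GCM protects a record, and a wrong password or an altered ciphertext fails tag verification instead of yielding plaintext. The salt and IV sizes, record layout, function names and sample strings are assumptions made for the illustration.

```javascript
// Added illustration, not Senticly's code. The 16-byte salt, 12-byte IV,
// record layout and sample strings are assumptions constructed for this example.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 100000; // iteration count stated on the page
const KEY_BYTES = 32; // 256-bit AES key

// Step 1: stretch the password with the per-user salt into the AES key.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_BYTES, "sha256");
}

// What a database row would hold: IV, ciphertext and GCM tag, never the key.
function encryptRecord(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh per record, never reused under one key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Step 2: decrypt in memory; null means the GCM tag failed (wrong key or modified data).
function decryptRecord(key, record) {
  try {
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.iv);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
  } catch (err) {
    return null;
  }
}

// Step 3: on logout, overwrite the key bytes held for the session (best effort in JS).
function destroyKey(key) { key.fill(0); }

function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const stored = { salt, ...encryptRecord(deriveKey("correct horse battery", salt), "Subject: Q3 invoice") };
  const sessionKey = deriveKey("correct horse battery", stored.salt);
  const flipped = Buffer.from(stored.ciphertext);
  flipped[0] ^= 1; // simulate a modified database row
  const result = {
    rightPassword: decryptRecord(sessionKey, stored),
    wrongPassword: decryptRecord(deriveKey("guess123", stored.salt), stored),
    tampered: decryptRecord(sessionKey, { ...stored, ciphertext: flipped }),
  };
  destroyKey(sessionKey);
  result.keyZeroed = sessionKey.every((b) => b === 0);
  return result;
}
console.log(demo());
```
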

Security questions, answered

Can Senticly staff read my emails?
No. Your emails and mailbox credentials are stored only as AES-256-GCM ciphertext. The decryption key is derived from your password (or encryption passphrase) and lives only in your session — it is never written to our database or logs.
What happens if your database is breached?
An attacker would find only ciphertext. Without your password-derived key, the data is mathematically infeasible to decrypt. There is no master key on our side that could unlock it.
How does Google Sign-In keep the same guarantee?
Google verifies your identity but never sees your data. When you sign up with Google you set a separate encryption passphrase that derives your AES key, exactly like a password would. We still never store that key.
What if I forget my password?
Use the Recovery Key shown once at registration to regain access and keep your encrypted data. If you lose both your password and Recovery Key, no one — including us — can decrypt your data; we can only delete the account so you can start fresh.

Private by design

Powerful AI inbox search, without handing your email to a server that can read it.