YOUR DATA
IS NOT THEIR
ARCHIVE.
Private Archive is encrypted offsite backup built on the principle of data minimisation. Your files are encrypted on your device before they leave it. We hold ciphertext, nothing else. We do not collect what we do not need — and what isn’t collected cannot be lost, leaked, or sold.
- RESTIC ENCRYPTION ON-DEVICE
- ROUTED OVER TOR
- PAID IN MONERO
- mTLS — NO PASSWORDS
- OPEN SOURCE · REPRODUCIBLE BUILDS
WHAT WE DO NOT COLLECT.
The omissions are the product. Each item we do not collect is one less thing to lose in a breach, one less detail to be sold to a broker, one less piece of you that exists outside your own machine.
-
Your name.
We never ask. There is no field for it. There is no place to put it.
-
Your email.
No address on file. No newsletter. No password reset. No way back in if you lose your key — this is the trade.
-
Your IP.
You arrive over Tor. We see an exit relay, not a person, not a city, not a habit.
-
Your card.
Payment in Monero. No card vault for an attacker to drain, no merchant ledger for anyone to inherit.
-
Your files.
Restic encrypts before the bytes leave your machine. We hold ciphertext. We cannot decrypt it — not for ourselves, not for any successor company, not for anyone with access to the storage.
-
Your behaviour.
No analytics on this page. No telemetry in the client. No experiments running on what you click.
A SHORT MANIFESTO.
Backup, like every other utility on the network, has been quietly conscripted into the surveillance economy. The default arrangement is dragnet: collect everything, retain by default, and reason about the harms later. We do not accept this as the price of keeping a copy of your photographs.
So we built the inverse. The client encrypts on the machine you trust, with a key we will never see. The transport hides the route. The payment hides the wallet. The credential is a certificate, not a name. Sovereignty over your own data is not a setting we offer; it is the only mode we ship.
This is not a product feature. It is a posture. A backup service that does not collect customer identities cannot leak them in a breach, cannot sell them to a broker, cannot pass them to whichever company buys this one in ten years. A service that stores ciphertext cannot be the source of plaintext. A service that keeps no logs has nothing to leak.
We are aware that absolute security is a fiction. What we offer is principled design and the discipline to keep saying no — to features that would weaken it, to data we do not need, to convenience purchased with your dignity.
— The Private Archive project
HOW IT WORKS.
-
1
ENCRYPT ON YOUR MACHINE.
The Private Archive client wraps Restic. Files are deduplicated, compressed, and encrypted on-device with a key only you possess. We never receive the key. We never receive plaintext.
-
2
SEND THROUGH TOR.
The encrypted blocks travel over Tor to a server you have authenticated to with an X.509 client certificate. mTLS handshake; no password, no recovery question, no second factor. The certificate is the account.
-
3
WE HOLD CIPHERTEXT.
We encrypt before your data leaves your machine. We hold ciphertext. Where we put it is not part of this conversation, because no one who has it can read it. That is the only fact about our storage that should ever matter to you.
YOU PAY. WE FORGET.
Pay in Monero. Balance burns down by the second. Top up when you choose. No subscription, no card.
No tiers. No enterprise upsell. No discount in exchange for your data.
DOWNLOAD THE CLIENT.
Verify the archive against SHA256SUMS. Build it yourself if you prefer — the source is public and the builds are reproducible.