Read this page fully before creating an account.
A VPN hides your IP address from the sites you visit, but your browser still has a unique fingerprint - screen size, fonts, timezone, installed plugins - that can identify you across sites without ever needing your IP. Tor Browser is specifically built so that most users look identical to each other, which a VPN alone does not do. If your situation carries real risk, Tor Browser is the stronger choice - download it at torproject.org/download.
Private or incognito mode only avoids saving history on your own device. It does nothing about your IP address or your browser's fingerprint. Don't rely on it as a substitute for a VPN or Tor.
An open Gmail, social media, or other personal account tab in the same browser session is a correlation risk, regardless of whether you're using a VPN or Tor. Use a separate browser, or a clean session with nothing else open, for this work.
Is the device you're using already tied to your identity in other ways - a work laptop, a phone with everything logged in? For higher-stakes situations, a separate or dedicated device is worth considering. A VPN on your home or work network still means that network knows VPN traffic originated from you at a specific time; for higher-risk situations, public wifi plus a VPN or Tor is a stronger combination.
A fuller mobile security guide is planned for later - a few quick notes for now:
For the highest-stakes situations, consider Tails instead of your regular operating system - a free, Linux-based system that boots from a USB stick, forces all internet traffic through Tor, and leaves no trace on the computer it's run from once shut down. It's the option journalist security guides (Freedom of the Press Foundation, EFF, and others) most often point to when the stakes are real, since it solves most of the device-hygiene concerns above at once rather than one at a time.
Do not write your own name, a source's name, contact information, or other identifying details directly into a case in the app. If you need to record something like that, keep it in a local encrypted volume on your own device instead - VeraCrypt is a solid, free, well-regarded option for that.
The app's own design: no email or identity collected at any point, encrypted notebooks the operator cannot read, and source archiving that always routes through the app's own server - never your IP - when saving a page to the Wayback Machine. It cannot protect you from your own device being seized, from being coerced, or from what you choose to type into a note. Those are yours to manage - the guidance above is the best we can offer, not a guarantee.
For what it's worth: this app's server is physically located in Canada, hosted by a UK-based company. Both have real privacy law frameworks (PIPEDA and provincial law in Canada; UK GDPR and the Data Protection Act in the UK). We're not lawyers and won't make specific legal claims about what that means for any particular situation - cross-border legal process is genuinely complicated - but we think it's honest to tell you plainly where the server actually sits rather than leave it unstated.
You shouldn't have to just take our word for any of this. The source code will be made publicly available on GitHub once debug and testing is complete, so the claims above can be verified by anyone - see the Project page for details.
There's no email and no username - your password is your entire login. Choose one at least 16 characters long, or use the built-in generator on the signup form. A memorable original sentence works well and doesn't need to be complicated.
When you create your account, you'll be shown a one-time recovery key. This is your only backup if you ever forget your password - save both your password and this recovery key somewhere safe (a password manager, or a secured physical note) before you need them, not after.
If you do not log in at least once every 45 days, your account and all of your cases are permanently deleted, with no warning beforehand. This is deliberate: if you're ever unable to log in for any reason - including detention - your data does not remain on the server indefinitely waiting to be found. Logging in resets the clock, so periodic use is all it takes to keep a case alive; there's no way to warn you in advance since there's no email to warn you with.