No technical background needed. We'll walk you through every protection we use — with plain, everyday language — so you know exactly what's keeping your data safe.
Here's what actually happens behind the scenes — explained like you're talking to a friend, not a textbook.
One password to protect everything. We store only a scrambled fingerprint of it — like a photo of a cake, not the recipe. We can check "is this right?" but can never work backwards to find your password.
Your phone or computer uses your master password to build a unique secret key — entirely on your device. This key never travels to our servers. Not once. It exists only in your device's memory while the app is open.
When you add a Gmail or Outlook account, its password gets locked with your secret key before it's sent anywhere. We receive a scrambled blob that's completely unreadable without your key — which we don't have.
Here's why a new device can unlock your accounts without us ever sending your key over the internet.
On your new device, you enter your master password. That's it. No special code, no recovery key.
The same password, run through the same process, always produces the same key — on any device. Your new phone rebuilds it locally, without any help from our servers.
Your new device downloads the locked blobs from our server, unlocks them with the key it just rebuilt, and every email account is there, ready to go.
We use the same encryption that governments and banks use worldwide. Here's what those terms actually mean.
AES-256-GCM — This is the lock. "256-bit" means there are more possible combinations than atoms in the observable universe. Your email passwords are locked with this before leaving your device.
Argon2 / PBKDF2 — This is how your secret key is built from your master password. It's intentionally slow and heavy — making it practically impossible for someone to guess millions of passwords quickly.
bcrypt — This is how we store a fingerprint of your master password for login. It's a one-way scramble. We can check "does this match?" but can never reverse it to find the original.
Zero-knowledge — This means we genuinely cannot see your passwords. Not because of a policy — because we mathematically never receive the key needed to unlock them.
| Item | How it's stored |
|---|---|
| Email address | Plain text |
| Display name | Plain text |
| Server addresses & ports | Plain text |
| IMAP username | Plain text |
| IMAP password | AES-256-GCM |
| SMTP password | AES-256-GCM |
| OAuth token (Gmail / Outlook) | AES-256-GCM |
When your password leaves your device, it has already been transformed into something completely unreadable. Here's what that looks like — and why even the world's most powerful computers can't undo it.
Your password becomes random noise. AES-256-GCM doesn't just scramble your password — it transforms it into data that is statistically indistinguishable from random. There is no pattern. No fingerprint. Nothing to analyse.
Every blob is unique, even for the same password. We add a random "nonce" (a one-time random number) to every encryption operation. Encrypt the same password twice and you get two completely different blobs. An attacker can't even tell if two accounts share the same password.
The blob includes a tamper seal. The "GCM" part of AES-256-GCM adds an authentication tag — a built-in seal that proves the blob hasn't been altered since it was created. If anyone tampers with the stored blob, decryption fails immediately.
Brute force is not an option. A 256-bit key has 2^256 possible combinations — a number so large that no computer ever built, or ever likely to be built, could crack it by guessing. This isn't marketing — it's mathematics.
This is what banks and governments use. AES-256 is the encryption standard mandated by the US National Security Agency for top-secret information. When your bank says your data is encrypted, this is what they mean.
[Illustration: before encryption, what you type; after AES-256-GCM encryption, what we receive]
Your master password is just words. What actually locks your data is a completely different thing — a key that gets built from it. Here's exactly how that works, and why it makes your data safe even if someone guesses your password wrong a million times.
It's deliberately slow. Argon2 and PBKDF2 are designed to take noticeable time and memory to run — even on a fast computer. This isn't a flaw. It means an attacker trying to guess your password can only try a handful per second, not billions.
A random "salt" is mixed in. Before deriving your key, we add a unique random value called a salt. This means two people with the exact same master password will produce completely different keys. Pre-computed attack lists are useless.
It runs thousands of rounds. The process doesn't run once — it loops thousands of times, feeding the output back in as the next input. Each round adds more work for any attacker, while being barely noticeable to you.
Same password always makes the same key. Despite all the complexity, the result is deterministic — your password plus your salt will always produce the exact same 256-bit key, on any device, every time. That's how your new phone can unlock your accounts without us sending it anything.
Argon2 won the Password Hashing Competition. It was selected in 2015 by an international panel of cryptographers as the gold standard for exactly this job. PBKDF2 is the long-trusted standard used by Apple's own iCloud Keychain. We use both.
[Illustration: your inputs; the key after Argon2 runs 100,000 rounds]
No small print. No surprises. Here's everything, honestly.
Yes, we can see your account email address. We need it to send you a password reset code and for account support.
No. We store only a one-way fingerprint of your master password. We can verify it's correct but can never reverse it to find the actual password.
Yes — the addresses themselves, like you@gmail.com. These aren't sensitive; it's your public email identity.
Yes — the server addresses and port numbers. These are public technical settings, like a mailing address for a building.
No. Your email passwords and OAuth tokens are locked with your key before they reach us. We hold the safe — you kept the combination.
No. Emails travel directly between your device and Gmail, Outlook, etc. We are never in the middle of that connection.
We're being upfront about this because it's the one trade-off of our security model. We think it's worth it — but you should know.
Because we don't hold your key, we literally cannot open your locked containers. No back door. No override. This protects you — but it means forgetting your master password requires a reset.
You verify your identity via a code sent to your Stax Inbox account email.
The locked blobs are deleted. They're useless without the old key anyway. We clear them out.
Your non-sensitive settings are kept — server addresses, ports, usernames. Only the actual passwords are lost.
You re-enter each email password once. Fresh encryption begins with your new master password. Everything syncs again.
Treat your master password like your ATM PIN. Write it down somewhere private at home — a notebook, a card in your wallet, a note in a drawer.
Not on a sticky note on your screen — but somewhere only you would think to look.
Stax Inbox is currently in development. Leave your email and we'll notify you when it launches.