Failsafes

If something feels wrong, here's what to do.

Five escalating actions, all from your phone. Built so that any of them can be reversed — by you, from anywhere, without involving us.

Most privacy products are silent about what to do when things go wrong. We're not. Devices get lost. Accounts get phished. Borders get crossed. Relationships change. Phones get handed to people you don't fully trust. TRS is built so that any of those moments is a few taps away from resolved — with the architecture designed so that doing the right thing in a panicked moment doesn't lock you out of your own content forever.

The five actions below escalate in weight. Pick the smallest one that fits the situation.

Light · this device

Sign out

Ends your current session on this device. Your encryption keys stay where they are.

When to use

You're handing your phone to someone for a minute. You're stepping away from a borrowed device. You want to be signed out for hygiene reasons.

Reversible?

Yes — sign back in any time.

Light · all devices

Log out of all devices

Ends every active session on every device you've signed in on. Your encryption keys stay on each device, so once you sign back in everything is right where you left it.

When to use

You forgot whether you signed in on a device you no longer have. You think someone might have your password but not your physical phone. You want to start fresh across the board.

Reversible?

Yes — sign back in on whichever devices you still use.

Medium · this device · keys

Delete encryption keys from this device

Removes the decryption keys from this device only. The account and content on the server stay intact.

When to use

Selling or trading in this phone. You suspect this device specifically might be compromised. You're stepping away from a device for a long stretch.

Reversible?

Yes — recover with your 24-word key, or with your Recoverees.

Heavy · all devices · keys

Wipe encryption keys from all devices

Removes the decryption keys from every device you've signed in on. The account and content on the server stay intact — only the means of opening them on your devices is removed.

When to use

You suspect any of your devices might be compromised and you don't know which. You're crossing a border and want to travel light. You're going through a difficult life transition and want to reset the trust surface.

Reversible?

Yes, if you have your recovery key in hand or your Recoverees configured. The app blocks this action if you have neither, so you can't accidentally lock yourself out.

Panic mode

Lock everything down

One action, four consequences: keys wiped from every device, every Pending Release cancelled, every Recoveree alerted that you triggered lockdown. They'll be ready in case you need to recover.

When to use

You believe your account is under active threat — coerced disclosure, immediate physical danger, urgent legal situation. This is the "I'm in trouble right now" action.

Reversible?

Yes, with significant friction. Hold-to-confirm for 3 seconds to fire — and your Recoverees will be on alert.

Permanent · no recovery

Delete account permanently

Erases your account, every Safe, every file, every Recipient/Releasee/Recoveree designation. Cannot be reversed by us. Cannot be reversed by you.

This action is in the same area of the app as the failsafes — but visually separated and explicitly framed so it can't be mistaken for "wipe and recover later." Once committed, it's done.

The architecture

Every failsafe has a way back.

Most privacy products treat "wipe my data" as a one-way door. TRS doesn't. The same architecture that protects your content from us — Layer-3 owner-sealed recovery — also gives you a way back in after any wipe. Your 24-word recovery key, or a quorum of your Recoverees approving your recovery, re-derives the content keys for you. Nothing on the server was destroyed; just the means of opening it on your devices.

This is the part where it pays to have either (a) saved your recovery key somewhere safe, or (b) set up your Recoveree quorum — ideally both. Without one of them, "wipe everywhere" is a one-way door. The app warns you before you walk through it.

Before you ever need a failsafe.

The failsafes only work if you've set up at least one recovery path beforehand. There are two:

Your 24-word recovery key.

Shown to you once at signup. You write it down, screenshot it, or print it. Anyone with this phrase can recover your account, so treat it like the key to a safe — keep it somewhere only you can reach. A password manager works. A locked drawer works. A folded paper in your wallet works.

Your Recoverees.

A small group of people (typically 2–5) you've trusted with cryptographic shards of your recovery key. A configurable threshold ("any two of three") can approve a recovery request from a new device. No single Recoveree can recover alone. We can't recover your account regardless. The math forces a small, observable conspiracy of people you've chosen — exactly the right shape for the kind of attack you'd actually worry about.

Most people set up both. Either one alone — your recovery key in hand, or your Recoveree quorum configured — is enough.

What these actions can't do

The honest limits.

We try not to overpromise. Four limits worth knowing:

Offline devices.

If a device is offline when you trigger a wipe-everywhere, it won't actually wipe its keys until it comes back online. This is the same limit as Apple's "Find My" remote wipe — we can't reach a device that isn't reachable. If a device has been stolen and kept offline by the thief, the wipe doesn't fire on that device until they connect it. Plan accordingly.

Already-decrypted content.

If a recipient has already opened a Safe and the content is showing on their screen, the wipe doesn't unread it for them. The viewable-window timer continues to run on their device. Read receipts will show what was opened and when.

Coerced recovery.

A bad actor with physical access to you and your recovery key can recover your account. The 24-word phrase is a single point of failure by design — that's what makes it usable. You can mitigate this by using Recoverees instead, which require multiple independent humans to approve a recovery request within a fifteen-minute window. Sequential coercion of multiple people over hours or days doesn't work against that mechanism.
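The fifteen-minute approval window can be modelled as a sliding-window quorum check. This is an added sketch, not TRS code: how TRS enforces the window is not described on the page, and the function name, event format and Recoveree names are hypothetical.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # approval window stated on the page

def quorum_reached(approvals, recoverees, threshold, window=WINDOW):
    """Return the time the quorum completes, or None if it never does.

    approvals: iterable of (recoveree_id, datetime) events for one request.
    Only enrolled Recoverees count, repeat approvals by one person count once,
    and `threshold` distinct approvers must fall inside one sliding window.
    """
    events = sorted((ts, rid) for rid, ts in approvals if rid in recoverees)
    start = 0
    for end, (ts, _) in enumerate(events):
        # Drop events that are older than the window relative to this one.
        while ts - events[start][0] > window:
            start += 1
        distinct = {rid for _, rid in events[start:end + 1]}
        if len(distinct) >= threshold:
            return ts
    return None

if __name__ == "__main__":
    enrolled = {"alice", "bob", "carol"}  # constructed sample data
    t = lambda h, m: datetime(2024, 1, 1, h, m)
    cases = {
        "two approvals 9 minutes apart": [("alice", t(10, 0)), ("bob", t(10, 9))],
        "two approvals hours apart":     [("alice", t(10, 0)), ("bob", t(13, 30))],
        "same Recoveree twice":          [("alice", t(10, 0)), ("alice", t(10, 5))],
        "one approver not enrolled":     [("alice", t(10, 0)), ("mallory", t(10, 2))],
    }
    for label, events in cases.items():
        print(f"{label}: {quorum_reached(events, enrolled, threshold=2)}")
```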

Permanent account deletion.

The "Delete account permanently" action below the failsafes — different action, different card — is permanent. Your Safes, files, and trust circle are all erased. Nothing the failsafes can do brings that back. We put deletion in its own visual section so it can't be tapped in a panic and mistaken for one of the recoverable tiers.

Failsafes by design.

TRS is built so the worst case has a way back. You don't need to be perfect with your devices to use it. Set up one recovery path — the failsafes do the rest.
