You photograph your passport, insurance documents, warranty cards. You save them to the app. Then the real question — who else can see them?
In Expi? No one. Not even us.
What Happens When You Upload a Document
When you add a photo to an item in Expi, here’s what goes down:
The photo encrypts directly on your phone. Before it ever leaves your device. Only the encrypted data package gets sent to our server — without the key, it’s worthless noise.
We use AES-256-GCM — the same standard that banks and governments rely on. Each photo gets encrypted in a unique way. Even if you encrypt the same photo twice, the result is different every time.
Where the Key Lives
Your encryption key never leaves your device. It stays locked in Keychain (iOS) or Keystore (Android) — that’s the special hardware vault on your phone, off-limits to regular apps.
If you use cloud backup, the key gets backed up too — but not how you might think. Before it goes to the server, it wraps itself in your PIN. Without your PIN, the key backup is as unreadable as the photos themselves.
On our server, we see only encrypted data. We don’t have your key. We don’t have your PIN. We have no way to access your photos. And that’s exactly how it should be.
What About Family Sharing
Starting in version 1.2, you can share items with photos within a household. Your daughter’s passport, your car insurance — your spouse sees them too, without you having to message photos back and forth.
It works through a separate encryption key for the household. When you first share an item with a photo, Expi automatically generates a family key. No extra steps required on your end.
Each family member gets a 6-digit sharing code. Find it in Settings → Household, next to their name. You share the code with them or tell them in person. They enter it once — the first time they open a shared photo — and then they won’t be asked again.
Why a code? Because the household invitation alone isn’t enough. The code makes sure only the people you give it to can see the photos. Not the server. Not Expi. Nobody else.
What If I Keep Photos Local Only
If you chose “Device Only” when you first set up Expi, your photos are encrypted with a key that exists only on your phone. Family sharing isn’t an option — the app will let you know. The item name, category, and date get shared, but not the actual photo.
It’s a trade-off. Maximum privacy in exchange for photos that stay tied to one device.
Why We Do It This Way
It would be easier not to encrypt at all. Or to keep the keys on our server. Development would be faster. Support would be simpler.
But Expi holds your most sensitive documents — passports, birth certificates, contracts. We have no right to see them. And we don’t want to.
That’s why we encrypt on-device. That’s why the key is only yours. And that’s why family sharing requires a code. Every extra step is there to keep your data yours.