PIN and Privacy
BLINK encrypts the most sensitive parts of your account with a key derived from a PIN that only you know. The server never sees the PIN. This page explains the model, the protected data, and the cost of losing the PIN.
What the PIN protects
Encrypted with your PIN:
- All your fetish interests and levels.
- Your hard limits list.
- Your full inventory (toys, clothing, accessories) including notes.
- Your personal Domina's personality (tone, traits, specialties).
- Your safe word.
- Every chat message you have ever sent or received.
What is not encrypted:
- Your username, email, tier, role.
- Your level and XP.
- Session metadata (title, difficulty, time, status).
- Generated image file paths and the images themselves.
- AI Studio image prompts.
- Stripe billing data (Stripe holds this anyway).
This split exists because the encrypted fields are the personal ones that would identify your tastes; the unencrypted fields are the operational ones the server needs to function.
How the encryption works
- During PIN setup, the app uses PBKDF2 to derive an AES-GCM key from your PIN plus a per-user salt.
- The salt is stored on the server. The PIN is never transmitted.
- When you sign in, you enter your PIN. The app derives the key locally and decrypts everything in memory.
- When you change a protected field, the app re-encrypts it locally before sending it to the server.
- The server only ever sees ciphertext for these fields.
The result: someone with database access cannot read your fetishes, limits, inventory, or chat history.
When you'll be asked for the PIN
- On a new browser or device when you first sign in.
- After clearing browser storage (the cached key lives in IndexedDB for up to 7 days).
- After you manually sign out of all sessions.
Within that 7-day window, you will not be asked for the PIN each time you load the app on the same device.
What happens if you forget the PIN
The encrypted fields are unrecoverable.
- Sessions, level, XP, billing, tier, and account state all survive.
- Fetish interests, hard limits, inventory, custom Domina personality, safe word, and chat history are gone.
- Support cannot recover them. The PIN is not stored anywhere.
Your account is still usable, but it will feel like a fresh one for the protected fields. You can re-enter everything and set a new PIN.
When you change your PIN
- Old ciphertext is decrypted with the old key, re-encrypted with the new key, and stored back.
- This happens client-side. Plaintext is briefly in memory only.
- You will be asked for the old PIN to authorise the change.
Is the PIN the same as my password?
No. The password authenticates you to Firebase Auth (it gates the account). The PIN derives an encryption key (it gates the protected data). Resetting one does not reset the other.
If you forgot the password, use the standard Firebase reset.
If you forgot the PIN, the protected data is gone; the rest of the account is fine.