A guided tour

Everything Haven does, explained simply.

Take it one feature at a time. Each one comes with a plain-English explanation and why it matters. Curious how the magic works? Every section has a little "How this works" you can open for the technical detail.

Circles [Built & shipping]

A circle is a small, private group — your family, your closest friends, your band, your book club. You decide exactly who's in it, and only those people can see what's shared there. You can have as many circles as you like, each with its own vibe and its own people.

Why it matters: no "friends of friends," no public profile, no strangers wandering in. Sharing with your family circle never accidentally reaches your work circle.

How this works

Each circle is a cryptographic group. Every post, comment, reaction, message and media file is sealed to the exact set of members with a fresh content key, wrapped individually for each member using a hybrid post-quantum key exchange (X25519 + ML-KEM-768) and signed (Ed25519 + ML-DSA-65).

Membership is enforced by the math, not by a server's permission check — there is no server. Posts are signed by the author's identity key, so members can always attribute and, if needed, remove a bad actor. Per-circle privacy (Spotlight exclusion + Face ID lock) is built in.

Posts & the feed [Built & shipping]

Share a photo, a video, a thought. It lands in your circle's feed in the order it was posted — newest at top, no algorithm deciding what you do and don't see. Made a typo? Edit it. Changed your mind? Unsend it. It's your feed.

Why it matters: a chronological feed of just your people means you actually see Grandma's update — not whatever an engagement engine decided would keep you scrolling.

How this works

The feed is built by a deterministic reducer over the stream of sealed events each member receives (posts, edits, unsends, reactions, comments). Edits and unsends are themselves signed events, so history stays tamper-evident. Media is content-addressed with BLAKE3 and chunked into 512 KB sealed pieces, so the same photo is never stored or sent twice.
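The order-independence a deterministic reducer provides, as an added sketch that is not Haven's own code. The event shape (`Event`, `Kind`, numeric ids and timestamps) is hypothetical, and events are assumed to be already decrypted and signature-checked, so `author` is the verified signer.

```rust
use std::collections::{BTreeMap, HashSet};

#[derive(Clone, Debug)]
enum Kind { Post(String), Edit(u64, String), Unsend(u64) } // Edit/Unsend name a target post id
// Hypothetical event shape; `author` is assumed to be the already-verified signer.
#[derive(Clone, Debug)]
struct Event { id: u64, author: &'static str, ts: u64, kind: Kind }

/// Folds events into a feed (newest first) that is identical for any delivery order.
fn reduce(events: &[Event]) -> Vec<(u64, String)> {
    let mut evs: Vec<&Event> = events.iter().collect();
    evs.sort_by_key(|e| (e.ts, e.id)); // canonical order, independent of arrival
    evs.dedup_by_key(|e| e.id);        // a re-delivered event counts once
    let mut posts: BTreeMap<u64, (&str, u64, String)> = BTreeMap::new();
    for e in &evs {
        if let Kind::Post(body) = &e.kind { posts.insert(e.id, (e.author, e.ts, body.clone())); }
    }
    let mut unsent = HashSet::new();
    for e in &evs {
        match &e.kind {
            // Only the post's own author may edit or unsend it; anything else is ignored.
            Kind::Edit(t, body) => {
                if let Some(p) = posts.get_mut(t) { if p.0 == e.author { p.2 = body.clone(); } }
            }
            Kind::Unsend(t) => {
                if posts.get(t).map_or(false, |p| p.0 == e.author) { unsent.insert(*t); }
            }
            Kind::Post(_) => {}
        }
    }
    let mut feed: Vec<(u64, u64, String)> = posts.into_iter()
        .filter(|(id, _)| !unsent.contains(id))
        .map(|(id, (_, ts, body))| (ts, id, body)).collect();
    feed.sort_by(|a, b| (b.0, b.1).cmp(&(a.0, a.1))); // newest at top
    feed.into_iter().map(|(_, id, body)| (id, body)).collect()
}

// Constructed sample log, not real Haven data.
fn sample() -> Vec<Event> {
    let ev = |id, author, ts, kind| Event { id, author, ts, kind };
    vec![ev(1, "alice", 10, Kind::Post("hello wrld".into())),
         ev(2, "bob", 20, Kind::Post("lake photo".into())),
         ev(3, "alice", 30, Kind::Edit(1, "hello world".into())),
         ev(4, "mallory", 40, Kind::Edit(2, "spam".into())), // not bob: ignored
         ev(5, "bob", 50, Kind::Post("oops".into())),
         ev(6, "bob", 60, Kind::Unsend(5))]
}

fn main() { println!("{:?}", reduce(&sample())); }
```

Because the fold sorts into a canonical order first, a member who receives the unsend before the post it targets still ends up with the same feed as everyone else.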

Stories, the camera & film filters [Built & shipping]

Tap the in-app camera to snap a photo or hold to record a video, flip the camera, add a caption, and post it as a story your circle can watch in a tap-through tray. Dress it up with gorgeous film-style filters — including a warm, nostalgic Kodak Gold look alongside nine other Apple-style variants.

Why it matters: a real, beautiful camera and filters built right in — with none of it ever touching a server. Your candid moments stay candid, and private.

How this works

Capture uses AVFoundation (AVCaptureSession): tap for photo, hold to record, flip, flash. Captured files live only in the app's sandbox and are sealed end-to-end before they ever leave the device. There are ten filters — nine Apple-style variants plus the Kodak Gold film look — applied on-device.

Privacy hygiene is built in: GPS/EXIF location and identifying maker tags are stripped by default on capture, the camera pipeline calls no third-party SDK, logs nothing, and temp files are deleted once the post is sealed. Apple's on-device SensitiveContentAnalysis can blur sensitive media with tap-to-reveal, with zero data collection.
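What stripping location and maker tags from a JPEG involves at the byte level, as an added Rust illustration that is not Haven's capture code. It removes every APP1 segment, where a JPEG stores Exif and XMP metadata, and refuses malformed input instead of passing it through. The function names and the sample bytes are constructed for this example.

```rust
/// Returns a copy of `jpeg` without its APP1 segments, or None if the file
/// cannot be parsed (fail closed: never pass an unparsed file through).
fn strip_app1(jpeg: &[u8]) -> Option<Vec<u8>> {
    if !jpeg.starts_with(&[0xFF, 0xD8]) { return None; } // must begin with SOI
    let mut out = vec![0xFF, 0xD8];
    let mut i = 2;
    while i + 4 <= jpeg.len() {
        if jpeg[i] != 0xFF { return None; }
        let marker = jpeg[i + 1];
        if marker == 0xDA {
            // Start of scan: compressed image data follows, copy the rest as is.
            out.extend_from_slice(&jpeg[i..]);
            return Some(out);
        }
        // Segment length is big-endian and counts its own two bytes.
        let len = u16::from_be_bytes([jpeg[i + 2], jpeg[i + 3]]) as usize;
        let end = i + 2 + len;
        if len < 2 || end > jpeg.len() { return None; }
        // APP1 (0xE1) carries Exif (GPS, Make/Model) and XMP metadata.
        if marker != 0xE1 { out.extend_from_slice(&jpeg[i..end]); }
        i = end;
    }
    None // ran out of bytes before any image data
}

// Builds one marker segment: 0xFF, marker, 2-byte length, payload.
fn seg(marker: u8, payload: &[u8]) -> Vec<u8> {
    let mut s = vec![0xFF, marker];
    s.extend_from_slice(&((payload.len() + 2) as u16).to_be_bytes());
    s.extend_from_slice(payload);
    s
}

// Constructed, minimal JPEG-shaped input (not a viewable image).
fn sample_jpeg() -> Vec<u8> {
    let mut j = vec![0xFF, 0xD8];
    j.extend(seg(0xE0, b"JFIF\0"));
    j.extend(seg(0xE1, b"Exif\0\0GPSLatitude=constructed"));
    j.extend(seg(0xDA, b"\x01\x02"));
    j.extend_from_slice(&[0x11, 0x22, 0xFF, 0xD9]); // scan bytes + EOI
    j
}

fn main() {
    let clean = strip_app1(&sample_jpeg()).expect("parse");
    println!("{} -> {} bytes", sample_jpeg().len(), clean.len());
}
```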

Direct & group messages [Built & shipping]

Message anyone in your circles one-to-one, or start a group chat with several people at once. Same warmth as the feed — text, photos, and videos, all locked down end-to-end. Each message shows who sent it, when, and a delivery checkmark so you know it landed. You can even schedule a message to send later, and send screenshot-protected secret messages for the things meant for one set of eyes.

Why it matters: private means private. No "for your eyes only" disclaimer on a server that could be read by someone else — the message is mathematically yours.

How this works

A DM is modeled as a tiny circle (a deterministic dm: group); a group DM is the same construct with more members — so both reuse the exact same sealing, signing and delivery path as group posts, one battle-tested code path, not a special case. Every message carries its author's signed identity, a timestamp, and a delivery receipt. Scheduled messages are sealed up front and released at the send time; secret messages render in a screenshot-protected view (a secure field on iOS, FLAG_SECURE on Android).

Voice & video group calls [Built & shipping]

Call your circle — one friend or the whole group — with crisp voice and video, plus screen sharing when you want to show, not just tell. It rings through your phone's native call screen so it feels like any other call.

Why it matters: face-to-face with the people you love, encrypted the whole way, with no meeting links, no accounts, and no company hosting the call.

How this works

Calls use WebRTC for real-time audio/video and screen share, negotiated peer-to-peer over Haven's encrypted transport. On Apple platforms the system call UI is CallKit; on Android it's Telecom/ConnectionService. When two peers can't connect directly (hard NAT), a stateless connection relay forwards the encrypted stream — it never decrypts a frame.

Music on posts [Shipped]

Attach a song to a photo or video so your moment has a soundtrack. Viewers see a little pill with the artist and title and a gentle playing animation, and hear it through their own Apple Music. If you unmute a video, the music smoothly fades out and the video's audio fades in — a clean crossfade.

Why it matters: the right song makes a memory. And because Haven only sends a reference to the track — never the audio — it's the only model that's truly legal, private, and piracy-free.

How this works

The post carries a tiny TrackRef (catalog id, title, artist, artwork URL, duration) — never the audio data — sealed inside the same encrypted event as the rest of the post. Each viewer plays it through their own MusicKit subscription; without one they get a 30-second preview or a tap-to-open link. Haven never sees your Apple ID or listening history.

An AudioCoordinator owns both the music player and the video player and ramps volumes over ~300–500ms for the crossfade; only one post's audio plays at a time. The feed pill, animation, crossfade, and live Apple Music playback are all shipped (the MusicKit entitlement is granted on the App ID).

Reactions & comments [Built & shipping]

React with a tap and leave a comment to keep the conversation going right under a post — the small, warm back-and-forth that makes a group feel alive.

Why it matters: connection lives in the little moments. Reactions and comments are private to your circle, just like everything else.

How this works

Reactions and comments are sealed, signed events addressed to the same circle as the post they attach to, then folded into the feed by the same reducer. They flow peer-to-peer over whichever path is available (nearby, direct, or relay).

Nearby sharing (works offline) [Built & shipping]

No internet? No problem. When your people are physically close, Haven can pass posts, messages and invites directly between phones over Bluetooth and local Wi-Fi — campsite, airplane, basement, blackout, all fine.

Why it matters: a truly serverless app shouldn't fall over when the Wi-Fi does. Your circle keeps working anywhere you're together.

How this works

On Apple devices this is MultipeerConnectivity (Bluetooth + local Wi-Fi); on Android it's the Nearby Connections API. A mesh relay hop lets one internet-connected phone forward a sealed message onward for a friend who's only reachable over the local mesh — still ciphertext only, end to end.

Per-circle Face ID lock [Built & shipping]

Some circles are more private than others. Lock any circle behind Face ID (or Touch ID), and keep it out of search and Spotlight, so a glance at your unlocked phone never reveals what's inside.

Why it matters: privacy from the world and from the person holding your phone. The most personal circle gets the most protection.

How this works

Per-circle privacy combines biometric gating (Face ID / Touch ID) with Spotlight exclusion so locked circles don't surface in system search. The master seed that unlocks your identity is itself Secure-Enclave-wrapped on-device, so even a raw Keychain dump yields nothing without your biometrics.

Multi-device sync [Built & shipping]

Use Haven on your phone, your iPad, your Mac. Your own devices now converge and stay in sync — post from your phone and it shows up on your iPad; your circles, profile and conversations line up across every device you own. Move your identity to a new device with a quick transfer code or QR scan, and your contacts never even notice — you're still you to everyone in your circles.

Why it matters: your life isn't on one screen. Haven follows you across your devices without ever copying a private key over the internet.

How this works

Multi-device support is made up of a multi-identity switcher, move-to-device via a transfer code / QR (haven-seed:…), iCloud-Keychain backup/restore of identity history (the active seed stays device-only), and multi-token push so every linked device gets notifications. A user's own devices self-sync their circles, posts and profile so they converge to the same state — the sync path is strictly additive, so a freshly-restored or empty device can never tombstone content that already exists elsewhere.

The target design gives each device its own key, signed into an account device-list by your long-term identity key — so adding or revoking a device (e.g. a lost phone) is instant and never changes who you are to your contacts. No private key is ever copied between devices.

Serverless & end-to-end encrypted [The foundation]

This is the heart of Haven: there is no server holding your life. Everything is encrypted on your device, the keys stay on your own devices (the only sync is Apple's end-to-end iCloud Keychain between your devices — never to us), and your content travels directly between the people in your circle. It even resists future quantum computers.

Why it matters: nothing to hack, nothing to sell, nothing to subpoena, nothing to shut down. You don't trust a company with your memories — you don't have to.

How this works

One Rust core (p2pcore) handles identity, hybrid post-quantum crypto, circles, and the social engine, shared by every platform. The transport ladder picks the best path automatically: nearby (Bluetooth/Wi-Fi) → direct (iroh QUIC with NAT hole-punching) → relay (only if nothing local works). Above the transport, everything is opaque encrypted bytes.

Discovery uses signed records on the decentralized mainline DHT (the one BitTorrent uses) keyed by your public key — so a link to you is permanent with zero backend. The result is a one-time-price app with no monthly operator cost, ever.

A note on honesty: Haven is in beta and ships fast. Everything above is built and running today; a green tag means it's shipping. When something is only partly wired, we say so with an amber tag rather than overpromising. The app is free while in beta and will be a one-time paid app at launch — never a subscription. See the roadmap.