Private by default: outl now syncs peer-to-peer, end-to-end
outl dropped iCloud for iroh. Your notes now sync device-to-device over end-to-end encrypted QUIC — no server, no account, no company in the middle. And you give up nothing: same TUI, desktop, and iOS, same clean markdown, same offline-first UX. Privacy that isn't a downgrade.
you shouldn’t have to choose
Every notes app hands you the same quiet trade. Want your stuff on all your devices? Then your stuff lives on someone’s server. Want it private? Then sync gets worse, or you’re wiring up Syncthing on a Saturday.
outl refuses the trade. Your notes now sync end-to-end encrypted, peer-to-peer, with no server and no account — and the app didn’t get harder to use to make that happen. Same three clients, same clean markdown, same offline-first feel. Privacy stopped being the expensive option.
what changed
The June beta moved your workspace folder between devices through iCloud Drive. It worked, but it only worked on Apple, and it meant your files rode through Apple’s infrastructure to get from your laptop to your phone.
That’s gone. outl now syncs over iroh: QUIC between your devices, hole-punched directly through your network, with a relay only when the network leaves no other path. No iCloud. No outl server. No account to create.
I wrote the full engineering story on my personal blog — the wire protocol, the NAT traversal, the CRDT bug a real network finally exposed. If you want the deep dive, it’s here: “the op log was peer-to-peer the whole time”. This post is the short, human version.
why peer-to-peer is the whole privacy story
Most apps that promise privacy are asking you to trust a promise. “We don’t look at your data.” Maybe they don’t. But the data is sitting on their servers, which means they could, a court could make them, or someone who breaks in could.
Peer-to-peer removes the question. Your notes go straight from one device you own to another device you own. There’s no third machine in the middle holding a copy.
When your network won’t allow a direct connection — two phones behind carrier NAT, say — a relay steps in to forward the traffic. And here’s the part that matters: the relay moves ciphertext. The connection is QUIC plus TLS 1.3, keyed to your devices. The relay can see that two devices are talking. It cannot read one word of what they say. No page title, no tag, no bullet. Sealed envelopes, every time.
No server holding your notes. No account that can leak. No company whose privacy policy you have to believe. Privacy that doesn’t depend on anyone’s good behavior is the only kind worth the word.
the catch that isn’t there
Here’s where this usually falls apart. “Private” tools tend to feel like homework. Self-hosted, fiddly, a downgrade you tolerate because you care about the principle.
Not this. Nothing about the experience got worse:
- Same clients. The vim-style TUI, the native desktop app, the iOS app on your phone. All three, unchanged.
- Same clean files. Plain .md you can open in any editor, read with cat, grep, and back up however you like. No lock-in, no proprietary blob.
- Same offline-first. Edit on a plane. Edit on the subway. Your devices reconcile when they meet again, with no merge dialogs and no lost text.
- Same speed. Edits show up on your other devices in milliseconds when they’re reachable, and a background loop guarantees they converge even when the network is flaky.
You didn’t trade quality for privacy. You got both because the architecture was built for it from the start.
how it works, briefly
Every device keeps its own append-only log of edits. When two devices connect, they trade a tiny summary of what each has seen and ship only the difference — not the whole history, just the gap. A conflict-free replicated data type merges those edits into the same tree on every device, in any order they arrive, with a mathematical guarantee that nothing is lost and nothing duplicates.
Pairing is one step: scan a QR code or paste a ticket, once. After that your devices know each other and sync on their own.
If you want the real mechanics — the QUIC handshake, the vector-clock delta sync, why an iPhone behind carrier NAT still works — that’s the engineering write-up.
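The summary-and-gap exchange described above, as an added sketch that is not outl's own code: the Op and Replica types, the per-device sequence numbers and the sync function are assumptions made for illustration, and the CRDT merge of the resulting ops into a tree is left out.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Constructed model, not outl's wire format: an op is identified by (device, seq).
#[derive(Clone, Debug, PartialEq)]
struct Op { device: String, seq: u64, text: String }
struct Replica {
    id: String,
    log: Vec<Op>,                // append-only edit log
    seen: BTreeMap<String, u64>, // summary: highest seq applied per device
}
impl Replica {
    fn new(id: &str) -> Self { Replica { id: id.into(), log: vec![], seen: BTreeMap::new() } }
    // Local edit: takes this device's next sequence number and appends to the log.
    fn edit(&mut self, text: &str) {
        let seq = self.seen.get(&self.id).copied().unwrap_or(0) + 1;
        self.apply(Op { device: self.id.clone(), seq, text: text.to_string() });
    }
    // Accept only the next op expected from its device: replays and gaps are rejected.
    fn apply(&mut self, op: Op) -> bool {
        if op.seq != self.seen.get(&op.device).copied().unwrap_or(0) + 1 { return false; }
        self.seen.insert(op.device.clone(), op.seq);
        self.log.push(op);
        true
    }
    // Ops the peer is missing, judged only from the peer's summary.
    fn delta_for(&self, peer_seen: &BTreeMap<String, u64>) -> Vec<Op> {
        self.log.iter()
            .filter(|op| op.seq > peer_seen.get(&op.device).copied().unwrap_or(0))
            .cloned().collect()
    }
    // Order-independent view of the log, used to check convergence.
    fn ids(&self) -> BTreeSet<(String, u64)> {
        self.log.iter().map(|op| (op.device.clone(), op.seq)).collect()
    }
}

// One exchange: swap summaries, ship the gaps; returns ops applied on (a, b).
fn sync(a: &mut Replica, b: &mut Replica) -> (usize, usize) {
    let (to_a, to_b) = (b.delta_for(&a.seen), a.delta_for(&b.seen));
    let got_a = to_a.into_iter().filter(|op| a.apply(op.clone())).count();
    let got_b = to_b.into_iter().filter(|op| b.apply(op.clone())).count();
    (got_a, got_b)
}

fn main() {
    let (mut laptop, mut phone) = (Replica::new("laptop"), Replica::new("phone"));
    laptop.edit("- buy milk"); laptop.edit("- call bank"); phone.edit("- idea");
    println!("first sync applied {:?}", sync(&mut laptop, &mut phone));
    println!("second sync applied {:?}, converged: {}", sync(&mut laptop, &mut phone), laptop.ids() == phone.ids());
}
```

Because apply refuses anything but the next expected sequence number, a repeated sync or a replayed op changes nothing, which is the "nothing duplicates" property in miniature.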
this is where notes are heading
For a decade the deal was: hand your thinking to a cloud, get convenience back. That deal is aging badly. Breaches are constant, AI training scrapes whatever it can reach, and “we take your privacy seriously” has become the sentence companies say right before they don’t.
Local-first plus end-to-end peer-to-peer is the correction. Your data lives on your machines. It moves between them encrypted, directly, with no middleman who could read it or lose it. That shouldn’t be a niche feature for the paranoid. It should be the default, and in outl it is.
try it
brew tap avelino/tap
brew install outl@beta # TUI
brew install --cask outl-desktop@beta # macOS desktop
iOS is a free TestFlight beta. Pair it with your laptop once, and your journal follows you with nobody in between.
outl is open source and MIT-licensed: github.com/avelino/outl. Issues open, bug reports welcome.