Techlore SPA Tools Security, Privacy & Anonymity tools for everyone
Find the right browsers, VPNs, messaging apps, password managers, operating systems, and other tools to keep you safer online. Organized by category with filters to help you build a complete setup at any level.
Not sure where to start? Take the SPA Quiz for personalized recommendations, or browse the SPA Wiki to learn the concepts behind each category.
press esc to reset
Browsers #
Your browser handles nearly all of your web activity, making it one of the most impactful choices you can make.
Brave offers a familiar Chromium experience with privacy and security built in by default and little configuration required. The built-in Brave features can be a distraction, but they're easily disabled and don't affect the browser's core strengths.
Firefox is the strongest non-Chromium alternative for desktop, backed by Mozilla, a nonprofit focused on digital rights. Out of the box it's a solid choice; with hardening it becomes one of the best. See our hardening guide below.
Co-developed by Mullvad and the Tor Project, Mullvad Browser brings Tor Browser's fingerprinting protections to regular internet connections. A strong pick for desktop users who want serious privacy without routing through Tor. Recommended with a VPN. May introduce some breakage.
Tor Browser routes your traffic through the Tor network, making it a strong browser for anonymity and censorship circumvention. If anonymity is your primary concern, this is a good starting point. Will likely break some sites and can be slower to use.
DuckDuckGo's standalone browser bundles tracker blocking, Smarter Encryption, and Email Protection by default. Note that the underlying engine differs by platform—WebKit on macOS/iOS, Chromium-based on Windows/Android—so it's not a single forked browser the way Firefox or Brave is.
Safari is a reasonable default for Apple users, with privacy basics built in. Pair it with uBlock Origin Lite or AdGuard for stronger ad and tracker blocking. For iOS users running Lockdown Mode, Safari is the only browser that lets you allowlist trusted sites, making it a reasonable choice in that context.
Waterfox is a long-running Firefox fork focused on user choice, reduced telemetry, and is independently operated. Soon will include Brave Shields. A reasonable Firefox alternative for users who want Mozilla's Gecko engine with different defaults.
A Chromium fork with built-in ad blocking and privacy improvements over stock Chrome. A practical option for Android users who want a Chromium-based browser with better defaults. Also available on Windows and Linux.
LibreWolf is a community-run Firefox fork that applies most recommended hardening settings out of the box, saving you the manual configuration. Desktop only, solid pick if you want a hardened Firefox without the setup. Community-run.
The closest thing to Tor Browser on iOS. iOS restrictions prevent it from matching the official Tor Browser's protections, but it remains a reasonable option for Tor access on Apple devices for lower threat model usage.
Browser Extensions #
Small additions to your browser that can meaningfully reduce tracking and improve your overall security posture.
AdGuard is a reliable, low-friction option for blocking ads, trackers, and phishing across browsers, particularly in Safari for users who want effective blocking without the occasional site breakage that can come with more aggressive filtering. Covers custom DNS filtering as well, making it more versatile than a basic ad blocker.
Ghostery is an open-source tracker and ad blocker with a clean, beginner-friendly interface. Includes approachable visual indicators for those who want simple feedback on blocked items. Migrated to Manifest V3 ahead of the deadline, so it remains effective on modern Chromium browsers.
uBlock Origin is a highly effective browser extension for blocking ads, trackers, and malicious content. Highly configurable for advanced users, though default settings work well for most people. Can occasionally break sites, but exceptions are easy to set. Most Techlore fans either opt for a Firefox-based browser with uBlock Origin, or Brave Browser with no extensions.
uBlock Origin Lite is the Manifest V3-compatible version of uBlock Origin, designed for browsers that no longer support MV2 like recent versions of Chrome and Safari. It offers less filtering capability than the full version but remains a meaningful improvement over no blocker at all. Check the MV2/MV3 tags in the Web Browsers section to know which version applies to your browser.
Search Engines #
Symptoms, debts, doubts, late-night curiosities. A privacy-respecting search engine answers without keeping the record.
Brave Search runs its own independent search index rather than relying on Google or Bing, meaning your queries aren't being proxied through Big Tech infrastructure. A strong default for users who want a familiar search experience without the tracking.
DuckDuckGo is a privacy-focused metasearch engine that pulls primarily from Bing without passing your identity to Microsoft. One of the most accessible entry point for users switching away from Google.
Startpage proxies Google and Bing results on your behalf, so you get Google-quality results without Google seeing who's asking. A reasonable option for users who find other alternatives lacking in result quality but still want to avoid direct Google tracking.
SearXNG is an open source metasearch engine that pulls results from dozens of sources without tracking your queries. Self-hostable for maximum control, or usable via community-run public instances. A privacy-respecting search option, with the trade-off of variable result quality depending on the instance.
Kagi is a paid search engine with its own index, no ads, and no tracking. Funded entirely by subscriptions rather than data collection. The paid model removes the conflict of interest that shapes most search engines. Worth considering if you're frustrated with ad-heavy results and willing to pay for a cleaner experience.
DNS Providers #
DNS translates every domain you visit into an address. Your default provider logs all of it, and switching is one of the easiest wins available.
AdGuard DNS is a free encrypted DNS resolver with built-in ad and tracker blocking across all devices, no software installation needed. A solid low-effort option for adding network-wide protection, with optional customization available through a free account.
Quad9 is a free, privacy-respecting encrypted DNS resolver with built-in malware blocking, operated by a Swiss nonprofit. A reliable set-and-forget option for users who want basic protection without any configuration.
Mullvad's DNS service is a free, no-account encrypted DNS option with a handful of preset blocklist configurations including trackers, ads, malware, and more. Less customizable than NextDNS, but zero friction to set up and completely free.
NextDNS is a fully customizable encrypted DNS service that lets you build your own blocklists, allowlists, and filtering rules across all your devices. One of the most powerful options available while still being approachable enough for non-technical users.
Control D is a highly customizable encrypted DNS service with granular per-device and per-profile filtering, comparable to NextDNS in flexibility. Built by the same team as Windscribe, with a discount available for Windscribe subscribers.
VPN Providers #
A VPN shifts your network trust from your ISP to the VPN provider. Useful for privacy from your ISP, and for changing your IP online.
Proton VPN is a well-audited, open source VPN from the Proton ecosystem with a generous free tier—no data caps, no ads. A natural starting point if you're already in the Proton ecosystem. Offers a helpful extension to run as a proxy within a browser. Use the VPN Finder below to compare it against other providers in detail.
Windscribe offers a generous free tier and strong value on paid plans, with a configurable firewall and open source clients. A solid option for users who want flexibility without a high price. Also offers a helpful extension to run as a proxy within a browser. Use the VPN Finder below to compare it against other providers in detail.
IVPN is a privacy-first VPN with a strong track record on transparency, independent audits, and minimal data collection. No personal information required, comparable to Mullvad in its commitment to user privacy. Use the VPN Finder below to compare it against other providers in detail.
Mullvad is one of the most privacy-focused VPN providers available. No email required, cash and Monero accepted. Strong on transparency and independent audits. Considered the gold standard for privacy. Use the VPN Finder below to compare it against other providers in detail.
Obscura is a two-party VPN that routes your traffic through both Obscura and Mullvad's infrastructure, so neither party alone can link your identity to your activity. Offers more privacy than just Mullvad alone. Supports Monero. Currently available on iOS and macOS only. Use the VPN Finder below to compare it against other providers in detail.
Orbot routes your device's traffic through the Tor network using Android or iOS's built-in VPN slot, making it one of the most accessible ways to use Tor on mobile. It doesn't provide the full anonymity of Tor Browser, but it's a meaningful step up for general protection and gives you access to onion sites on mobile.
AzireVPN is a VPN provider owned by Malwarebytes operated out of Sweden. Strict no-logs policy, diskless physical servers, and a "blind operator" model that prevents even admins from inspecting live connection data. Open source clients, WireGuard support, independent audits, and a warrant canary. Use the VPN Finder below to compare it against other providers in detail.
Messengers #
Most messaging apps expose your chats, metadata, contacts, and content. But the right messenger keeps your conversations private.
Signal is the most widely trusted private messenger, combining strong encryption with a familiar, easy-to-use interface. Registration requires a phone number, which is worth considering per threat model, though usernames let you communicate without exposing your number to contacts. See our Signal hardening guide for getting the most out of it.
Briar routes messages through Tor, requires no central server, and can sync over Bluetooth or Wi-Fi when internet isn't available. These traits make it one of the most resilient messengers for high-risk or infrastructure-limited situations. The strongest choice when anonymity and censorship resistance matter most.
SimpleX requires no phone number, email, or username to sign up. It's one of the only messengers with no persistent identifier tied to your account. Decentralized, independently audited, and increasingly feature-complete. The right choice for users who want to minimize their identity footprint entirely.
Threema is a one-time purchase, end-to-end encrypted messenger with no phone number or email required to sign up. A clean, well-audited option for users willing to pay upfront rather than deal with a subscription or free-tier limitations.
Matrix is an open, federated messaging protocol, meaning you can self-host your own server or choose one you trust. E2EE is available but not always the default depending on the client and room settings. Federation adds resilience and flexibility, but also means metadata handling varies by homeserver. Element is the most popular client.
Molly is an independently maintained Signal fork for Android that adds security features like database encryption at rest and support for UnifiedPush. It works with your existing Signal account, though it's worth noting it isn't officially endorsed by Signal and adds a third party to your trust chain. Many utilize its 'use phone as linked device' feature to use Signal on two phones.
Session requires no phone number or email to register and routes messages through a decentralized network. A reasonable option for users who want anonymity without the complexity of Briar, though its cryptographic protocol differs from Signal's and has received mixed reviews from security researchers.
Email Providers #
Email wasn't built for privacy, but choosing a provider with strong encryption and a no-logs policy gets you much closer to it.
Proton Mail is one of the most trusted private email providers with end-to-end encrypted between Proton users, with zero-access encryption for everything stored on their servers. Works well as a standalone service or as part of the broader Proton ecosystem.
Tuta is a fully open source, end-to-end encrypted email provider with a strong privacy track record. Notable for encrypting not just message content but also subject lines and metadata—going further than most providers in the category.
Self-hosting email is often assumed to be the most private option, but the reality is more nuanced. Deliverability issues, misconfiguration risks, and ongoing maintenance make it a challenging fit for most people. Read the linked guide before going down this path. We generally don't recommend it unless you have the technical confidence to justify it.
Fastmail is arguably the most polished and feature-complete option on this list, with a fast, reliable experience across all platforms. It doesn't offer end-to-end encryption, so it's not the right choice for high-risk threat models. But for users upgrading from Gmail who want better privacy without compromises on usability, it's hard to beat.
StartMail is a paid, encrypted, privacy-focused email service with a clean interface and built-in disposable email alias support. A reasonable option for users who want a straightforward private email experience without the complexity of a full ecosystem.
Mailbox.org is a privacy-respecting email provider with a broad feature set including calendar, contacts, cloud storage, video conferencing, and office tools alongside email. An all-in-one experience for those who desire a powerful, flexible solution.
Aliasing Services #
Aliasing lets you use services without sharing your real information. This limits data sharing and damage when breaches happen.
MySudo provides alias phone numbers, email addresses, and browser profiles. Useful for compartmentalizing your identity across different areas of life. As with any aliasing service, you're consolidating trust into one provider rather than spreading it across many.
Privacy.com lets you generate virtual debit cards for online purchases, keeping your real card details off websites and making it easy to cancel a card tied to any specific service. US only, and as with any aliasing service, trust shifts to Privacy.com rather than being eliminated.
Proton Pass is a password manager with built-in email aliasing powered by SimpleLogin, letting you create and manage aliases directly alongside your passwords without switching apps. The most integrated approach to aliasing if you're already in the Proton ecosystem.
SimpleLogin is a dedicated email aliasing service that lets you create unique addresses for every site, keeping your real email private along the way. Self-hostable, compatible with any email provider, and available directly inside Proton Pass if you prefer an integrated experience.
addy.io is an open source email aliasing service with one of the most generous free tiers available—including unlimited aliases. The primary alternative to SimpleLogin, also compatible with any email provider.
Guerrilla Mail generates temporary, disposable email addresses instantly, no account needed. Useful for one-off signups where you don't want to expose a real address or create a permanent alias. A quick tool for throwaway situations.
Password Managers #
Reusing passwords is one of the biggest security risks online. A password manager makes unique, strong credentials effortless.
Bitwarden is a reliable, open source, cloud-based password manager with zero-knowledge encryption, meaning only you can access your vault. It works well across all platforms and supports self-hosting if you'd rather not rely on their servers.
Proton Pass is a polished, easy-to-use, encrypted password manager from the Proton ecosystem. The standout feature is built-in email aliasing which is useful for keeping your real address off sites you don't fully trust. A strong pick if you're already using Proton services.
KeePass is one of the most secure and customizable password managers available, storing your vault locally rather than in the cloud by default. It takes more setup than most options, but our recommended clients below make the experience significantly smoother.
1Password is a polished, proprietary password manager with a strong privacy and security track record. A reasonable choice if the open source options don't fit your workflow. It comes at a cost, is proprietary, and doesn't offer self-hosting.
KeePass Clients #
KeePass stores your vault locally, giving you full control over your credentials without trusting a third-party cloud service.
Strongbox is a polished KeePass client for iOS and macOS with deep Apple ecosystem integration. It supports end-to-end encrypted iCloud sync as well as local network sync for users who prefer to keep their vault off the cloud entirely.
KeePassDX is the recommended KeePass client for Android, with a modern interface and strong community trust. Available on both F-Droid and the Google Play Store.
KeePassium is an open source KeePass client for iOS and macOS with a clean, intuitive interface. A solid choice for Apple users who want full transparency into what their password manager is doing.
Two-Factor Authentication #
A second layer of login verification ensures a stolen password alone isn't enough to access your accounts.
Ente Auth is a cross-platform TOTP authenticator with end-to-end encrypted cloud sync, meaning your codes are backed up and accessible across devices without Ente being able to read them. Can be used offline without an Ente account. Available on iOS, Android, desktop, and web.
Proton's TOTP authenticator brings the same end-to-end encrypted sync as the rest of the Proton ecosystem. A natural fit if you're already using Proton Pass or other Proton services. Can be used offline without a Proton account. Available on iOS, Android, and desktop.
YubiKey is the most widely trusted hardware security key for phishing-resistant two-factor authentication. Significantly stronger than TOTP for protecting high-value accounts. If your most critical accounts support hardware keys, they are worth the investment.
2FAS is a TOTP authenticator that keeps your codes off third-party servers entirely. Backups go to your own personal cloud storage, not 2FAS infrastructure. The optional browser extension adds convenience without compromising that approach.
Aegis is a clean, reliable TOTP authenticator for Android with encrypted local backups and no cloud dependency. The go-to pick for Android users who prefer to keep their codes strictly on-device. Android-only.
Data Removal Services #
Data brokers compile and sell dossiers about you from public records, app permissions, and breach data. These services automate the opt-out process.
DuckDuckGo Personal Information Removal is a paid service that scans data broker sites and submits opt-out requests on your behalf. Bundled with VPN and Identity Theft Restoration in DuckDuckGo's Privacy Pro plan. US-only at the moment, runs locally on your machine.
EasyOptOuts is an affordable, automated data broker removal service that's been independently verified via Consumer Reports research. The best value option currently available for US users who want ongoing automated removal. Not local, requires trusting EOO.
Optery's free tier is useful for scanning data broker sites to see where your information appears. Helpful for manual opt-outs or verifying another service did its job. The automated paid plan is effective but significantly more expensive than EasyOptOuts. Also verified by Consumer Reports research. Not local, requires trusting Optery.
The Big Ass Data Broker Opt-Out List is a community-maintained directory of data brokers, each paired with step-by-step removal instructions. Free and exhaustive. The trade-off versus paid services like EasyOptOuts is that you do the manual work yourself.
California's Delete Request and Opt-out Platform is a state-run, free service mandated by the DELETE Act. California residents can submit a single deletion request that all registered data brokers must honor starting August 1, 2026. A high-leverage privacy lever available to Californians that's free.
Desktop Operating Systems #
Your OS is the foundation everything else runs on—what you choose shapes your baseline privacy and security from the ground up.
Asahi Linux is the project bringing native Linux support to Apple Silicon Macs through reverse-engineered drivers. Fedora Asahi Remix is the recommended distribution. A natural fit for Apple Silicon owners who want to dual-boot with macOS rather than replace it outright.
Fedora is a well-maintained Linux distribution with strong security defaults and a reliable release cycle. It's a solid starting point for most users moving to Linux. For an even more hardened experience, Fedora Silverblue offers an atomic variant with additional security improvements.
Not all Linux distributions are equal in their privacy and security defaults, but nearly all offer significantly more transparency and user control than Windows. If you're not sure where to start, visit Distrochooser below to find a distro that fits your needs and experience level.
Qubes isolates applications and entire operating systems into separate virtual machines, so a compromise in one environment can't affect the others. One of the most secure desktop setups available, but it demands capable hardware and a willingness to learn a fundamentally different way of working.
Tails is a live operating system you boot from a USB drive. It routes all traffic through Tor and leaves no trace on the host machine when you're done. Designed specifically for situations where you need privacy without a long-term setup.
Whonix runs as a pair of virtual machines: one acting as a Tor gateway, one as the user-facing workstation. This means all traffic is routed through Tor by design, with no chance of IP leaks. Pairs well with Qubes for a hardened, anonymous desktop environment.
macOS is a reasonable choice for users who need or prefer to stay on Apple hardware. It offers meaningfully better privacy and security defaults than Windows despite being proprietary. Decent protection out of the box, can be improved with hardening to cover many threat models well. See our macOS hardening guide below for the full setup.
Computer Hardware #
Most laptops ship with proprietary firmware and limited OS choice—these manufacturers go the other way, with open firmware, full repair docs, and first-class Linux support.
Framework laptops are designed for repairability and modularity from the ground up. Swap your own ports, RAM, storage, and even mainboard generations. Officially supports Linux as a first-class OS. The strongest pick for users prioritizing long-term ownership and the right to repair.
System76 designs Linux laptops and desktops out of Denver, Colorado, and ships its own distribution Pop!_OS preinstalled. Open-source firmware (Coreboot) on most current models. A solid one-stop pick for users who want first-class Linux support without configuration headaches.
NovaCustom is a Dutch laptop manufacturer focused on privacy-respecting hardware. Has options for Coreboot firmware, hardware kill switches via firmware, QubesOS support—and a choice of Linux distros or Windows preinstalled. Also sells the SHIFTphone 8.1 with iodeOS preconfigured. Accepts Monero and offers a local pickup option.
Tuxedo Computers is a German manufacturer building Linux laptops and desktops, with TUXEDO OS (Ubuntu-based) preinstalled. Solid hardware-Linux integration and EU-based support, similar in spirit to System76 with a European footprint.
BusKill is an open-source USB dead-man switch. It's a magnetic breakaway cable that triggers a configurable action (lock, shut down, panic-wipe) when yanked from your laptop. Can be used with any drive, and can be 3D-printed from scratch. Designed for journalists, activists, and high-risk users who need a fast hardware-level response if separated from their device.
Android Operating Systems #
Stock Android ships with deep Google integration by default. Custom ROMs let you reclaim control over what your phone shares.
CalyxOS maintains quality protection for most users, offering app compatability via MicroG at various privacy levels with support for a number of different devices. Developed by a non-profit Calyx Institute with moderate device compatability. Recently resumed updates in testing after an infrastructure overhaul—public release coming soon.
GrapheneOS prioritizes security, hardened at the OS level with strong sandboxing, and able to run Google Play apps via GSF in an isolated environment without granting them full system access. Currently requires a Google Pixel device, with a Motorola partnership hoping to add more options in the future.
LineageOS is a de-Googled Android option with broad device compatibility, useful for extending the life of older or end-of-support hardware that no longer receives official updates. The 'LineageOS for microG' project enables MicroG for app compatibility.
/e/OS is a de-Googled Android distribution from the Murena project, with MicroG built in and a curated default app suite. Available pre-installed on Murena hardware or flashable to a wide range of supported devices.
iodeOS is a French-developed de-Googled Android ROM with built-in tracker blocking at the OS level. Supports a wide range of devices and emphasizes a clean, ad-free user experience out of the box. Pairs well with the iodé companion app for ongoing tracker analytics on Fairphone or Teracube devices.
Mobile Hardware #
The phone is the most surveilled device you own—these manufacturers prioritize repairability, OS choice, and long-term support over the usual lock-in.
Fairphone designs modular, repairable smartphones built to last. The latest Fairphone 6 ships with stock Android but is widely supported by privacy-focused alternatives like CalyxOS, /e/OS, and iodeOS. The strongest pick for users who want a long-lifespan phone with real OS choice.
NitroPhone is a Pixel device sold by Nitrokey with GrapheneOS preinstalled. Hardware modifications like microphone removal and camera shutters are available as add-ons. A turnkey option for users who want GrapheneOS without flashing it themselves.
Murena sells smartphones preloaded with /e/OS, the de-Googled ROM that replaces Google services with privacy-respecting alternatives. Their current lineup is built around Fairphone and SHIFTphone, giving you /e/OS and other software out of the box without flashing anything yourself.
SHIFTphone is a small German manufacturer focused on sustainability, fair labor, and long-term support. The current Shiftphone 8 can be ordered preinstalled with iodeOS through NovaCustom—a clean way to skip the de-Googling process entirely.
App Stores & Distribution #
Where you get your apps matters. Alternative stores give you more control over what runs on your device and who tracks it.
Aurora Store is an open source client for the Google Play Store that lets you download and update apps without a Google account. Useful for accessing Play Store apps on a de-Googled device or simply without tying downloads to your identity. Still enables optional Google login.
F-Droid is the go-to app store for open source Android apps, with every listing verified to be free and open source. A strong complement to the Play Store, or a replacement for it if you're running a de-Googled device. Allows third-party repos for greater app availability.
Obtainium installs and updates apps directly from their source—GitHub, GitLab, developer websites, and more without going through any app store. Ideal for staying current on open source apps that aren't available on F-Droid or update there slowly.
AltStore lets iOS users sideload apps outside the App Store by installing IPA files directly. Apple's restrictions keep the experience limited in most regions, though users in the EU can use AltStore PAL for a significantly less restricted sideloading experience thanks to the Digital Markets Act.
Firewall Tools #
Firewalls let you monitor and block what your apps communicate with, giving you visibility into outbound traffic you'd otherwise never see.
RethinkDNS is an open source Android app that combines DNS-based ad and tracker blocking with firewall controls. Covers all apps on the device, not just your browser. One of the most capable privacy tools available on Android.
Little Snitch is a polished, feature-rich macOS firewall with detailed network monitoring and per-app connection rules. The paid option for users who want the most refined experience on macOS.
Lulu is a free, open source macOS firewall that alerts you when an app tries to make an outbound connection, letting you allow or block it. A capable option if you want Little Snitch-style control without the cost.
Portmaster is a full-featured firewall for Windows and Linux that gives you granular control over every app's network connections. A strong pick if you want to see and control exactly what your device is talking to.
Cloud Storage Providers #
Most cloud providers can read your files. End-to-end encrypted services keep your data private even from the provider hosting it.
Proton Drive is an end-to-end encrypted cloud storage service in the Proton ecosystem. Platform support has been expanding steadily with Proton Docs and Proton Sheets existing in a Google Drive-inspired workspace. A natural fit if you're already using other Proton services.
Cryptomator encrypts your files locally before they ever reach the cloud, so providers like Google Drive, Dropbox, or iCloud only ever see encrypted data. A practical way to keep using the cloud storage you already have without handing over access to your files.
Nextcloud is a self-hostable suite covering files, photos, contacts, calendar, and more. It's the closest open source equivalent to Google Workspace. E2EE is now available as well for even greater control over data.
Syncthing syncs files directly between your own devices over your local network or the internet. No cloud storage involved, no third party ever sees your files. A reliable, set-and-forget solution for keeping folders in sync across computers and phones.
OnionShare lets you share files, host temporary websites, and chat directly from your device over the Tor network. No central server, no account, no third party involved. A private way to send files to someone when it genuinely matters.
Filen is an end-to-end encrypted cloud storage service with a clean, modern interface and a generous free tier. Goes beyond basic file storage with photo backup, notes, and encrypted chat—all under the same E2EE umbrella.
Notes & Photos #
Notes and photos often contain sensitive personal information. Services that encrypt locally with E2EE keep that data out of reach by default.
Cryptee is an end-to-end encrypted home for your notes, documents, and photos—all in one place, accessible via browser as a PWA. Designed around personal privacy first, with the ability to share photos selectively when you choose to.
Ente is an end-to-end encrypted photo and video backup service. A privacy-respecting alternative to Google and Apple Photos. Your memories are encrypted before they leave your device, meaning only you can access them.
Notesnook is a fully-featured, end-to-end encrypted notes app with a polished interface across all platforms. A strong pick for users who want the familiar feel of Notion or Evernote without handing over their notes to a third party.
Proton Docs and Proton Sheets are end-to-end encrypted, real-time collaborative documents and spreadsheets that ship as part of Proton Drive. A rare combination of E2EE and Google Docs-style collaboration, well-suited to teams already in the Proton ecosystem.
Joplin is an open source, offline-first notes app with full Markdown support and optional sync via your own cloud storage like Nextcloud, Dropbox, or a Joplin server you control. The right pick for users who want complete ownership over where their notes live. Can also be used with Joplin's own cloud.
Lunatask is an encrypted, all-in-one productivity app covering tasks, habits, notes, and mood tracking. One of the few life management tools that takes privacy seriously, with end-to-end encryption across all your data.
Standard Notes is a no-frills, end-to-end encrypted notes app focused on longevity and simplicity. Syncs across unlimited devices on the free tier. A reliable choice for users who want something that will still work exactly the same way over time.
Encryption Tools #
Encryption protects your files and drives so that physical access to your device doesn't mean access to your data.
Cryptomator encrypts your files locally before they ever reach the cloud, so providers like Google Drive, Dropbox, or iCloud only ever see encrypted data. A practical way to keep using the cloud storage you already have without handing over access to your files.
VeraCrypt lets you create encrypted volumes for sensitive files, or on supported operating systems it can encrypt your entire disk. The most robust local encryption option available. Worth the learning curve for anyone with serious data protection needs.
GnuPG (GPG) is a versatile, open source encryption tool commonly used for encrypting files, email, and verifying software signatures. It's one of the most powerful options available, but comes with a steeper learning curve than most tools on this list.
AI & LLMs #
AI tools are powerful but often data-hungry—privacy-respecting options let you benefit from them without feeding your inputs into training pipelines.
Duck.AI is a free, private chat interface to popular models including GPT, Claude, Llama, and Mistral. DuckDuckGo strips identifying information before forwarding queries, and conversations are not used for training. Available in the web and in the DuckDuckGo Browser.
Proton Lumo is a privacy-respecting AI assistant in the Proton ecosystem. Chat history is end-to-end encrypted with zero-access encryption tied to your Proton account, and queries are not used for training. Ghost mode leaves no record at all.
Jan.AI is a desktop app for running open-source LLMs locally on your own machine—no internet connection required for inference. A solid pick if you want AI capabilities without any data leaving your device.
Cryptocurrency Tools #
Privacy-focused cryptocurrencies and wallets let you transact without leaving a permanent, public record tied to your identity.
Cake Wallet is an open source wallet with strong support for Monero and Zcash alongside Bitcoin and other privacy-focused technologies including Silent Payments and Litecoin MWEB. Built-in exchange functionality, Cake Pay, hardware wallet support, and no account required.
Monerujo is one of the longest-standing Monero wallets for Android, with built-in node selection and direct swap integrations. Available via F-Droid for users who want to keep their wallet outside Google Play.
Monero is the gold standard for private cryptocurrency transactions. Private by default, meaning every transaction hides sender, receiver, and amount without any extra steps. Widely adopted in the privacy community and under active development, with FCMP++ set to further strengthen its anonymity guarantees.
Trezor is a hardware wallet line from SatoshiLabs covering self-custody for a wide range of cryptocurrencies. Notable for being one of the few hardware wallets with fully open-source firmware, making it a strong pick for users who prioritize verifiable code over convenience features.
Bisq is a peer-to-peer, decentralized Bitcoin exchange with no KYC requirements and no central party involved in trades. The most established option for acquiring Bitcoin without identity verification.
Cupcake is a companion app from Cake Labs designed to pair with Cake Wallet for offline-signing and air-gapped transaction workflows on a secondary device. Useful for users who want a cold-storage style setup without dedicated hardware.
Ledger is a popular hardware wallet line with broad cryptocurrency support and the Ledger Live companion app. Firmware is partially closed-source, and they have a mixed security history. But ultimately will still provider additional protection for most users.
Zcash was the first cryptocurrency to implement zero-knowledge proofs for private transactions. Worth noting that privacy is opt-in rather than default—users must actively choose shielded transactions to get the full privacy benefit.
Other Utilities #
A collection of tools that don't fit neatly elsewhere but still play a meaningful role in a well-rounded privacy and security setup.
AlternativeTo is a community-driven directory for finding software alternatives. Useful as a starting point when looking to replace a tool with something more privacy-respecting. Filter by open source or platform to narrow results quickly.
BleachBit is an open source tool for securely deleting files and clearing system data like browser history, temporary files, logs, and more. A straightforward way to reduce the digital footprint left on your own machine.
Dangerzone converts potentially dangerous files like PDFs, Office documents, and images into safe versions by processing them in an isolated container before you open them. It's a safe way to handle attachments from untrusted sources.
Objective-See is a collection of free, open source macOS security tools built by former Apple engineer Patrick Wardle—including LuLu, BlockBlock, KnockKnock, and more. Worth bookmarking if you're serious about macOS security.
Proxystore is a German-based privacy marketplace selling vouchers and gift cards for tools like Mullvad, IVPN, Tuta, and others. Pays anonymously with Monero, Bitcoin, or cash by mail—useful for paying for privacy services without tying them to your real identity.
PrivacyPost is a virtual mail forwarding service with end-to-end encrypted document scanning backed by Proton Mail. Lets you receive physical mail under an alias, with anonymous payment options including money order and crypto. A strong pick for high-threat-model users who need a real-world address without exposing their own.
Digital Rights Organizations #
These organizations advocate for the laws and policies that protect your digital rights at a systemic level. Follow and support them!
Digital Rights Creators #
Educators and creators who help make privacy and security approachable. We don't have all the answers, so these creators offer different perspectives.
External Guides #
Curated external resources that go deeper on specific topics, from the communities and researchers we trust.
