Let's Talk Security

April 4, 2026

When you sign up for a new platform, there's always that moment of hesitation. Can I trust these people with my password? What happens to my data?

We get it. And we think you deserve a straight answer.

We never see your password

When you create an account with an email and password, your password is hashed before it's stored. That means we convert it into an irreversible string of characters using an industry-standard algorithm called bcrypt.

What does that mean in practice?

  • We can't read your password. Not us, not our database, not anyone.
  • Even if our database were compromised, attackers would get a useless hash, not your actual password.
  • When you log in, we hash what you type and compare it to the stored hash. If they match, you're in. The original password is never stored or transmitted in plain text.

This is the same approach used by banks, major tech companies, and security-focused platforms worldwide.

Signing in with Google is even safer

If you sign in with Google, your password never touches our system at all. Here's how it works:

  1. You click "Sign in with Google"
  2. Google handles the entire authentication on their side
  3. Google tells us "yes, this person is who they say they are" and gives us your name and email
  4. We create or find your account — no password involved

This is called OAuth, and it's the gold standard for authentication on the web. You're trusting Google — a company that spends billions on security — to verify your identity, and we simply accept their confirmation.

The benefits are real:

  • No password to steal. There's nothing for us to leak because we never had it.
  • Google's security protects you. Two-factor authentication, suspicious login detection, and everything else Google offers — it all applies.
  • One fewer password to remember. And one fewer password that could be reused or guessed.

What about my data?

Your reading history, your choices in stories, your account details — all stored securely. All communication between your browser and our servers is protected by SSL/TLS encryption, so your data is safe in transit.

On top of that, sensitive data gets an extra layer of protection before it's stored. Your password is hashed with bcrypt — an industry-standard algorithm — so even we can't read it. And if you provide an API key for AI-assisted writing, it's encrypted with AES-256-GCM before it reaches the database. The raw key is never stored.
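
Here is what encrypting an API key with AES-256-GCM before storage can look like in Node.js. This is an added example, not Untell's own code: the function names, the `nonce || tag || ciphertext` storage layout, and the choice to bind each record to a user ID are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const NONCE_LEN = 12; // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt one API key for storage. userId is bound as associated data (AAD),
// so a record copied into another user's row fails authentication.
function sealApiKey(masterKey, userId, apiKey) {
  if (masterKey.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, nonce);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  // Assumed stored layout: nonce || tag || ciphertext, base64-encoded
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a stored record; throws if key, nonce, tag, ciphertext or AAD differ.
function openApiKey(masterKey, userId, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < NONCE_LEN + TAG_LEN) throw new Error('record too short');
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, nonce,
    { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when the record authenticates and decrypts, false otherwise.
function verifies(masterKey, userId, stored) {
  try { openApiKey(masterKey, userId, stored); return true; } catch { return false; }
}

// Demo with constructed values (not a real key or account).
const demoKey = crypto.randomBytes(32); // in practice loaded from a secret store
const record = sealApiKey(demoKey, 'user-1', 'sk-constructed-example');
console.log('stored record:', record);
console.log('round trip ok:', openApiKey(demoKey, 'user-1', record) === 'sk-constructed-example');
console.log('other user can open:', verifies(demoKey, 'user-2', record));
```

Because GCM is authenticated encryption, a record that has been modified in the database is rejected on decryption instead of yielding a corrupted key.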

We don't sell your data. We don't share it with advertisers. We're building a platform for storytelling, not a data harvesting operation.

Our commitment

Security isn't a feature we ship once and forget. It's an ongoing practice. We stay current with best practices, we use established and audited authentication libraries, and we treat your trust as something we have to earn every day.

If you have questions about how we handle your data, reach out. We're happy to talk about it.

— The Untell Team
