Most family messaging today happens on platforms that weren’t built for families. They were built for advertisers, or for power users, or for everyone — which usually means for nobody in particular. The result is a strange compromise: kids on apps designed for adults, parents wishing they could see what’s being said, grandparents on a different platform entirely, and a steady leak of metadata to companies that shouldn’t have it.

We started Shoal because we wanted something narrower and stricter. A messaging app that does one thing — let a family talk to itself privately — and does it without the usual trade-offs.

What’s different

Encryption runs through everything. Every message is encrypted on the sending device with AES-256-GCM before it leaves. Per-message keys are wrapped to each recipient using ECDH P-256. Almost everything else we store about you — your display name, your profile picture, your device labels, your routing metadata — is encrypted at rest under a server-side environment secret. The only personal data we hold in plaintext is your email address, because we need it to send you sign-in emails. There’s an honest architectural limit to all of this; we describe it in detail on the privacy page.

Admin oversight is explicit. Family admins can read conversations involving children on devices they manage. This is a normal thing parents want, and we’d rather build it openly than pretend it doesn’t matter. The mechanism is the same as every other recipient: the admin’s public key is one of the wraps on each message. Visibility lives in the client, between cryptographic recipients — there’s no server-side decryption involved.

Kids don’t need email. Adding a child to your family generates a pairing code. The child scans a QR or follows a one-time URL on their device and they’re in. No inboxes, no usernames to remember, no platform to hand a young child the keys to.

No ads. No tracking. No analytics SDKs. The business model is families paying a small amount for a tool that works. That’s it.

Where we are

Shoal is live for early users. The features pages cover what’s shipping today; the security page goes into the cryptography in detail, and the privacy page is honest about the architectural limits. We’ll write more here as we ship — about the engineering, the threat model, and the surprisingly knotty design questions that come with building software for two-year-olds and seventy-year-olds at the same time.

If you’d like to be part of it, open Shoal or get in touch at hello@shoal.chat.