Private fields — serial number and purchase price
Two fields on every item are encrypted at the application layer with a per-account key before they are stored: serial number and purchase price (EUR). This is server-side encryption (the server encrypts on save and decrypts on view), not end-to-end encryption with a key only you hold. They appear in their own visually distinct section on the item form, with a shield icon, so it's obvious they get special treatment.
Why these specifically
These two fields are the high-value data for insurance claims and theft recovery. Insurers ask for them first. Police ask for the serial number when reporting stolen property. They're also the fields you most don't want leaking accidentally.
Most other fields (title, brand, model, photos) are useful even when shared — "is this the cookware set in your shed?". Serial number and purchase price aren't. Those are between you, your insurer, and your bank.
How the encryption works
When you save an item with a serial number:
- The plaintext value goes into the request to our server over HTTPS.
- The server retrieves your account's encryption key.
- AES-256-GCM encrypts the value with a fresh random 96-bit IV. A new IV is generated on every save; an IV must never repeat under the same key, or GCM loses both its confidentiality and its integrity guarantees.
- The IV + ciphertext + authentication tag are stored in the serial_number_enc column.
- The plaintext is discarded.
When you view the item:
- The server retrieves the ciphertext.
- Decrypts with your key.
- Sends plaintext back over HTTPS.
The plaintext only exists in two places: the form input on your screen, and the server's memory for the duration of the request that's saving or reading it. The database column holds only the IV, ciphertext and tag. We don't log it, we don't email it, we don't include it in audit logs.
What's NOT in scope
- Description field — plaintext. Don't put a serial number in the description.
- Title, brand, model — plaintext. Don't put a price in the title.
- Photos — not application-encrypted. Don't take a photo of your serial number plate (unless you also blur it).
In shares and listings
Private fields are NEVER included when you generate a share link or list on the marketplace. The share view shows the item with these two fields explicitly missing.
We have a regression test for this — every release cycle, we automatically generate a share, decode the share view's HTML, and assert that no plaintext serial number / purchase price appears. The test is in the share-leak group.
In account exports
When you export your data via GDPR data-export, the export DOES include your private fields in plaintext (they're your data, you're entitled to them). The export file is a ZIP encrypted with a one-time password sent to your verified email address.
A common mistake
Putting the serial number in the title — "Sony A7 IV — serial 12345678" — defeats the encryption entirely. Anyone you share this item with sees the title.
If you find yourself doing this, move the serial to the encrypted field and put just "Sony A7 IV" in the title.
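The share-leak regression test described under "In shares and listings", and the title mistake described just above, can be written as one check: render the share view, decode the HTML the way a browser would, and search the decoded text for every plaintext form the private fields could take. The following is an added example, not the project's own test code; the field names, the constructed sample item, the hypothetical `render_share_view` renderers and the `find_private_leaks` function are all assumptions of the example.

```python
import html
from decimal import Decimal
from typing import Dict, List, Set
from urllib.parse import unquote

# Assumed field names; the page only names the fields in prose.
PRIVATE_FIELDS = ("serial_number", "purchase_price_eur")
PUBLIC_FIELDS = ("title", "brand", "model", "description")

# Constructed sample item for the example (not real data).
SAMPLE_ITEM: Dict[str, object] = {
    "title": "Sony A7 IV",
    "brand": "Sony",
    "model": "ILCE-7M4",
    "description": "Body only, bought new.",
    "serial_number": "12345678",
    "purchase_price_eur": Decimal("2699.00"),
}


def render_share_view(item: Dict[str, object]) -> str:
    """Hardened renderer: an allow-list of public fields, everything else dropped."""
    rows = "".join(
        f"<dt>{html.escape(f)}</dt><dd>{html.escape(str(item[f]))}</dd>"
        for f in PUBLIC_FIELDS
        if f in item
    )
    return f"<dl>{rows}</dl>"


def render_share_view_leaky(item: Dict[str, object]) -> str:
    """The mistake the test exists to catch: a deny-list that forgets one private field."""
    rows = "".join(
        f"<dt>{html.escape(f)}</dt><dd>{html.escape(str(v))}</dd>"
        for f, v in item.items()
        if f != "serial_number"          # purchase_price_eur is forgotten here
    )
    return f"<dl>{rows}</dl>"


def price_variants(price: Decimal) -> Set[str]:
    """Every textual form the price could plausibly be rendered in."""
    q = price.quantize(Decimal("0.01"))
    plain = f"{q}"                       # 2699.00
    grouped = f"{q:,.2f}"                # 2,699.00
    de_style = grouped.translate(str.maketrans(",.", ".,"))  # 2.699,00
    variants = {plain, grouped, de_style, grouped.replace(",", " ")}
    if q == q.to_integral_value():
        variants.add(str(int(q)))        # 2699, as in "2699 EUR"
    return variants


def find_private_leaks(share_html: str, item: Dict[str, object]) -> List[str]:
    """Decode the share HTML (entities, then URL-encoding) and report which
    private fields appear in plaintext. An empty list means no leak."""
    decoded = unquote(html.unescape(share_html))
    leaks: List[str] = []
    serial = str(item.get("serial_number") or "")
    if serial and serial in decoded:
        leaks.append("serial_number")
    price = item.get("purchase_price_eur")
    if price is not None and any(v in decoded for v in price_variants(Decimal(str(price)))):
        leaks.append("purchase_price_eur")
    return leaks


if __name__ == "__main__":
    print(find_private_leaks(render_share_view(SAMPLE_ITEM), SAMPLE_ITEM))
    print(find_private_leaks(render_share_view_leaky(SAMPLE_ITEM), SAMPLE_ITEM))
```

Decoding before searching matters: a renderer that emits the serial as numeric character references (`&#49;&#50;...`) still leaks it to every browser, and a search over the raw HTML would miss it. The same check flags the "serial in the title" mistake, because the title is a public field and the serial string then appears in the decoded share view regardless of how carefully the private fields themselves are omitted.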
Tamper detection
GCM is an authenticated encryption mode: the authentication tag is verified before any plaintext is returned. If someone (us, an attacker, a database tool) flips even one bit of the IV, ciphertext or tag stored in serial_number_enc, the tag check fails, decryption returns nothing, and the item view shows "⚠ This field couldn't be decrypted (data may have been tampered with)."
What if I lose my encryption key?
You can't lose it directly, because you never hold it: the key is derived on the server from the master server key plus your user ID. But if our master key were lost (multi-region backup failure), we'd lose the ability to decrypt every account's encrypted fields; the plaintext would be gone. We back up the master key in two physically separated locations, and we rotate it on a scheduled basis, re-encrypting the stored fields on the fly under the new key.
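The save and view flow from "How the encryption works", the tamper detection from the previous section, and the key derivation and rotation described here fit in one small module. The following is an added example, not the project's own code: it uses the `cryptography` package's AES-GCM and HKDF, and the choice of HKDF-SHA256 with the user ID as the info string, the IV || ciphertext || tag column layout, the constructed master key, and the use of the item's row ID as associated data (so a blob copied from another item's row also fails to decrypt) are all assumptions of the example rather than facts the page states.

```python
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

NONCE_LEN = 12   # 96-bit IV, the nonce size GCM is designed around
TAG_LEN = 16     # 128-bit authentication tag (AESGCM.encrypt appends it)

# Constructed sample master key for the example only. The real one lives in
# the server's key store, never beside the ciphertext.
MASTER_KEY = bytes.fromhex("9f" * 32)

DECRYPT_FAILED_MESSAGE = (
    "\u26a0 This field couldn't be decrypted (data may have been tampered with)."
)


def derive_user_key(master_key: bytes, user_id: str) -> bytes:
    """Per-account AES-256 key from the master key plus the user ID.
    HKDF-SHA256 with the user ID in the info string is this example's
    assumption about how the derivation works."""
    hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        info=b"private-field-key:v1:" + user_id.encode("utf-8"),
    )
    return hkdf.derive(master_key)


def encrypt_field(user_key: bytes, plaintext: str, row_id: str) -> bytes:
    """Return IV || ciphertext || tag, the layout stored in a *_enc column.
    A fresh random IV on every save: GCM is broken if an IV repeats under
    the same key. row_id is authenticated as associated data (assumption)."""
    nonce = os.urandom(NONCE_LEN)
    ct_and_tag = AESGCM(user_key).encrypt(
        nonce, plaintext.encode("utf-8"), row_id.encode("utf-8")
    )
    return nonce + ct_and_tag


def decrypt_field(user_key: bytes, blob: bytes, row_id: str) -> Optional[str]:
    """Return the plaintext, or None if the blob is malformed or the tag
    check fails (any bit of IV, ciphertext or tag changed, wrong key,
    or blob moved to a different row)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct_and_tag = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        pt = AESGCM(user_key).decrypt(nonce, ct_and_tag, row_id.encode("utf-8"))
    except InvalidTag:
        return None
    return pt.decode("utf-8")


def view_field(user_key: bytes, blob: bytes, row_id: str) -> str:
    """What the item view renders: the plaintext, or the tamper warning."""
    pt = decrypt_field(user_key, blob, row_id)
    return DECRYPT_FAILED_MESSAGE if pt is None else pt


def flip_bit(blob: bytes, bit_index: int) -> bytes:
    """Simulate a database tool corrupting a single bit of the stored column."""
    out = bytearray(blob)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def rotate_master_key(old_master: bytes, new_master: bytes,
                      user_id: str, blob: bytes, row_id: str) -> bytes:
    """Re-encrypt one stored blob under the new master key (the
    "re-encryption on the fly" step of a scheduled rotation)."""
    pt = decrypt_field(derive_user_key(old_master, user_id), blob, row_id)
    if pt is None:
        raise ValueError("refusing to rotate a blob that fails authentication")
    return encrypt_field(derive_user_key(new_master, user_id), pt, row_id)


if __name__ == "__main__":
    key = derive_user_key(MASTER_KEY, "user-42")
    blob = encrypt_field(key, "12345678", "item-7")
    print(view_field(key, blob, "item-7"))
    print(view_field(key, flip_bit(blob, 100), "item-7"))
```

Rotation refuses to carry forward a blob that fails authentication: re-encrypting corrupted data under the new key would silently turn a detectable tamper into a permanently unreadable field with no record of when it broke.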