Roadmap - boopr

Shipping at launch

What's on boopr on day one

The launch set is intentionally narrow: a feed, the people you know, and the tools to share with them. No For You tab, no suggested posts, no follower count.

Chronological feed. Your friends' posts, newest first. No algorithm deciding what you see.
Posts. Photos, text, and GIFs for everyone. Video and photo albums (2-20) on boopr+.
Profiles. Name, bio, avatar, birthday. All encrypted, all visible only to your friends.
Boops. Quick photo or video snaps to specific friends, gone after they're seen.
Friend codes and invites. Exchange codes in person or by QR. 25 invites per person, 100 on boopr+.
Audiences. Pick who sees each post. Audiences live on your device only; the server never sees them.
Screenshot narc. If someone screenshots a boop or a chat, the other person's phone pings within a second.
Hardened storage. Your keys live in your phone's secure hardware, not in regular app storage.
Recovery. Tap Settings > Security to see your 24-word recovery phrase. It restores your account on a new device, and it's free for everyone, always.
Push notifications. Wake-up pings only. The notification itself carries no content or sender info.

Coming next

Built but not launched yet

These three features are built and tested but held back for the public launch. The feed, posts, and profiles are enough to make boopr worth using on its own; we'd rather ship that tight and add the rest once we see how the invite-only community scales. These are post-launch features. We'll share dates when each one is closer to ready.

Direct messages

One-on-one conversations with a friend. Text, photos, and GIFs on every plan; voice and video messages on boopr+. Messages are encrypted on the Signal Protocol between the two of you, so only you and the person you're talking to can read them.

Why not at launch

DMs have a different threat model than posts (a 1:1 ratchet vs. a per-post session), a different UX, and a different moderation story. We'd rather ship them after we've seen how the feed performs with real users.

What it needs

Photo library access when you pick an image to send. Microphone access when you record a voice message. Camera access when you record a video message. Each of these is asked the first time you use that specific feature, never at signup and never in the background.

How privacy works

Messages are encrypted on your phone, decrypted on theirs. The server relays bytes it can't read.

Groups

A shared feed that a small group of friends can post into: a place for a dinner club, a roommate house, or a trip to plan in one spot. This is distinct from the Audiences you'll already have at launch for post targeting. Those live on your device and pick who sees a post. A shared-feed Group is its own space, with its own invites and members.

Why not at launch

Audiences at launch already answer "who sees this post." Shared-feed Groups add member management, group-level invites, and a separate key-rotation story, all of which we want to get right before it goes live.

What it needs

Same as a regular post: your photo library when you attach an image. Nothing new at the device level.

How privacy works

Posts inside a group are encrypted for that group only. Only members can read them. When someone leaves or is removed, the keys roll so they can't read what's posted after that.

Location sharing

Session-based sharing with specific friends: letting a friend watch your walk home, sharing an ETA on the way to meet up, or letting a small group of friends see each other at a concert for the night. You start a session, you end a session. It's always opt-in and always visible.

Why not at launch

Location is the most privacy-sensitive thing we'd ship. Once the behavior model (opt-in sessions, no always-on) is in users' heads, it's hard to change. We want the background-permission story bulletproof before it's turned on.

What it needs

Foreground location while you're actively sharing. Background location so the session keeps updating when the app isn't open, but only while a session is live, never at other times. You start a session to turn it on, end the session to turn it off, and a visible timer shows the session is running the whole time. There is no silent or always-on tracking.

How privacy works

Your coordinates are encrypted between you and the specific friends you're sharing with. We don't see where you are. Map tiles and place-name lookups will run through our own infrastructure rather than a third-party map service, so your IP and coordinates don't leak to a provider either.

Not at launch

No web, desktop, or iPad client.

boopr is iOS and Android only at launch and isn't on the near-term roadmap for other platforms. The hardware-backed key story (Secure Enclave on iOS, StrongBox on Android) is what makes our privacy claims real; a browser or general-purpose desktop OS is a different threat model with different guarantees. We may revisit if there's a clean way to do it; we don't have one yet.

Planned, no date yet

Encrypted-data export

A Settings option that hands you an encrypted archive of everything we hold for you: posts, profile, audiences, friend list, media. Readable on a new device or independently if we ever shut down, using documented standard primitives (XChaCha20-Poly1305, Ed25519, X25519, HKDF) rather than a proprietary container. The design needs careful work, and we'd rather take the time than ship a half-version, so this isn't at launch. We'll publish a date once the scope is locked.

Not on the roadmap

What we will never build.

A short list. These aren't deferred; they're decisions.

Ads. Anywhere. Ever. boopr+ and your support fund the infrastructure; nobody bids on your attention.
An algorithmic feed. No "for you," no trending, no explore, no suggested posts from strangers. Your feed is the people you chose to follow, newest first.
Selling your data. Not to advertisers, not to data brokers, not to AI training. We can't sell what we can't read, and we built it that way on purpose.
Public follower or friend counts. Your circle isn't a scoreboard.
Stories or ephemeral FOMO timers. If you want something to go away, delete it. We won't design features whose job is to pull you back in.
Cosmetic premium. No avatar rings, chat themes, or name flair for paying users. We tried it. It made the app look worse, not better. boopr+ adds capabilities, never visual status.
Third-party map tiles or GIF search. Those services see the IP and coordinates or queries of everyone who uses them. Not worth it. We'll self-host what we need.
Server-side content moderation of your posts. We can't read your content, so moderation here runs on user reports and invite-chain accountability. There is no server-side scanning to turn on.

What's next on boopr.

What's on boopr on day one

Built but not launched yet

Direct messages

Groups

Location sharing

No web, desktop, or iPad client.

Encrypted-data export

What we will never build.

Day one is August 15, 2026.