19 April 2026 · privacy · product
Codename, not name: how to date when your community has eyes
We removed real names from the platform. Every user is identified by a generated codename. Here is what that fixes, and what it costs.
The first thing every other matchmaking platform asks for is your real name, or a name they will treat as your real name. The second thing is a photo. Together, these two pieces of data are the recognition primitives that make the rest of online dating feel exposed — to colleagues, to relatives, to acquaintances who recognise a face in a coffee shop.
We removed both. We wrote about why we removed photos. This essay is about why we removed real names.
The codename is the only public identity
When you create a PotentialSpouse account, the system generates you a codename. Six words, drawn from the EFF Large Wordlist, joined by hyphens. Something like patio-juniper-orbit-coastal-figment-thrush.
That is the only identifier any other user ever sees. It appears on your profile, on your match wall, on every chat, on every notification. It is also your login — when you log in with codename and password (one of the two auth options, the other being Google), you type the codename into the username field. Your real name does not exist in the platform’s database. We do not have it. We did not ask for it.
There are two consequences worth thinking about, both honest:
- The community-eyes problem disappears. Your aunt cannot Google you. Your colleague cannot recognise you. The man who proposed to you two years ago and is still angry about it cannot find you on a list. There is no list.
- Your data export, downloadable from settings any time, is portable but anonymised. It contains everything you have written, but not “your name” — because we never had it to return to you. (You can import it back later, on a new account, as a backup recovery path. We covered that in the account recovery docs.)
Why six words
The EFF wordlist has 7,776 words. Six of them combined gives roughly 2.2 × 10²³ unique codenames. That is more than the number of grains of sand on Earth, and it gives every PotentialSpouse user a guaranteed-unique handle without ever needing the disambiguation _2025 suffix that other platforms inflict on late arrivals.
The wordlist is a deliberately curated set: each word is at least three letters, no homophones, no obscenity, no ambiguity in spelling. The output is a string that a human can read out loud without spelling it letter by letter, which matters when a friend asks “what’s your handle on that platform” and you do not want to send them a link.
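A sketch of six-word codename generation with the arithmetic behind it, added here as an example and not PotentialSpouse's own code. The function names, the placeholder wordlist (standing in for the real EFF file, which uses the same dice-key, tab, word line format) and the in-memory `taken` set are assumptions.

```python
import itertools
import math
import secrets

WORDS_PER_CODENAME = 6
LIST_SIZE = 6 ** 5  # 7,776 entries, one per five-dice roll 11111..66666

def parse_wordlist(text):
    """Parse 'DDDDD<TAB>word' lines and insist on 7,776 distinct words."""
    words = [ln.split("\t", 1)[1].strip() for ln in text.splitlines() if "\t" in ln]
    if len(words) != LIST_SIZE or len(set(words)) != LIST_SIZE:
        raise ValueError("expected 7,776 distinct words")
    return words

def new_codename(words, taken):
    """Draw six words with the OS CSPRNG; retry if the handle already exists."""
    while True:
        name = "-".join(secrets.choice(words) for _ in range(WORDS_PER_CODENAME))
        # Assumption: a real deployment enforces this with a UNIQUE constraint
        # on the codename column; the set stands in for that here.
        if name not in taken:
            taken.add(name)
            return name

def keyspace():
    """Number of possible codenames: 7,776 ** 6."""
    return LIST_SIZE ** WORDS_PER_CODENAME

def collision_probability(users):
    """Birthday bound: chance that any two of `users` random codenames coincide."""
    return -math.expm1(-users * (users - 1) / (2 * keyspace()))

def constructed_wordlist():
    """CONSTRUCTED stand-in for the real file: placeholder words w11111..w66666."""
    keys = ("".join(d) for d in itertools.product("123456", repeat=5))
    return "\n".join(f"{k}\tw{k}" for k in keys)

if __name__ == "__main__":
    words = parse_wordlist(constructed_wordlist())
    print(new_codename(words, set()))
    print(f"{keyspace():.3e} codenames, {math.log2(keyspace()):.1f} bits")
    print(f"collision chance at 10 million users: {collision_probability(10_000_000):.1e}")
```

The size of the space makes a collision vanishingly unlikely, but uniqueness itself comes from the existence check, which is why the generator retries instead of trusting the draw.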
What the codename costs
Three things.
It costs you intuition. Real names tell you something: gender, often nationality, sometimes age. A codename tells you nothing. The first message in any conversation feels strange because you are addressing patio-juniper-orbit-coastal-figment-thrush and they are addressing meadow-blanket-twilight-station-cardinal-finch.
This is by design. The whole point is that the first thing you know about each other is not name-shaped. The first things are the answers to the dimensions you both filled in: religious practice, parenting plan, work pattern, relationship style. By the time you exchange real names — which, on PotentialSpouse, happens inside the conversation, when both of you decide to — you already know whether you want to know each other’s names.
It costs us a memorable brand of “the user.” When platforms like ours have a viral moment, it is usually because of a story attached to a recognisable name. Codenames make that harder. We trade the marketing surface for the privacy contract. We think that is the right trade for this product.
It changes the recovery story. If you forget your codename and lose access to your password, there is no “we’ll find your account by your email address” path, because we don’t store one. You either still have your data export (in which case there is a recovery flow) or you do not (in which case the account is gone). We have written about this in the FAQ. It is a real limit. We accept it.
What the codename is not
It is not anonymity. We can still link a codename to a session, to a Google ID hash if you used Google to log in, and to your moderation history. Law enforcement with a warrant can compel disclosure of your account. The codename is not designed to protect a user from a determined investigator.
It is designed to protect a user from incidental recognition by people in their daily life. That is a different threat model, and it is the threat model that actually keeps people off existing matchmaking platforms. We solved the right problem.
A note on Google login
PotentialSpouse also supports “sign in with Google” as an alternative to codename + password. Some users prefer this; it is faster. Even when you use Google to authenticate, the platform still generates you a codename — Google gives us only an opaque ID, which we store as a salted hash. Your real name, your email address, and any other Google profile data are not stored on our servers. The codename is still your only public identity.
This is the part where some readers say, “wait, you cannot read my email address even though I logged in with Google?” Correct. We discard it on the OAuth callback. The hash of the Google ID is what links you back to your account on next login; we never needed your email address for anything.
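One way such a callback can keep only a hash of the Google ID, added as an example and not PotentialSpouse's own code. It assumes the ID token has already been verified, that the salt is a single server-side secret (a per-user random salt could not be recomputed at the next login), and that `handle_callback`, `leaked_claims`, the `accounts` dict and the sample claims are hypothetical.

```python
import hashlib
import hmac
import json

# CONSTRUCTED sample of verified ID-token claims; only `sub` is ever used.
SAMPLE_CLAIMS = {
    "sub": "110169484474386276334",
    "email": "user@example.com",
    "name": "Example User",
    "picture": "https://example.com/p.png",
}

def google_link_key(sub, site_salt):
    """Keyed SHA-256 of Google's opaque subject ID, used as the lookup key."""
    return hmac.new(site_salt, sub.encode("utf-8"), hashlib.sha256).hexdigest()

def handle_callback(claims, accounts, site_salt, make_codename):
    """Map verified claims to a codename; nothing but the hash is persisted."""
    key = google_link_key(claims["sub"], site_salt)
    # email, name and picture are never read, so they cannot reach storage.
    if key not in accounts:
        accounts[key] = {"codename": make_codename()}  # first login
    return accounts[key]["codename"]

def leaked_claims(accounts, claims):
    """Audit helper: names of claims whose raw value appears in stored data."""
    blob = json.dumps(accounts)
    return sorted(name for name, value in claims.items() if str(value) in blob)

if __name__ == "__main__":
    store = {}
    salt = b"constructed-demo-salt"  # placeholder; a real one lives in a secret store
    first = handle_callback(SAMPLE_CLAIMS, store, salt, lambda: "demo-codename")
    again = handle_callback(SAMPLE_CLAIMS, store, salt, lambda: "unused")
    print(first == again, leaked_claims(store, SAMPLE_CLAIMS))
```

A check like `leaked_claims` is useful as a regression test: it fails as soon as a later change starts writing the raw ID or any profile field to storage.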
The bigger pattern
The codename is not a feature. It is the first row of the schema. Every other piece of code in this product is built on top of the assumption that the only public identity is a generated string. That is what makes the privacy contract real rather than aspirational. There is no “switch on real names later” toggle. There is no shadow column. The data is not there.
If you want to date in a community where you can be recognised, this is the platform that lets you.