Privacy Summary

Here's what we protect, what metadata we do keep, and what happens if someone comes knocking.

What Is Protected

  • Passwords are hashed on your device with Argon2 before being sent. We never see the plaintext.
  • DM content is end-to-end encrypted with X3DH + Double Ratchet.
  • Server channel messages use Sender Key envelopes. Only ciphertext hits the server.
  • File attachments are encrypted too. You need the client-held keys to read them.
  • Sealed sender mode hides who sent a DM from the server.

What Metadata Exists

  • Account profile, device registration, and session state.
  • Friendship and DM privacy-rule relationships.
  • Routing metadata required for message delivery and presence.
  • Cloud island control-plane data for centrally hosted servers.
  • We actively minimize metadata over time: hashing IDs, coarsening timestamps, expiring old records.
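
One way the three minimization steps named above could look on a routing record, as an added example that is not this service's own code. The HMAC key, the one-hour bucket, the 30-day retention window and the record fields are assumptions chosen for illustration.

```python
import hashlib
import hmac

BUCKET_SECONDS = 3600            # assumed granularity: one hour
RETENTION_SECONDS = 30 * 86400   # assumed retention window: 30 days

def pseudonymize_id(key: bytes, identifier: str) -> str:
    """Keyed hash of an ID. A plain SHA-256 of a username or numeric ID can be
    reversed by hashing every candidate value; without the key that fails."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def coarsen_timestamp(ts: int, bucket: int = BUCKET_SECONDS) -> int:
    """Round a Unix timestamp down to the start of its bucket."""
    return ts - (ts % bucket)

def minimize(records, key, now, retention=RETENTION_SECONDS):
    """Drop expired records, then hash IDs and coarsen times on the rest."""
    kept = []
    for rec in records:
        if now - rec["ts"] > retention:
            continue  # expired: not carried forward at all
        kept.append({
            "sender": pseudonymize_id(key, rec["sender"]),
            "recipient": pseudonymize_id(key, rec["recipient"]),
            "ts": coarsen_timestamp(rec["ts"]),
        })
    return kept

# Constructed sample data, not real records.
NOW = 1_700_000_000
KEY = b"constructed-demo-key"
SAMPLE = [
    {"sender": "alice", "recipient": "bob", "ts": NOW - 125},
    {"sender": "alice", "recipient": "bob", "ts": NOW - 40 * 86400},
]

if __name__ == "__main__":
    for row in minimize(SAMPLE, KEY, NOW):
        print(row)
```

Hashed IDs still link records that involve the same account, so this reduces what a stored record reveals rather than making it anonymous.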

Cloud vs. Private Islands

  • Cloud Islands are hosted on our infrastructure. We run the servers but can't read your encrypted content.
  • Private Islands are fully self-hosted. We have zero access to the server, database, or files.
  • Both modes use the same encryption. The only difference is who owns the hardware.

Under Legal Compulsion

  • We can provide operational metadata we store (accounts, relationships, routing data).
  • We cannot provide plaintext message content. It's encrypted with keys we don't hold.
  • For Private Islands, data requests go to the operator, not us.
  • This is not legal advice. It reflects the technical design of the system.