This privacy policy describes how we collect, use and protect your information when you use our products and services.
1. Introduction
We prioritise maximal end user security and privacy as a design principle, preferring local-first architectures, minimised cross-service authentication requirements, proven cryptographic operations, and a fundamental inability to access personal information, communications or data.
2. Data Collection and Usage
We generate and securely store several types of cryptographic keys in your device's secure keychain: a master signing key pair, operational signing keys, and operational agreement key pairs that rotate periodically. These keys power our end-to-end encrypted communication systems without revealing or requiring any personally identifying information.
For identification, we generate two random UUIDs: one device-specific and one user-specific. These identifiers are completely arbitrary and cannot be traced to your real identity, email, phone number, or Apple account.
We collect limited anonymous analytics including an installation timestamp, daily activity status, and feature usage counters (saves, shares, searches). This data is cryptographically signed using your device's cryptographic keys for verification but contains no personal information. Analytics data is transmitted to Supabase servers via anonymous authentication and contains no personally identifiable information. Anonymised analytics data may be retained indefinitely.
Peer connection public keys, user-assigned aliases, and connection timestamps are stored locally on your device. We cannot access any connection information, status or activity.
3. Push Notifications and Message Delivery
When you enable notifications, we store your Apple Push Notification service (APNs) token within Supabase, associated only with your public signing key. Push notifications contain generic alert text and never include actual message content, URLs, or personal information.
When peers share content, the content is first encrypted and cryptographically signed on-device. The encrypted, signed content is then transmitted anonymously to Supabase servers along with the recipient's public key, at which point we send a push notification. The recipient may also check for a message manually or be alerted to a message during regular use. The recipient then downloads the message to their device, verifies it and decrypts it.
Successfully delivered messages are marked for deletion and removed whenever a new message for any recipient lands. Undelivered messages automatically expire. We only store and forward messages—we have no way to decrypt their content or infer the sender or recipient.
4. Content Security
All content you save within the app remains on your device. When sharing with peers, content is protected with end-to-end encryption using contemporary cryptographic standards. Encryption and decryption processes occur exclusively on your device, ensuring that even we cannot access your data.
5. Third-Party Services
We use Supabase for backend infrastructure with strictly anonymous, one-way transmission. Our edge functions process push notifications independently, without access to message content or sender and recipient identities.
We do not incorporate any advertising frameworks, analytics services that track across apps, or other data collection mechanisms. We categorically do not share any user data with advertisers or data brokers.
We do collect anonymous website analytics using Goatcounter to improve our service. This includes basic information like pageviews, referring sites, browser types, and approximate location. We cannot identify individual users, do not use cookies for tracking, and do not share this data with third parties. This limited collection helps us understand our awareness > onboarding > retention funnel whilst respecting end user privacy.
6. Your Privacy Controls
You can delete all app data by removing the app from your device. For server-side data removal, email team@subset.network with your request. Messages are automatically purged from our servers upon successful delivery or after the expiration period, whichever comes first.
Our service is not directed at children under 13, and we do not knowingly collect data from children. We do not track your activity across other applications or websites.
We may update this Privacy Policy periodically and will notify you of any substantive changes. For questions, please contact team@subset.network.