SecureChat

Privacy policy

Privacy

SecureChat is built so that the relay, by design, never receives enough information to read your messages. This page describes what we collect, what we do not collect, and how to make a data-deletion request.

Summary

What we do not collect

  • Plaintext message bodies (we never see them)
  • Your Curve25519 private key (lives in iOS Keychain only)
  • Contact lists, phone number, email, name
  • Crash reports, analytics events, device identifiers
  • Location, IDFA, advertising identifiers
  • Third-party SDKs (no Firebase, no Sentry, no analytics)

What the relay does receive

  • Opaque, sealed, signed message envelopes
  • Sender and recipient peer IDs (64-hex)
  • Packet expiry timestamps (default 24h, configurable)
  • Standard TLS metadata (your IP, the relay's IP) — these are visible to any internet server you talk to and we treat them with the same care as any other operator

Self-host the relay

If you do not want the public relay to be involved at all, run your own. The relay is a single Fastify container, takes about 20 minutes to deploy on a fresh VPS, and the iOS app points at it via a configurable host. See the self-host guide.

Data retention

The relay stores sealed packets for at most 24 hours (configurable via MAX_TTL_SECONDS). Once a recipient acknowledges a packet, it is deleted immediately. Packets that expire without being acknowledged are removed by a periodic cleanup pass. The file-store implementation writes its state to DATA_DIR and does not retain a separate history.

Server logs

The relay logs HTTP-level access (method, path, status code, request ID) for the /v1/relay and /v1/admin surfaces. Logs do not include request bodies, peer IDs, or sealed payloads. Logs are written to stdout in JSON via pino and are not shipped off-host.

Data-deletion requests

To request deletion of any data we hold about you, email privacy@securechat.team. The only data the public relay holds about you is sealed packets and tombstones; both are removed within 24 hours of sending or receiving, respectively. We will reply within 30 days and confirm the deletion in writing.

Changes to this policy

Material changes to this policy will be announced in the iOS app and on the status page. The full history of this file is in the project repository: privacy.html on GitHub.