Legal
Privacy Policy
Last updated: Pre-launch draft
What we don't collect (the long list) is what makes privacy real. Here is exactly what Cipher handles and what it cannot.
01 The short version
Cipher is built so that the most sensitive data about you — what you say, to whom, and your encryption keys — never exists in a form we can read. This policy explains the little we do handle, why, and the limits of what any architecture can protect.
02 What we do not collect
This list is the point. It is what makes the privacy real, rather than promised:
- Message content — it is end-to-end encrypted with keys only you hold.
- Your encryption keys or recovery phrase — generated on your device, never transmitted to us.
- Your address book — we do not upload your contacts or build a social graph.
- Per-message metadata beyond what is strictly required to route and deliver.
- Your face or voice — AI features that process them run entirely on your device.
- A phone number — Cipher accounts are not anchored to one.
03 What we do handle
- A routing identifier needed to deliver encrypted messages to the right device.
- Encrypted backup blobs, if you enable backup — unreadable to us, decryptable only with your recovery phrase.
- Account timestamps (e.g. creation date, last connection) — the minimum needed to operate the service.
- Subscription status as a simple valid / not-valid signal, with no billing identity attached.
04 Payment is isolated from messaging
Payments are processed by the App Store or Play Store, which hold the billing relationship. Cipher receives only a signed receipt proving a device has a valid subscription — never a name or card number.
No user ID, device ID, or account ID is shared between the payment system and the messaging system. Because there is no shared identifier, the two cannot be cross-referenced, including in response to legal process.
05 Legal requests
We respond promptly and in good faith to valid legal process for the non-content data we actually have — which is very little, and never includes message content, because we cannot decrypt it.
We intend to publish regular transparency reports describing the requests we receive and how we respond.
06 The limits, stated honestly
Our architecture's privacy properties do not exempt us from applicable laws such as GDPR or CCPA where we serve those regions, and we will honor data-subject rights for the limited data we hold.
Zero-access protects data in transit and at rest on our servers. It does not protect a device that is unlocked, stolen, or compromised by spyware — that is a device-security problem no messaging app solves.
07 Changes to this policy
If we change what we collect, we will say so clearly and in advance — never quietly. Material changes will be surfaced in the app, not buried.