Privy Privacy Policy

Introduction

Welcome to Privy. We are committed to protecting your privacy and giving you control over your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our end-to-end encrypted messaging service.

Please read this Privacy Policy carefully. By using Privy, you agree to the collection and use of information in accordance with this policy.

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. Information We Cannot Access (Zero-Knowledge)
4. How We Share Your Information
5. Data Security
6. Data Retention
7. Your Privacy Rights
8. Children's Privacy (COPPA Compliance)
9. State-Specific Privacy Rights
10. International Data Transfers
11. Cookies and Tracking Technologies
12. Changes to This Privacy Policy
13. Contact Us

1. Information We Collect

1.1 Information You Provide Directly

Account Registration:

• Email address (required for account creation and verification)
• Username and tag (your unique identifier, e.g., @alice#1234)
• Password (hashed using Argon2id - we never store plaintext passwords)
• Cryptographic public keys (for end-to-end encryption)

Profile Information:

• Display name (optional)
• Profile status (optional)

Communications:

• Messages you send (stored encrypted on our servers - we cannot read them)
• Friend requests and associated messages

1.2 Information Collected Automatically

Device Information (Device Fingerprint):

For security and fraud prevention, we collect:

• Device identifiers: Browser user agent, device type, operating system
• Network information: IP address, ISP, connection type
• Device characteristics: Screen resolution, color depth, pixel ratio, hardware concurrency, device memory
• Browser features: Language preferences, timezone, cookies enabled, Do Not Track setting
• Interaction data: Touch support, max touch points
• Geolocation data: City, region, country, country code (derived from IP address)
• Security hashes: Canvas, WebGL, and audio fingerprints (for device recognition)

Session Information:

• Session tokens and refresh tokens (for authentication)
• Login timestamps
• Session duration
• Active device list

Message Metadata:

• Sender and recipient identifiers
• Timestamp (obfuscated ±5 minutes for privacy)
• Message delivery status
• Conversation identifiers

Note: We do NOT collect:

• Message content (encrypted end-to-end)
• Contact lists (stored only on your device)
• Call records or voice data
• Photos, videos, or file contents (encrypted)

1.3 Information from Third Parties

Email Service Providers:

• Email delivery status (bounces, successful deliveries)
• Email open rates (if your email client loads images)

Infrastructure Providers:

• Server logs and performance metrics
• Error reports and crash logs

2. How We Use Your Information

2.1 Service Delivery

• Account Management: Create and maintain your account, verify your email, manage authentication
• Message Delivery: Route encrypted messages between users, maintain delivery queues
• Friend Connections: Process friend requests, manage your contacts list
• Notifications: Send email notifications for verification, friend requests, and important account events

2.2 Security and Fraud Prevention

• Authentication: Verify your identity when you log in
• Fraud Detection: Identify and prevent spam, abuse, and malicious activity
• Rate Limiting: Prevent automated abuse and ensure fair use
• Multi-Factor Authentication: Verify login attempts from new devices

2.3 Service Improvement

• Performance Monitoring: Analyze server performance and optimize delivery
• Bug Fixes: Identify and resolve technical issues
• Feature Development: Understand usage patterns to improve the service

2.4 Legal Compliance

• Law Enforcement: Respond to valid legal requests (limited to metadata - we cannot provide message content)
• Dispute Resolution: Investigate Terms of Service violations
• Export Controls: Comply with encryption export regulations

2.5 Communications

• Service Updates: Notify you of important changes to the service
• Security Alerts: Inform you of potential security issues
• Policy Changes: Update you about changes to our Terms or Privacy Policy

3. Information We Cannot Access (Zero-Knowledge)

Important Implications:

• ✅ Privacy: We cannot read your messages, even if legally compelled
• ✅ Security: Server breaches cannot expose message content
• ⚠️ Recovery: We cannot recover messages if you lose your device or keys
• ⚠️ Moderation: We cannot proactively moderate message content (we rely on user reports)

4. How We Share Your Information

4.1 We Do Not Sell Your Data

4.2 Service Providers

We share limited information with trusted service providers who assist in operating our service:

Infrastructure Providers:

• Purpose: Server hosting, database management, content delivery
• Data Shared: Encrypted messages, server logs, performance metrics
• Restrictions: Providers are contractually obligated to protect your data and use it only for providing services to us

Email Service Providers:

• Purpose: Sending verification and notification emails
• Data Shared: Email addresses, notification content
• Restrictions: Subject to their own privacy policies and data protection agreements

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities:

Law Enforcement Requests:

• We require valid legal process (subpoena, court order, warrant)
• We will notify you when legally permitted
• Limited Scope: We can only provide metadata (account info, timestamps, sender/recipient IDs)
• No Content Access: We cannot provide message content due to end-to-end encryption

Transparency: We may publish transparency reports detailing law enforcement requests we receive.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets:

• User data may be transferred as part of the transaction
• We will notify users and provide options before transfer
• The acquiring entity must honor this Privacy Policy

4.5 Protection of Rights

We may disclose information to:

• Enforce our Terms of Service
• Protect the security or integrity of our service
• Protect our rights, property, or safety
• Protect against legal liability

5. Data Security

5.1 Encryption

End-to-End Encryption:

• Signal Protocol: Industry-leading encryption using X3DH key agreement and Double Ratchet
• ChaCha20-Poly1305: Authenticated encryption with associated data
• Perfect Forward Secrecy: Each message uses unique ephemeral keys
• Post-Compromise Security: System self-heals from key compromise

Transport Layer Security:

• TLS 1.3: All connections use modern encryption standards
• Certificate Pinning: Protection against man-in-the-middle attacks

At-Rest Encryption:

• Database Encryption: ChaCha20-Poly1305 encryption for database contents
• Per-Table Keys: Separate encryption keys for different data types
• Key Derivation: HKDF-SHA256 for deriving encryption keys

5.2 Security Measures

Access Controls:

• Multi-factor authentication for staff access
• Role-based access control (RBAC)
• Audit logging of all administrative actions

Infrastructure Security:

• Regular security audits and penetration testing
• Automated vulnerability scanning
• Secure software development lifecycle
• Dependency monitoring and updates

Data Protection:

• Secure key storage and management
• Memory zeroization for sensitive data
• Secure deletion of expired keys
• Rate limiting and DDoS protection

5.3 Security Limitations

Your Responsibility:

• Use strong, unique passwords
• Enable multi-factor authentication
• Keep your devices secure and updated
• Protect your encryption keys
• Report suspicious activity

6. Data Retention

6.1 Account Data

Active Accounts:

• Account information retained while your account is active
• Profile data retained until you delete your account

Deleted Accounts:

• Account deletion is processed within 30 days
• Some data may be retained for legal or security purposes

6.2 Message Data

Encrypted Messages:

• Messages are stored encrypted until delivered
• After delivery, retention depends on user settings
• Default: Messages retained encrypted indefinitely
• User Choice: Users can enable auto-deletion

Message Metadata:

• Delivery metadata (sender, recipient, timestamp) retained for up to 30 days
• Used for debugging, security investigations, and compliance
• Automatically deleted after retention period

6.3 Session Data

• Session Tokens: Expire after 7 days of inactivity
• Refresh Tokens: Expire after 30 days
• Device Fingerprints: Retained for 90 days for security analysis

6.4 Log Data

• Server Logs: Retained for 30 days for debugging and security
• Error Logs: Retained for 90 days for troubleshooting
• Security Logs: Retained for 1 year for compliance and investigations

6.5 Backup Data

• Backups retained for 90 days for disaster recovery
• Backups encrypted with the same standards as production data
• Old backups automatically deleted

7. Your Privacy Rights

7.1 Access and Portability

Right to Access:

• Request a copy of your personal data
• Review what information we have about you

Right to Data Portability:

• Export your data in a machine-readable format
• Transfer your data to another service

How to Exercise: Contact privacy@privyapp.org or use the data export feature in the app.

7.2 Correction and Deletion

Right to Correction:

• Update your profile information
• Correct inaccurate data

Right to Deletion:

• Delete your account and associated data
• Request deletion of specific data

How to Exercise: Use account settings in the app or contact support@privyapp.org.

Limitations:

• We may retain some data for legal compliance, fraud prevention, or security
• Encrypted messages may persist (we cannot delete what we cannot access without your keys)

7.3 Restriction and Objection

Right to Restrict Processing:

• Limit how we use your data
• Object to certain processing activities

How to Exercise: Contact privacy@privyapp.org with specific restrictions you'd like to implement.

7.4 Withdraw Consent

You may withdraw consent at any time by:

• Deleting your account
• Adjusting privacy settings
• Opting out of email notifications
• Revoking device access

Note: Withdrawing consent may limit or prevent use of certain features.

8. Children's Privacy (COPPA Compliance)

8.1 Age Requirement

Privy is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.

8.2 Parental Consent

If you are between 13 and 18 years old (or the age of majority in your jurisdiction), you may only use Privy with the permission and supervision of a parent or legal guardian.

8.3 If We Learn We Have Collected Data from Children Under 13

If we become aware that we have collected personal information from a child under 13 without parental consent:

• We will take immediate steps to delete such information
• We will terminate the account
• We will not use or disclose the information

8.4 Parental Rights

Parents or legal guardians may:

• Review their child's personal information
• Request deletion of their child's data
• Refuse further collection or use of their child's information

To exercise these rights, contact: privacy@privyapp.org with subject line "COPPA Request"

9. State-Specific Privacy Rights

9.1 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know:

• What personal information we collect
• Categories of sources from which we collect
• Business purposes for collection
• Categories of third parties we share with

Right to Delete:

• Request deletion of your personal information
• Exceptions: legal compliance, security, fraud prevention

Right to Opt-Out:

• Opt out of the "sale" or "sharing" of personal information
• Note: We do NOT sell or share your personal information for advertising

Right to Correct:

• Request correction of inaccurate personal information

Right to Limit Use of Sensitive Personal Information:

• Limit use of sensitive information to service provision only

Right to Non-Discrimination:

• We will not discriminate against you for exercising your rights

Authorized Agents:

• You may designate an authorized agent to make requests on your behalf
• We may require verification of authorization

How to Exercise California Rights:

• Email: privacy@privyapp.org
• Subject Line: "CCPA Request"
• Include: Your email address, specific request, and proof of California residency

Response Time: We will respond within 45 days (may extend up to 90 days with notice).

9.2 Virginia, Colorado, Connecticut, Utah Residents

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you have rights under your state's privacy laws:

• Right to confirm whether we process your personal data
• Right to access your personal data
• Right to delete your personal data
• Right to data portability
• Right to opt out of targeted advertising (N/A - we don't do targeted advertising)
• Right to opt out of sale of personal data (N/A - we don't sell data)

How to Exercise: Contact privacy@privyapp.org with your state's name in the subject line.

9.3 Nevada Residents

Nevada residents may opt out of the sale of personal information. We do not sell your personal information.

10. International Data Transfers

10.1 Data Location

Our servers are located in the United States. By using Privy, you consent to the transfer and processing of your data in the United States.

10.2 European Economic Area (EEA) Users

If you are in the EEA, please note:

• The U.S. may not have the same data protection laws as your country
• We implement appropriate safeguards to protect your data
• We comply with GDPR requirements for international transfers

Legal Basis for Processing:

• Consent: You consent by using our service
• Contract Performance: Necessary to provide the service
• Legitimate Interests: Security, fraud prevention, service improvement
• Legal Obligations: Compliance with applicable laws

GDPR Rights:

• Right to access, rectification, erasure, restriction, portability
• Right to object to processing
• Right to lodge a complaint with a supervisory authority
• Right to withdraw consent

Data Protection Officer Contact: dpo@privyapp.org

10.3 UK Users

UK users have rights under the UK GDPR similar to EEA rights listed above.

10.4 Other International Users

If you are outside the U.S., your personal information may be transferred to and processed in the United States. We will take appropriate steps to ensure your data is protected in accordance with this Privacy Policy.

11. Cookies and Tracking Technologies

11.1 What We Use

Session Cookies:

• Purpose: Maintain your logged-in session
• Type: Essential (required for service functionality)
• Expiration: Session-based (deleted when you close browser)

Authentication Tokens:

• Purpose: JWT tokens for API authentication
• Storage: LocalStorage (browser-based)
• Expiration: 7 days (access tokens), 30 days (refresh tokens)

Local Storage:

• Purpose: Store application settings and preferences
• Data: Non-sensitive user preferences, UI state
• Control: Cleared when you delete browsing data

11.2 What We Do NOT Use

11.3 Do Not Track (DNT)

We respect browser Do Not Track signals and do not track users across websites.

11.4 Your Control

You can control cookies by:

• Adjusting browser settings to refuse cookies
• Deleting cookies through browser settings
• Using private/incognito browsing mode

Note: Disabling essential cookies may prevent you from using the service.

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Legal or regulatory requirements
• New features or services
• User feedback

12.2 Notification

When we make changes:

• We will update the "Last Updated" date at the top
• Material changes will be communicated via:
  • Email notification to your registered email address
  • In-app notification
  • Prominent notice on our website
• You will be required to accept the new policy to continue using the service

12.3 Your Choices

If you disagree with the updated Privacy Policy:

• You may delete your account before the effective date
• Continued use after the effective date constitutes acceptance

12.4 Review

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

13.1 Privacy Questions

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: privacy@privyapp.org
Subject Line: Include "Privacy Inquiry" or specific request type
Response Time: We aim to respond within 5 business days

13.2 Data Protection Officer (DPO)

For GDPR-related inquiries:

Email: dpo@privyapp.org

13.3 Data Rights Requests

To exercise your privacy rights (access, deletion, correction, etc.):

Email: privacy@privyapp.org
Subject Line: "[Your State/Country] Privacy Request"
Include:

• Your registered email address
• Specific request
• Verification information (we may require proof of identity)

13.4 Security Issues

To report security vulnerabilities:

Email: security@privyapp.org

Important: Do not publicly disclose security issues. We will respond promptly and work with you to address the issue.

13.5 Mailing Address

Privy
123 Privacy Lane, Suite 500
San Francisco, CA 94102
United States

14. Additional Information

14.1 Third-Party Links

Our service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We recommend reviewing their privacy policies before providing any personal information.

14.2 Data Breach Notification

In the event of a data breach that affects your personal information:

• We will notify affected users within 72 hours of discovery
• Notification will include: nature of the breach, data affected, steps we're taking, steps you should take
• We will report to relevant authorities as required by law

Note: Due to end-to-end encryption, message content cannot be exposed in a breach.

14.3 User Responsibility

You are responsible for:

• Keeping your account credentials secure
• Protecting your devices and encryption keys
• Using strong passwords
• Reporting suspicious activity
• Complying with our Terms of Service

We are NOT responsible for:

• Security breaches caused by your negligence
• Unauthorized access due to weak passwords or shared credentials
• Loss of data due to device loss or failure

14.4 Open Source

Privy uses open-source components. Our use of these components does not affect your privacy rights under this policy.

15. Legal Compliance Summary

This Privacy Policy is designed to comply with:

Federal Laws:

• Children's Online Privacy Protection Act (COPPA)
• Federal Trade Commission Act (FTC Act)
• Digital Millennium Copyright Act (DMCA)
• Export Administration Regulations (EAR)

State Laws:

• California Consumer Privacy Act (CCPA) and CPRA
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)

International Laws:

• General Data Protection Regulation (GDPR) - EU
• UK GDPR

Acknowledgment and Consent

If you do not agree to this Privacy Policy, you must not use Privy.

Privacy Policy Change Log