What we collect
Account: email or hardware key, display name. Optional: phone number for contact discovery (k-anonymous SHA-256 prefixes — we never see numbers).
Operational: server holds encrypted message blobs and message metadata (timestamp, conversation participants by anonymous ID, delivery state). We cannot read the contents.
Telemetry: anonymous crash reports if you opt in. No usage analytics. No tracking pixels.
What we do not collect
We do not collect: message contents (encrypted client-side), voice audio (transcribed on-device), your contact list (we receive only k-anonymous prefixes), browsing or click-through analytics.
Your rights
GDPR data export — one click in Settings → Privacy → Export data. Right to erasure — one click; deletion propagates within 30 days across all backups.
Subprocessors
We publish our subprocessor list at sajlink.com/privacy/subprocessors. We give 30 days notice before adding a subprocessor.
Contact
Privacy enquiries: [email protected].