Privacy.

The most useful privacy policy is the shortest one we can honestly write. Here's the whole thing.

What we don't ask for

• Your phone number.
• Your email.
• Your real name.
• Your contacts.
• A profile photo.
• Your location.

We never ask for any of it. There's nowhere in the app to enter any of it. If we add a screen later that needs it, this page changes first and the change is announced before the screen ships.

What ends up on our server

• Your handle. The short lowercase name you picked at signup (3–20 characters; letters, digits, and the separators _ . -; e.g. @alice or @midnight_traveler). Public-by-design — your friends need it to message you.
• Your public key. Used to set up encrypted sessions. Public-by-design.
• Your selected animal. One of the avatar ids (e.g. fox, dragon). Public-by-design.
• An opaque device token. Issued by Vouchflow when your device passed an integrity check. Lets us reject bots without learning who you are.
• Undelivered ciphertext. If you message a friend who's offline, we hold the encrypted bytes until their next connection. We can't read them. Once delivered (or after 7 days, whichever comes first), they're deleted.
• A push token, if you allowed notifications. Used only to wake your device. We never include message content in pushes.
• Your feedback messages, if you choose to send any. Messages addressed to @feedback take a separate path: they go to the dev team in plaintext (not end-to-end encrypted), so we can actually read and act on the report. The chat surface above an @feedback conversation tells you this before you type. Nothing else you write reaches us in plaintext.
• Abuse reports you file against another handle. Stored as a small row (your handle, the reported handle, the reason you picked, an optional 200-character note) so our moderation team can act on threshold patterns. Deduped per pair — you can file one report per handle.

That's the whole list. There is no analytics SKU on our server. There's no event tracking. There's no advertising integration.

What we never see

• The contents of your messages. Encrypted on your device, decrypted on the recipient's device. We hold the bytes for delivery; we have no key. The one exception is the @feedback path above, which you knowingly opt into.
• Who you talk to, on the wire. Sealed-sender envelopes hide the sender's identity from the over-the-network frame we forward to the recipient. The buffered row on our database still records the sender ID so we can route delivery and acks — full server-blind sealed-sender (where even our delivery queue can't link sender to envelope) is a v2 effort that needs server-issued sender certificates.
• The audio of your calls. Voice calls are end-to-end encrypted. Cloudflare's TURN servers may relay encrypted packets — they can't decrypt them.
• Your contact list. We never read it.

What lives on your device only

• Your message history.
• Your private keys.
• Your settings (notification preferences, blocked handles, etc.).
• Your local copy of your face.

If you uninstall, this is gone with no recovery. We have no backup of it on our side.

Vouchflow

Speakeasy uses Vouchflow for device attestation — a system that proves "this is a real device with no obvious bot signals" without proving who the device belongs to. Vouchflow does not receive your handle, your public key, or any message content. They issue an opaque token; we store the token. See vouchflow.dev/privacy for their side.

Paid avatars

If you buy a paid avatar, payment goes through Apple's App Store or Google Play. Apple and Google handle the card data; we never see it. Their servers tell ours "device X owns SKU Y" via an anonymous receipt. Nothing tying it to your name reaches us.

Where the bits live

• Application server: Fly.io (Iowa, US).
• Database: Fly.io managed Postgres (same region).
• Push relay: Apple Push Notification Service (Apple) and Firebase Cloud Messaging (Google).
• Voice call relay: Cloudflare TURN, on demand only.

Your rights

• Delete the app any time. Local data is gone immediately.
• Delete your account from Settings → Account → Delete account. Server-side data is purged within 24 hours.
• Block individual handles. They can't message you again.
• Burn a conversation. Removes every bubble of the conversation from your device. Today this is a local-only action — your peer keeps their copy until their TTL (default 7 days) expires it. A future release will surface a burn frame to the peer so both sides clear together; until then, treat Burn as "wipe my side."

If you're in the EU, UK, or California: you have additional rights under GDPR / CCPA — access, deletion, portability. We're a small team. Email hello@speakeasy.app with any request and we'll respond within 30 days.

Children

Speakeasy isn't for children under 16. Our terms require minimum age 16, and we reserve the right to remove accounts we have reason to believe are younger.

If this changes

We'll update the date at the top and post a brief change summary in the next app release. Material changes (anything that affects what we collect or store) get a banner inside the app you have to dismiss before continuing.

Contact

hello@speakeasy.app. A real inbox, read by humans.