Privacy Policy

Last Updated: October 21, 2025

🔒

Privacy-First Design

At Guardyn, your privacy is our top priority. We use end-to-end encryption (Signal Protocol) to ensure that only you and your intended recipients can read your messages. We cannot access your encrypted content.

1. Overview

This Privacy Policy explains how Guardyn collects, uses, and protects your information when you use our secure messaging service.

Key Principles:

  • Privacy by Design: End-to-end encryption is built into every message
  • Minimal Data Collection: We only collect what's necessary to operate the service
  • User Control: You control your data and can delete it at any time
  • Transparency: We're open about what data we collect and why
  • Open Source: Our code is publicly auditable on GitHub

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address or phone number (for self-hosted authentication)
  • Username (your chosen display name)
  • Password (hashed and never stored in plain text)
  • Profile picture (optional, encrypted)
  • Two-Factor Authentication settings (if enabled)

2.2 Message Metadata

We collect minimal metadata to deliver messages:

  • Sender and recipient IDs (to route messages)
  • Timestamp (when message was sent)
  • Message ID (unique identifier)
  • Delivery status (sent, delivered, read)

Important: Message content is end-to-end encrypted. We cannot read your messages.

2.3 Technical Data

To maintain service quality and security:

  • IP address (for rate limiting and abuse prevention)
  • Device information (OS, app version)
  • Connection logs (login times, connection errors)
  • Crash reports (anonymized debugging data)

2.4 What We DON'T Collect

  • ❌ Message content (encrypted, unreadable to us)
  • ❌ Contact lists (stored locally on your device)
  • ❌ Location data
  • ❌ Browsing history
  • ❌ Social media data
  • ❌ Advertising identifiers

3. How We Use Your Information

We use collected information for:

  • Service Operation: Delivering messages, managing accounts, providing features
  • Security: Detecting abuse, preventing spam, protecting against attacks
  • Support: Responding to your inquiries and troubleshooting issues
  • Improvement: Analyzing anonymized usage patterns to enhance the service
  • Legal Compliance: Meeting legal obligations and responding to valid requests

We never use your data for advertising, tracking, or selling to third parties.

4. End-to-End Encryption

🔐 Signal Protocol Implementation

Guardyn uses the industry-standard Signal Protocol for end-to-end encryption. This is the same protocol used by Signal, WhatsApp, and other secure messengers.

What is end-to-end encrypted:

  • Text messages
  • Photos and videos
  • Files and documents
  • Voice and video calls
  • Profile information

Technical Details:

  • Key Exchange: X25519 (Curve25519 ECDH)
  • Signatures: Ed25519 (EdDSA)
  • Encryption: AES-256-GCM (authenticated encryption)
  • Key Derivation: HKDF-SHA256
  • Forward Secrecy: Double Ratchet algorithm

Your encryption keys are generated on your device and never leave it. Guardyn servers cannot decrypt your messages even if compelled by law.

5. Data Storage and Retention

Where Data is Stored:

  • Account Data: PostgreSQL database (self-hosted or cloud)
  • Encrypted Messages: ScyllaDB (high-performance NoSQL)
  • Media Files: MinIO (encrypted S3-compatible storage)
  • Session Cache: Redis (temporary, ephemeral)

Retention Periods:

  • Messages: Stored until delivered, then deleted from server (configurable)
  • Media: Retained for 30 days after upload (or until deleted by you)
  • Account Data: Retained while account is active
  • Logs: Kept for 90 days for security and debugging
  • Backups: Retained for 30 days, then permanently deleted

Self-Hosted Option: You can deploy Guardyn on your own servers for complete data control. See our deployment guide.

6. Information Sharing

We do NOT sell, rent, or share your personal data with third parties for marketing purposes.

Limited Sharing Scenarios:

  • Service Providers: Cloud hosting providers (if not self-hosted). These providers are bound by strict confidentiality agreements.
  • Legal Obligations: We may disclose information if required by valid legal process (court orders, subpoenas). We will notify you unless prohibited by law.
  • Security Threats: To prevent harm, fraud, or abuse of the service
  • Business Transfers: In case of merger or acquisition (you will be notified)

Important: Due to end-to-end encryption, we cannot provide message content even if legally requested, as we do not have access to decryption keys.

7. Security Measures

We implement multiple layers of security:

Encryption

  • End-to-end encryption (Signal Protocol)
  • TLS 1.3 for transport
  • Encrypted database storage

Access Control

  • Two-factor authentication
  • Role-based access control
  • Secure key management

Infrastructure

  • DDoS protection
  • Regular security audits
  • Intrusion detection systems

Development

  • Security code reviews
  • Penetration testing
  • Bug bounty program (planned)

Security Audits: We plan to conduct independent security audits with Cure53 and Symbolic Software. Reports will be published publicly.

8. Your Privacy Rights

You have the following rights regarding your data:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Delete your account and associated data
  • Export: Download your data in a portable format
  • Objection: Object to certain data processing activities
  • Restriction: Limit how we process your data

How to Exercise Your Rights:

  • In-App: Use Settings → Privacy → Manage Data
  • Email: privacy@guardyn.app
  • Response Time: We'll respond within 30 days

9. Children's Privacy

Guardyn is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Users aged 13-17 must have parental or guardian consent to use Guardyn.

If you believe a child under 13 has created an account, please contact us at privacy@guardyn.app.

10. International Users

Guardyn is accessible globally. Data may be processed in various jurisdictions depending on your deployment choice.

GDPR Compliance (EU Users):

  • Legal basis for processing: Contract performance, legitimate interests
  • Data transfers use standard contractual clauses
  • Right to lodge a complaint with a supervisory authority

CCPA Compliance (California Users):

  • We do not sell personal information
  • You have the right to opt out of data sales (not applicable)
  • No discrimination for exercising privacy rights

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • New features or services
  • Legal or regulatory requirements

Notification: We will notify you of material changes via:

  • In-app notification
  • Email to your registered address
  • Notice on this website

Continued use after changes constitutes acceptance. If you disagree, please delete your account.

12. Contact Us

For privacy-related questions, concerns, or requests:

Privacy Summary

🔐

End-to-End Encrypted

We can't read your messages

📊

Minimal Data

Only what's needed to operate

🎯

Your Control

Delete anytime, export data