Privacy Policy
The short version: Context is built so that we cannot read your content. Your messages, photos, voice notes, and journal entries are encrypted on your device with keys that only you and your partner hold. Our servers only ever see unreadable ciphertext. We have no user accounts, run no analytics, show no ads, and do not track you.
Context (“Context”, “the app”, “we”, “us”) is a private, two-person, end-to-end encrypted space for couples, published by [Developer / Legal Entity Name]. This policy explains what data the app handles, what leaves your device, and the choices you have.
1. Who this applies to
Context is intended only for adults aged 18 or older. It is designed for intimate communication between two consenting partners and may contain adult content. It is not directed to children, and we do not knowingly collect data from anyone under 18.
2. The data Context handles
2.1 Never leaves your device
- Your encryption keys are generated on your device and stored in the iOS Keychain / Android Keystore. Private keys are never transmitted to us or anyone.
- Your content, at rest (messages, photos, voice notes, journal entries shared and private, replies) is stored encrypted on your device (AES-256). Private journal entries are never transmitted anywhere.
- Biometric data: unlocking “spicy” content uses Face ID / fingerprint / passcode handled entirely by your operating system. We never receive or store it.
2.2 Passes through our servers — as ciphertext only
- Encrypted content in transit: shared items are sealed on your device and travel to your partner as ciphertext.
- Offline mailbox: if your partner is offline, their encrypted, undelivered items are held briefly, then delivered and removed. Never in readable form.
2.3 Operational data the relay stores
- Pairing records linking your device's public key to your partner's — public keys only, no content, no names.
- One-time pairing codes, held ~10 minutes and consumed on first use.
- Push notification tokens (from Apple/Google), if you enable notifications.
- Network metadata: like any internet service, our relay and hosts receive your device's IP address while connected, to route traffic. We do not profile you.
2.4 What we do not collect
No name, email, phone number, date of birth, account/password, contacts, location, advertising identifiers, or analytics. No ads, no trackers, no engagement metrics (no likes, view counts, or read receipts).
3. Notifications
When new content arrives while the app is closed, we send a content-free push via Apple (APNs) or Google (FCM). The text is generic (e.g. “💗 New moment”) and never contains your messages — the real content stays encrypted in your mailbox and is decrypted only on your device when you open the app.
4. Permissions
| Permission | Why |
|---|---|
| Camera | Take a photo to share with your partner. |
| Microphone | Record a voice note. |
| Photo library | Choose a photo to share; save a received photo when you ask. |
| Notifications | Alert you that your partner sent something (content-free). |
| Face ID / biometrics | Unlock “spicy” content (handled by your OS). |
You can revoke any of these in device settings; denying one only disables that feature.
5. Service providers (subprocessors)
None receive your decrypted content.
| Provider | Role | Receives |
|---|---|---|
| Fly.io | Hosts the relay | Ciphertext traffic; connection IP |
| Upstash (Redis) | Temporary encrypted mailbox | Ciphertext only |
| Apple APNs | iOS push delivery | Device token; content-free push |
| Firebase Cloud Messaging | Android push delivery | Device token; content-free push |
| Apple App Store / Google Play | App distribution | Per their own policies |
6. Data retention
- On your device: until you delete it (Unpair & wipe, or uninstall).
- Encrypted mailbox: removed on delivery, or after ~7 days for messages/ photos/voice/journals and ~60 seconds for “pulses.”
- Pairing records: until you unpair (then removed for both devices).
- Pairing codes: ~10 minutes or until used.
- Push tokens: until you unpair, uninstall, or the OS invalidates them.
7. Your choices and rights
- Unpair & wipe ends a pairing unilaterally, deletes shared content on your device, and clears your relay mailbox.
- Uninstall deletes all on-device data including your keys; content secured with them becomes permanently unrecoverable (zero-knowledge, by design).
- Access / deletion requests: we hold no account and no readable content, so there is little to provide or erase beyond your push token and pairing record (both cleared by Unpair & wipe). Contact [privacy@yourdomain.com].
Depending on where you live you may have rights under the EU/UK GDPR or California CCPA/CPRA. We honor these at the contact above. We do not sell or share personal information for advertising.
8. Security — and its honest limits
We use end-to-end encryption (X25519 → HKDF-SHA256 → AES-256-GCM), encryption at rest, and keys stored in your device's secure store, plus a six-emoji check to verify your pairing. Honestly, these protections cannot:
- protect a compromised, jailbroken, or unlocked device, or one in someone else's hands;
- stop screenshots, screen recording, or someone photographing your screen — the in-app “spicy” blur and biometric gate control viewing inside the app only.
No method of transmission or storage is 100% secure.
9. International transfers
Our relay and providers operate primarily in the United States; limited operational data (ciphertext in transit, push tokens, connection metadata) may be processed there and in other countries where our providers operate.
10. Children's privacy
Context is for adults (18+) and not directed to children. We do not knowingly collect data from anyone under 18. Contact us if you believe a minor has used the app.
11. Changes
We will update the “Last updated” date for any change and notify you in-app for material changes. Continued use after an update means you accept the revised policy.
12. Contact
[Developer / Legal Entity Name]
[privacy@yourdomain.com]