Privacy

No data shared. No data sold. Most data not even collected.

This page is a plain-English description of what Disapp knows about you, what we do with it, and what we don’t. It is not a marketing page for the word “privacy”; it is a contract about how we treat your data. If we ever change what’s in it, we’ll tell you.

The short version. We cannot read your messages. We do not have access to your contact list. We do not share anything with advertisers, data brokers, social networks, or any third party that “pays for data.” There is no such third party in our stack. There is no analytics vendor either.

What we don’t collect

  • Message content. Message bodies are sealed with a per-message AES-256-GCM key, wrapped separately for each recipient device via X25519 ECDH. The server stores ciphertext and opaque wrappers; it has no key with which to decrypt them. If a court ordered us to produce your messages, we would respond with the ciphertext. The math does not permit more.
  • Your contact list. We never ingest your phone’s address book. We do not run “find friends.” If you want to find someone, you type their email, phone number, or username and we do a lookup against Disapp accounts only — not a reverse scrape.
  • Analytics or telemetry. No third-party analytics, no crash reporters that ship stack traces with user content, no A/B testing SDKs, no product-telemetry SDKs. None.
  • Advertising IDs. We don’t read IDFA / AAID / GAID. We don’t fingerprint.
  • Location. We do not request GPS. We do not resolve IP to city / neighborhood, and even if we did, we would not store the result.
  • Your read history on the open web. No cross-site tracking. No pixel trackers. The splash page does not load a single third-party script. Open DevTools and check.
  • Backup copies of your plaintext. The server never stores plaintext, and never will. Your device keys are stored locally, wrapped with your password — which is why you type the password once per session to unlock them in memory. Remember your password and your access is durable; forget it and nothing — not us, not a court, not an adversary — can recover your messages. That is the intended design, not a limitation.
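To make the "Message content" bullet concrete, here is an added example of the sealing shape it describes: one fresh AES-256-GCM key per message, wrapped separately for each recipient device through an ephemeral X25519 ECDH, so that what the server holds (ciphertext plus opaque wrappers) cannot be opened without a device private key. This is illustrative code written for this page, not Disapp's client or server code. It uses only the Go standard library; the wrapping-key derivation (SHA-256 over the shared secret and both public keys, where real code would use HKDF with a labelled info string), the `Envelope`/`Wrapper` layout and the device identifiers are assumptions, and the signatures mentioned in the envelope bullet and the password-wrapping of device keys at rest are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wrapper is the opaque per-device part of an envelope: the sender's one-time X25519 public key plus the per-message key sealed under the ECDH-derived key.
type Wrapper struct{ EphemeralPub, Nonce, WrappedKey []byte }

// Envelope is everything the server stores for one message: AES-256-GCM ciphertext and one wrapper per recipient device, keyed by device identifier.
type Envelope struct {
	Nonce, Ciphertext []byte
	Wrappers          map[string]Wrapper
}

// mustRandom returns n bytes from crypto/rand (Read never returns an error as of Go 1.24).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so this only fails on a bug
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// wrappingKey is this example's assumed KDF: SHA-256 over the X25519 shared secret and both public keys (production code would use HKDF with a label).
func wrappingKey(shared, ephPub, devicePub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(devicePub)
	return h.Sum(nil)
}

// Seal encrypts the body once under a fresh AES-256-GCM key, then wraps that key separately for every recipient device via an ephemeral X25519 ECDH.
func Seal(plaintext []byte, recipients map[string]*ecdh.PublicKey) (*Envelope, error) {
	msgKey := mustRandom(32)
	aead := mustGCM(msgKey)
	env := &Envelope{Nonce: mustRandom(aead.NonceSize()), Wrappers: map[string]Wrapper{}}
	env.Ciphertext = aead.Seal(nil, env.Nonce, plaintext, nil)
	for id, devicePub := range recipients {
		eph, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		shared, err := eph.ECDH(devicePub)
		if err != nil {
			return nil, err
		}
		wk := mustGCM(wrappingKey(shared, eph.PublicKey().Bytes(), devicePub.Bytes()))
		wn := mustRandom(wk.NonceSize())
		env.Wrappers[id] = Wrapper{eph.PublicKey().Bytes(), wn, wk.Seal(nil, wn, msgKey, nil)}
	}
	return env, nil
}

// Open is what a recipient device does with its private key; anyone without a matching private key, the server included, gets an error and no plaintext.
func Open(env *Envelope, deviceID string, devicePriv *ecdh.PrivateKey) ([]byte, error) {
	w, ok := env.Wrappers[deviceID]
	if !ok {
		return nil, errors.New("no wrapper for this device")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := devicePriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	wk := mustGCM(wrappingKey(shared, w.EphemeralPub, devicePriv.PublicKey().Bytes()))
	msgKey, err := wk.Open(nil, w.Nonce, w.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrapper does not open with this device key")
	}
	return mustGCM(msgKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	phone, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed device key for the demo
	env, err := Seal([]byte("constructed sample message"), map[string]*ecdh.PublicKey{"alice-phone": phone.PublicKey()})
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, "alice-phone", phone)
	fmt.Printf("device opens: %q (err=%v)\n", pt, err)
}
```

Run with `go run`. The point to take from it is in `Open`: the only way from an envelope back to plaintext passes through a device private key, and any other key fails the wrapper's GCM tag check before the message key is ever recovered, which is the sense in which a server, or anyone it hands the envelope to, can produce ciphertext and nothing more.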

What we do collect and why

The minimum set required to run an account system and move ciphertext between devices:

  • Email address. Used as your login identifier and for security notifications (e.g. “a new device was added to your account”). Required at registration. You may provide an alias if you prefer; we don’t validate that it’s your “real” email.
  • Display name. Whatever you want others to see.
  • Password (hashed). Stored as a salted Argon2id (or equivalent KDF) hash. We never see the plaintext; we cannot recover it if you forget it.
  • Device public keys. X25519 + ECDSA public halves, one pair per device you sign in from. Strictly public keys.
  • Encrypted message envelopes. Ciphertext + per-device wrappers + signatures. Stored until you or the server-side retention policy removes them.
  • Session metadata. Which device is currently signed in, when it last connected, and when its token expires. Used to enforce logout and device revocation.
  • IP address (transient). Inbound requests carry an IP at the network layer. We use it for rate-limiting abuse and for the hash-chained audit log; it is not sold, shared, or used to build a profile.
  • Phone number (optional). Only if you choose to set one for account recovery. Never required.

How long we keep it

  • Messages. Until you delete them or your organization’s retention policy expires them. We do not secretly hold deleted messages beyond the cryptographic and database erase.
  • Account data. As long as the account exists. You can delete it at any time and we permanently remove the account record; ciphertext that references it is tombstoned.
  • Audit log entries. Indefinitely, because they’re tamper-evident by design. They record that an action happened, not its plaintext content.
  • IP addresses on request logs. Rotated out of access logs within 30 days. The audit log captures only a truncated form suitable for abuse attribution.

Who we share it with

No one. Specifically:

  • We do not sell data. There is no data we could sell that would be valuable; we have deliberately structured the system that way.
  • We do not share with advertising, marketing, or analytics partners. We have no such partners.
  • We do not use third-party CDNs for the web app. Splash and SPA are served from our infrastructure under a strict Content-Security-Policy that blocks third-party code by default.
  • Law enforcement requests: we respond with the ciphertext we hold, the account metadata described above, and nothing else, because nothing else exists. We publish a transparency report annually.

Your rights

You can export your account record, delete your account, rotate your keys, revoke devices, and turn optional features (like compliance escrow) on and off — from inside the app, without writing to us. If you’re in a jurisdiction with rights under GDPR, the UK GDPR, or CCPA / CPRA, they apply as you’d expect, and our replies will beat the statutory deadlines.

Security incidents

We operate an intrusion-response policy that includes notification to affected users within 72 hours of confirming a breach that could expose ciphertext, wrappers, or account metadata. For anything less than that, see our Security page for specifics and the security.txt for reporting channels.

Children

Disapp is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly process data from users below that age. If you believe a minor has registered, contact us and we will remove the account.

Changes

If this policy changes in a way that affects what we collect, how we use it, or who we share it with, we’ll announce it in-app and on this page at least 30 days before the change takes effect, except where a shorter notice is legally required.

Contact

Privacy questions: privacy@disapp.io. EU / UK data-subject requests reach the same mailbox; we do not use a gating form that filters out “inconvenient” requests.

Effective 2026-04-20 · Version 1.0