Privacy Policy

Effective Date: May 15, 2026
Operator: Secretly LLC

Secretly - Privacy Policy

This Privacy Policy describes what data we collect, how we use it, and the rights available to users of the Secretly service (hereinafter referred to as "Secretly," "we," "us," or "our").

1. Introduction

Secretly is a private, encrypted messenger that allows users to exchange messages, create group chats, and make secure voice and video calls using a unique Secretly ID, without requiring a mandatory phone number or email address.

2. Data Controller and Contact Information

• Data Controller: Secretly

• Legal Name and Address: [Insert the legal name and address of the controller]

Contacts:

• Technical Support: technical.support@secretlyapp.com

• General Support: support@secretlyapp.com

• Legal/Law Enforcement Requests: legal@secretlyapp.com

3. What Data We Collect

3.1 Registration Data

Secretly ID, alias/profile name, avatar (if uploaded), email address, or phone number—only if you choose to provide them.

3.2 User Content

Messages, media (photos, videos), files, and other attachments sent by you via Secretly. By default, message content is protected by end-to-end encryption and is not accessible to us in plaintext.

3.3 Metadata and Identifiers

Account and device identifiers, chat/room IDs, delivery metadata (sent/delivered timestamps, message size), delivery statuses, push notification tokens, and aggregated usage data.

3.4 Payments and Donations

Secretly may provide links to third-party payment providers for donations or payments. If you make a payment outside the application, it is processed by the selected provider. Secretly does not store full bank card details (card number, CVV). If digital goods or subscriptions are sold within the application, they are processed through platform solutions (Apple In-App Purchase on iOS, Google Play Billing on Android) in accordance with the respective app store policies.

3.5 Technical, Operational, and Service Data

IP addresses, request and error logs, security events, and rate-limiting data. This data is used to ensure service functionality, detect and prevent fraud, investigate incidents, and improve service quality.

3.6 Website Data

When you visit our website, we may process limited technical data: IP address, browser type and version, basic request headers, and performance metrics. We only use strictly necessary cookies for website security and functionality. We do not use third-party behavioral tracking tools for advertising.

3.7 Diagnostics and Analytics

Anonymized or aggregated application usage data, error reports, and crash reports. If we use third-party analytics or monitoring services, they are listed in the "Third-Party Data Transfer and Processing" section below.

4. How We Use the Information

We use the collected data to:

• Provide messaging, calling, and related services;

• Authenticate users and devices;

• Deliver encrypted messages and notifications;

• Provide user support and resolve technical issues;

• Ensure security, as well as detect and prevent abuse;

• Comply with legal obligations.

5. Legal Bases for Processing (Where Applicable)

Depending on the applicable law, we may rely on one or more of the following legal bases for processing: performance of a contract (to provide services), consent (for optional features), legitimate interests (such as security and fraud prevention), and compliance with legal obligations.

6. Encryption and Metadata

Messages and calls are encrypted on the users' devices and decrypted on the recipients' devices. In normal operation, our servers do not have access to message content in plaintext—they relay encrypted payloads and store minimal metadata necessary for routing and delivery (identifiers, timestamps, size, delivery status).

Important: Encryption does not protect data if the recipient's device is compromised, if the user voluntarily discloses the content, or if key backup mechanisms are utilized that are explicitly stated in this policy.

Technical Summary (for Export Compliance / App Store):

We use proven cryptographic primitives and libraries. NOTE: Replace the examples below with the actual algorithms and libraries used in your application:

• Key Agreement Scheme: X25519 (example)

• Symmetric AEAD Encryption: XChaCha20-Poly1305 or AES-GCM (example)

• Signatures: Ed25519 (example)

• KDF: HKDF-SHA256 (example)

If you use cloud-based key backups or a recovery mechanism, describe how backups are encrypted and who has access to the recovery materials.

Push Notifications and Calls:

Push notifications (APNs, FCM) do not contain decrypted message content. For incoming VoIP calls, we use minimal metadata (caller ID, room/offer ID) in the notification; the actual media connection is established via secure channels and is encrypted end-to-end with the support of appropriate protocols.

7. Third-Party Data Transfer and Processing

We do not sell personal data. We may transfer or process data with/for the following categories of providers and services:

• Infrastructure providers (hosting, S3, CDN);

• Push notification services (Apple APNs, Firebase Cloud Messaging);

• Audio/video providers (TURN/STUN/media relays);

• Payment providers (Stripe, PayPal, etc.)—only in case of external payment processing;

• Support and communication services (email, ticketing systems);

• Analytics and monitoring services (if applicable);

• Legal authorities—only in response to a valid legal request.

Each third-party provider is selected based on security requirements, and appropriate data protection agreements are executed with them. A full list of vendors and links to their privacy policies is published at: [Insert URL with the vendor list].

8. Data Retention Periods

We retain data only for the period necessary to fulfill the purposes described in this Policy, unless otherwise required by law. Examples of recommended retention periods (replace with the actual values of your infrastructure):

• Pending/undelivered messages (on the server): up to 30 days;

• Copies for delivery/relay: deleted immediately after delivery, maximum 30 days;

• Request and error logs: 30–90 days;

• Security/audit logs: up to 365 days;

• Backups: up to 180 days;

• Account and profile data: stored until the account is deleted by the user, and thereafter to the extent required to comply with laws and legal obligations.

These periods may change due to legal requirements or for security purposes. If you need precise retention periods for a specific data type, please contact technical.support@secretlyapp.com.

9. Account Deletion and User Choices

You can delete your account within the app via: Settings → Account → Delete Account. Upon deletion:

• Your profile and account data (including linked devices and keys) will be deleted.

• Device keys and records will be removed.

• Service information associated with the account will be deleted within the specified retention periods.

Deletion does not affect data that has already been transmitted to other users (e.g., messages saved by recipients). Some data may be retained in backups or logs for a limited time to ensure security and comply with legal obligations.

10. User Rights

Depending on your jurisdiction, you may have the right to access, rectify, erase, restrict processing, and port your data, as well as the right to withdraw your consent. To submit a request, please write to technical.support@secretlyapp.com. We may request proof of identity to process your request. We aim to respond to requests within 30 days, except for complex cases that legally allow for an extension.

11. International Transfers

Data may be processed and stored in countries other than your country of residence. We ensure appropriate technical and legal safeguards (such as Standard Contractual Clauses) are in place where required by law.

12. Children

Secretly is not intended for children under the age of 13 (or below the minimum age required by local law). If we learn that a child has registered without parental/guardian consent, we will take steps to delete the account and associated data.

13. Security

We implement organizational and technical security measures, including encryption, access controls, monitoring, and regular updates. However, no absolute guarantee of security exists—your security also depends on the strength of your passwords, device security, and online behavior.

14. Legal Requests and Data Disclosure

We will disclose personal data only in response to a valid legal request (e.g., a court order, subpoena) or if required by law. We strive to notify affected users prior to disclosure unless notification is prohibited by law.

Legal requests should be directed to: support@secretlyapp.com. Please include contact information and the relevant legal documentation (court order, subpoena, etc.) in your request.

15. Updates to This Policy

We may update this Policy from time to time. All material changes will be posted on this page with an updated effective date. Your continued use of the service after such changes constitutes acceptance of the updated policy.

16. Platform-Specific Notes (iOS / Android)

• In-App Purchases: If digital goods or subscriptions are offered within the app, they are processed via Apple In-App Purchase on iOS and via Google Play Billing on Android, in accordance with the respective app store policies. If payments redirect to an external website, such payments are handled by an external provider, and Secretly does not store card data.

• Sign in with Apple: When offering login via third-party services (Google, Facebook, etc.), we comply with Apple’s requirement to provide "Sign in with Apple" where applicable.

• VoIP and Push: For incoming calls to function properly, we use CallKit/PushKit (iOS) and FCM (Android) in accordance with platform guidelines. Push notifications do not contain decrypted message content.

17. Technical Description for Export Compliance (App Store Connect)

Secretly implements end-to-end encryption for messages and media content. Keys are generated and stored locally on the device; the server serves to relay encrypted blocks and store minimal metadata. Example of cryptographic primitives used (fill in with actual values): X25519 (key exchange), XChaCha20-Poly1305 or AES-GCM (AEAD), Ed25519 (signatures), HKDF-SHA256 (KDF). There are no backdoors or brute-force access mechanisms. Standard and proven libraries/implementations are used. [Replace this block with the exact algorithms and libraries of your application before publishing.]

18. Key Vendor List (Examples and Placeholders)

Below are categories and examples—replace them with the actual list of services you use and links to their privacy policies:

• Hosting/Infrastructure: [AWS / DigitalOcean / other provider] — [Link to policy]

• Push Notifications: Apple APNs — https://developer.apple.com/support/notifications/; Firebase Cloud Messaging — https://firebase.google.com/support/privacy

• Media/Calls: [STUN/TURN/media provider] — [Link]

• Payments: [Stripe / PayPal] — [Link]

• Analytics/Crash Reports: [Sentry / other] — [Link]

19. Our Stance on Tracking and Advertising

We do not use third-party advertising networks to display targeted ads inside the application. We do not share personal data with third parties for ad targeting purposes. If this changes in the future, we will update this Policy and notify users.

20. Contact

support@secretlyapp.com
https://www.secretlyapp.com

Secretly LLC  (Reg.No. 40203722244)

DUNS - 565891304