Privacy Policy
Effective date: [EFFECTIVE DATE] · Provider: [LEGAL ENTITY NAME] · Contact: [SUPPORT EMAIL]
TalkOnce is a private messenger built so that we cannot read your messages, and we do not want your personal data. You don't give us your name, phone number, or email to sign up. Your messages, calls, photos, and files are end-to-end encrypted — sealed on your device and only decryptable on your recipient's. We never hold the keys. This policy explains, honestly, the little that our servers must handle to deliver a message, and the much larger amount we deliberately never collect.
1. Information we do not collect
To create and use a TalkOnce account, we do not require or collect:
- Your name, phone number, email address, or any government identifier
- Your contacts or address book
- Your location
- Advertising identifiers or any cross-app or cross-website tracking data
- Analytics, behavioral, or usage-profiling data
TalkOnce contains no third-party advertising, no analytics SDKs, and no trackers. We do not sell, rent, or share personal data, because we do not collect it. Our app's privacy declaration to Apple is "Data Not Collected."
2. Your messages and calls are end-to-end encrypted
Message text, photos, videos, files, voice messages, and call audio and video are end-to-end encrypted using modern, post-quantum-resistant cryptography. This means:
- Content is encrypted on your device before it leaves it.
- Only you and the people in your conversation can decrypt it.
- We cannot read your messages or listen to your calls, and we could not produce their content to anyone — including law enforcement — because we never possess the keys.
3. What our servers necessarily process
To deliver a message from you to your recipient, our servers handle a limited amount of technical routing information. We are honest that this exists:
- A routing address — an opaque identifier that tells our server which device should receive an encrypted message. It is not your name, phone, or email.
- Encrypted message envelopes — the ciphertext in transit, which we cannot decrypt, held only until delivered.
- Approximate timing and size of encrypted messages, as an unavoidable property of any network that delivers data.
- A delivery/notification flag, if you enable push notifications (see §5).
We keep this to the minimum required to route messages, and we do not build advertising or behavioral profiles from it.
4. Data retention — ephemeral by design
- Undelivered messages and encrypted attachments are stored on our servers only until delivered, and in any case no longer than 30 days, after which they are automatically and permanently deleted.
- Delivered messages are deleted from our servers immediately upon delivery to your device.
- We do not keep a copy of your conversation history on our servers. Your history lives on your device.
5. Push notifications
If you enable notifications, we send a signal through Apple's Push Notification service (APNs) so your device knows a message is waiting. The notification does not contain your message content. Apple's handling of push traffic is governed by Apple's own privacy policy. You can disable push notifications at any time in your device settings, and TalkOnce will still work.
6. Calls
Voice and video calls are end-to-end encrypted. To connect a call, encrypted media may be relayed through our own call infrastructure when a direct device-to-device connection isn't possible. The relay cannot decrypt your call — it only forwards encrypted media. We do not record calls and do not retain call content.
7. GIF search
If you search for GIFs, your search term is sent through our own server to a third-party GIF provider. The GIF provider sees our server, not you — your device's identity and IP address are never exposed to it. GIF search is optional; if you don't use it, no such request is made.
8. Backups
TalkOnce backups are optional and zero-knowledge. If you create a backup, it is encrypted on your device with a passphrase only you know, and the resulting file is placed wherever you choose to save it. We could not read your backup even if compelled — we never receive it and never hold its passphrase. If you lose the passphrase, the backup cannot be recovered, by us or anyone.
9. Law enforcement and government requests
Because of how TalkOnce is built, there is very little we could ever produce:
- We cannot provide message or call content — it is end-to-end encrypted and we hold no keys.
- We do not hold your name, phone number, or email, so we cannot produce them.
- If legally compelled, the most we could produce is the limited routing and timing metadata described in §3, for data that still exists within the 30-day window.
We will respond to valid legal process as required by law, and we aim to publish transparency information about such requests.
10. Children
TalkOnce is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect personal data from them. Because we collect no personal data at signup, we have none to identify.
11. Security
We use post-quantum end-to-end encryption, encrypt sensitive data at rest on your device, and design our servers to hold only ciphertext and minimal routing metadata. No system is perfectly secure, but our architecture is built so that a breach of our servers exposes encrypted data and minimal metadata — never your message content.
12. Changes to this policy
If we make material changes, we will update the effective date above and, where appropriate, notify you in the app. Continued use after an update means you accept the revised policy.
13. Contact
Questions about privacy? Contact us at [SUPPORT EMAIL].
Note for launch — the bracketed fields above must be filled before this page goes live: the effective date, the legal entity that operates TalkOnce, and a monitored support email. If you launch to EU or California users, a short "Your rights" section (GDPR / CCPA) may be required.