Privacy Policy

Version 1.0 — Effective: April 2026

Last updated: April 2026

1. Introduction

Cyfero ("we", "us", "our") is a product of xthAB Limited, a company registered in the United Kingdom. This Privacy Policy explains how we handle information when you use the Cyfero application and services ("the Service").

Our guiding principle is simple: your data belongs to you. Cyfero is built with a zero-knowledge architecture — we minimise the data we collect, encrypt what we must store, and ensure we can never access the content of your communications.

As a UK-registered company, our primary data protection framework is the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We also comply with the EU GDPR (Regulation 2016/679), the California Consumer Privacy Act (CCPA/CPRA), the ePrivacy Directive (2002/58/EC), and other applicable international data protection laws.

This policy is written in plain language. We believe transparency builds trust — we will tell you exactly what we can and cannot access.

2. Data Controller

The data controller for the Service is:

xthAB Limited
United Kingdom
Email: privacy@cyfero.me

3. Zero-Knowledge Architecture: What We Cannot Access

Cyfero uses end-to-end encryption based on the Signal Protocol (X3DH key agreement and Double Ratchet message encryption). By architectural design, our servers mathematically cannot access:

  • Message content — Text, media, files, and voice messages are encrypted on your device before transmission. Only the intended recipient can decrypt them. Our server stores and forwards opaque ciphertext.
  • Voice and video call content — Calls use WebRTC with SRTP encryption, establishing a direct peer-to-peer connection. Our server relays signalling metadata only; it never handles audio or video streams.
  • Your private encryption keys — Generated on your device and stored exclusively in your device's secure enclave (Android KeyStore or iOS Keychain). Private keys are never transmitted to our servers.
  • Your contact list or address book — Never uploaded to or stored on our servers.
  • Your location data — We never collect, request, or store location data of any kind.
  • Your SMS messages or local call history — Stored and managed locally on your Android device only. Never transmitted to our servers.

Decryption keys exist only on your devices. Even if our servers were compromised or a database breach occurred, your messages cannot be read, your calls cannot be listened to, your private keys cannot be recovered, and your real-world identity cannot be determined from the data on our servers. This is enforced by the encryption architecture, not by policy.

Important: Your phone number or email address is stored exclusively as an irreversible cryptographic hash. No encrypted copy, plaintext copy, or reversible representation exists on our servers. User-identifiable information does not exist on the server in any accessible form.

4. What Our Server Stores

To provide the Service, we store the following on our servers. We are transparent about what we store and how it is protected:

4.1 Account Identifiers

Your phone number or email address is used during registration solely to deliver a one-time verification code. Cyfero uses a stateless verification flow — after verification is complete, your phone number or email address is not stored on our server in any recoverable form.

What we store permanently is an irreversible one-way hash (HMAC-SHA256) of your identifier, used for account lookup and uniqueness checks. This hash cannot be reversed — the original phone number or email address cannot be recovered from it, even with full server access. No encrypted copy, no plaintext copy, and no reversible representation of your phone number or email is ever retained on our servers.
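As an added illustration of the keyed one-way hashing described above (example code, not Cyfero's own implementation): the normalisation rules, the placeholder key and the in-memory account table are assumptions made so the example runs offline.

```python
import hmac
import hashlib
import re

# Assumption: in a real deployment the HMAC key lives in a secrets manager or
# KMS and is never stored alongside the account table. A constructed all-zero
# key is used here purely so the example runs offline.
IDENTIFIER_HMAC_KEY = bytes.fromhex("00" * 32)  # placeholder, constructed


def normalise_identifier(identifier: str) -> str:
    """Canonicalise before hashing so the same account is found whatever the
    formatting. Emails are trimmed and lower-cased; phone numbers are reduced
    to digits with a leading '+'. (Assumed rules; a production system would
    use region-aware E.164 parsing.)"""
    value = identifier.strip()
    if "@" in value:
        return value.lower()
    digits = re.sub(r"\D", "", value)
    if not digits:
        raise ValueError("not a phone number or email address")
    return "+" + digits


def hash_identifier(identifier: str, key: bytes = IDENTIFIER_HMAC_KEY) -> str:
    """Irreversible keyed hash (HMAC-SHA256) used as the account lookup key.
    The identifier type is bound into the message so an email and a phone
    number can never collide."""
    canonical = normalise_identifier(identifier)
    kind = "email" if "@" in canonical else "phone"
    return hmac.new(key, f"{kind}:{canonical}".encode(), hashlib.sha256).hexdigest()


class AccountStore:
    """Constructed stand-in for the server-side account table: only the hash
    and a random user ID are kept, never the identifier itself."""

    def __init__(self):
        self._by_hash = {}

    def register(self, identifier: str, user_id: str) -> bool:
        h = hash_identifier(identifier)
        if h in self._by_hash:
            return False  # uniqueness check: this identifier already has an account
        self._by_hash[h] = user_id
        return True

    def lookup(self, identifier: str):
        return self._by_hash.get(hash_identifier(identifier))

    def stored_values(self):
        return list(self._by_hash.keys())
```

Without the key, nobody (including the server's own database) can recompute a hash from a guessed identifier, which is why the key must be held separately from the table.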

4.2 Public Cryptographic Keys

Your Signal Protocol identity key, signed pre-keys, and one-time pre-keys are stored on the server. These are public keys by design — they enable other users to establish encrypted sessions with you. They cannot be used to decrypt messages.

4.3 Device Information

A device identifier and optional device name for multi-device message delivery.

4.4 Push Notification Token

Encrypted with AES-256-GCM. Used for data-less wake-up notifications only — no message content, sender information, or metadata is ever included in push notifications.

4.5 Undelivered Messages

End-to-end encrypted messages queued for delivery to offline devices. These are opaque encrypted blobs that our server cannot read. Automatically deleted after successful delivery or after 7 days, whichever occurs first.

4.6 Username

If you choose to set one, your username is stored as your public display name. Usernames are optional and pseudonymous — they are chosen by you, are not verified against any real-world identity, and cannot be used by xthAB or any third party to identify who you are. A username does not constitute a user detail that could link your account to your real identity.

4.7 Account Metadata

A randomly generated user ID, registration timestamp, and last-seen timestamp are stored for service operation. These are pseudonymous identifiers — because your phone number or email is stored only as an irreversible hash and your username is optional and self-chosen, none of this metadata can be linked back to your real-world identity by xthAB or any third party.

4.8 Routing Metadata

When delivering messages, our server transiently processes sender and recipient pseudonymous user IDs (random identifiers not linked to real-world identities) and timestamps. This metadata is minimised and not retained beyond operational necessity. We do not build social graphs, analyse communication patterns, or retain metadata for commercial purposes.

5. Data Stored on Your Device Only

The following data exists exclusively on your device and is never transmitted to our servers:

  • Decrypted message history and conversation content
  • Private encryption keys (in your device's secure enclave)
  • Session ratchet state (Double Ratchet cryptographic keys)
  • Contacts and address book data
  • SMS messages and call logs (Android only)
  • Application preferences and settings
  • Safety number verification state

6. How We Protect Your Data

Cyfero employs multiple independent layers of encryption:

  • End-to-end encryption (Signal Protocol) — All user-to-user messages and media are encrypted with AES-256-GCM using unique per-message keys derived through the Double Ratchet algorithm. Each message uses a unique encryption key, providing forward secrecy (past messages stay safe if current keys are compromised) and post-compromise security (sessions self-heal after temporary compromise).
  • Transport encryption (TLS 1.3) — All connections between your device and our servers use TLS 1.3 with modern cipher suites. Mobile apps use certificate pinning (SPKI SHA-256) to prevent man-in-the-middle attacks.
  • Zero-knowledge identifier storage — Phone numbers and email addresses are stored exclusively as irreversible HMAC-SHA256 hashes. No encrypted or plaintext copy is retained. Push notification tokens are encrypted with AES-256-GCM. Original identifiers cannot be recovered from these hashes, even with full server access.
  • Credential protection (Argon2id) — Passwords are hashed using Argon2id with OWASP-compliant parameters (64 MB memory, 3 iterations). Original passwords are never stored.
  • Call encryption (WebRTC SRTP) — Voice and video calls are peer-to-peer with SRTP encryption. Our server only relays signalling data to establish the connection.
  • Encrypted Client Hello (ECH) — Via our CDN edge layer, the destination hostname is hidden from passive network observers (RFC 9849).

7. Third-Party Services

Cyfero does not use any third-party analytics, advertising, tracking, or behavioural profiling services. We do not share data with data brokers. We work with a strictly limited number of service providers, each bound by a Data Processing Agreement:

  • SMS delivery provider — When you register with a phone number, we use a third-party SMS provider to deliver your one-time verification code. Your phone number is shared with this provider solely and transiently for the purpose of delivering the SMS. The provider is contractually bound by a Data Processing Agreement (GDPR Art. 28) and may not use the number for any other purpose.
  • Push notification services — We use platform notification services (FCM for Android, APNs for iOS) with data-less wake-up payloads only. No message content, sender information, or metadata is included in push notifications.
  • CDN and DDoS protection — We use a content delivery network for TLS termination and DDoS protection. Encrypted traffic metadata (IP address, connection timing) passes through this layer. The CDN provider is bound by a Data Processing Agreement.
  • Payment processor (VoIP subscriptions) — If you subscribe to VoIP PSTN calling, payment processing is handled by Stripe. xthAB Limited does not store, process, or have access to your payment card details. Stripe is PCI DSS Level 1 certified.

We do not sell, share, or trade your personal information. No advertising. No data brokers. No behavioural analytics. No telemetry. This applies universally, not just when required by law.

8. Lawful Basis for Processing (UK GDPR)

Under UK GDPR, we process your data on the following lawful bases:

  • Contract (Art. 6(1)(b)) — Account creation, message delivery, key distribution, push notifications, and VoIP subscription billing are necessary to provide the Service you have signed up for.
  • Legitimate Interest (Art. 6(1)(f)) — Rate limiting and security logging to protect the Service from abuse, balanced against the minimal data used (IP addresses and request counts only, with no message content or user identifiers logged).
  • Consent (Art. 6(1)(a)) — Contact discovery is optional, user-initiated, and can be withdrawn at any time through your settings.

9. Data Retention

  • Account data — Retained until you delete your account. Deletion is immediate and cascades to all associated server-side data (devices, keys, queued messages, sessions).
  • Undelivered messages — Automatically deleted after successful delivery or 7 days, whichever comes first. Content is end-to-end encrypted and unreadable by the server.
  • One-time pre-keys — Deleted immediately after use (single-use by design to provide forward secrecy).
  • Session tokens — Access tokens expire after 15 minutes. Refresh tokens expire after 7 days or upon revocation.
  • IP addresses — Held in memory for rate limiting during your active session only. Not persisted to disk. Not associated with your account.
  • Operational logs — Minimal logs retained for 30 days for security incident response. Logs contain no message content, no passwords, no decrypted PII, and no user identifiers.
  • Admin audit logs — Retained for 1 year for accountability purposes.

10. Your Rights

Under UK GDPR, EU GDPR, and applicable data protection laws, you have the following rights:

  • Right of access (Art. 15) — Request the personal data we hold about you. Available via in-app data export (machine-readable JSON format).
  • Right to rectification (Art. 16) — Correct inaccurate data via in-app profile editing (username, phone number with re-verification, email).
  • Right to erasure (Art. 17) — Delete your account and all associated server-side data at any time from Settings. Deletion is immediate and permanent.
  • Right to restrict processing (Art. 18) — Request restriction via account deactivation.
  • Right to data portability (Art. 20) — Export your account data in machine-readable JSON format.
  • Right to object (Art. 21) — Object to processing based on legitimate interests. Contact discovery can be disabled at any time.

You can delete your account at any time from the Settings screen. This permanently removes all server-side data associated with your account, including hashed identifiers, cryptographic keys, device records, and queued messages. This action is irreversible.

To exercise any right, use the in-app options or contact us at privacy@cyfero.me. We will respond within 30 days as required by law.

11. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to know — You may request disclosure of the categories and specific pieces of personal information we collect, the sources, the purposes, and third parties with whom we share information.
  • Right to delete — You may request deletion of your personal information (available via in-app account deletion).
  • Right to correct — You may request correction of inaccurate information (available via in-app profile editing).
  • Right to opt-out of sale or sharing — Cyfero does not sell or share your personal information. We have never sold personal information and will never do so. No opt-out is necessary, but the right is honoured.
  • Right to limit use of sensitive personal information — We collect and use sensitive personal information (phone number, email) only for providing the Service. No additional limitation is necessary.
  • Right to non-discrimination — We will not discriminate against you for exercising any CCPA rights.

We honour the Global Privacy Control (GPC) signal. Cyfero does not engage in cross-context behavioural advertising, so GPC has no practical effect on our processing, but the signal is respected as a matter of principle.

To exercise California-specific rights, contact us at privacy@cyfero.me. We will verify your identity before processing your request and respond within 45 days.

12. Data Accessibility and Transparency

xthAB Limited is a UK-registered company and acknowledges its obligations under applicable regulatory frameworks. As described in Sections 3 and 4 of this policy, Cyfero's zero-knowledge architecture limits the data that exists on our servers to the following:

  • Phone numbers and email addresses — Stored exclusively as irreversible HMAC-SHA256 hashes. No encrypted copy, no plaintext copy, and no reversible representation exists on our servers. Original values cannot be recovered from these hashes.
  • Message content — End-to-end encrypted with the Signal Protocol. Decryption keys exist only on user devices. Our server stores opaque ciphertext.
  • Call content — Voice and video calls are peer-to-peer with WebRTC SRTP encryption. Our server relays signalling data only; it never handles audio or video streams.
  • Private encryption keys — Generated and stored exclusively on user devices. Never transmitted to our servers.
  • Contact lists, SMS, and call history — Stored locally on your device only. Never uploaded to our servers.
  • Usernames — Optional and pseudonymous. Chosen by the user, not verified against any real-world identity.
  • Account metadata — Random user IDs and timestamps linked to irreversible hashes, not to real-world identities.

In summary: The data on our servers consists of pseudonymous identifiers, irreversible hashes, and encrypted content for which decryption keys exist only on user devices. User-identifiable information does not exist on the server in any accessible form.

Our commitments:

  • We will respond to valid, lawful requests — transparently explaining the data that exists on our servers
  • We will challenge overbroad or unlawful requests
  • We will notify affected users where legally permitted
  • We will never build backdoors, weaken encryption, introduce key escrow mechanisms, or implement client-side content scanning
  • We will never re-architect the system to store user-identifiable information
  • We will never retain data beyond operational necessity
  • We will publish a transparency report with aggregate statistics of requests received and our responses

13. International Data Transfers

Our servers are located in the United Kingdom. If you access Cyfero from outside the UK, your data is transmitted to and processed in the UK. The European Commission has granted the UK an adequacy decision (effective 28 June 2021), meaning EU-to-UK data transfers do not require additional safeguards under current adequacy status. For users in other jurisdictions, Cyfero's end-to-end encryption provides robust technical protection for communication content regardless of server location — the server stores only encrypted data it cannot read.

14. Children's Privacy

Cyfero is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. Age is confirmed via self-declaration at registration. If we become aware that a child under 13 has registered, we will promptly delete the account and all associated data. If you believe a child under 13 has created a Cyfero account, please contact us at privacy@cyfero.me.

15. Cookies and Tracking

Cyfero's web application uses essential cookies only:

  • Session cookie — Authentication token for the web application. Essential for service operation.
  • CSRF token — Cross-site request forgery protection. Essential for security.

We do not use:

  • Analytics cookies (no Google Analytics, no Matomo, no Plausible, no equivalent)
  • Advertising cookies or tracking pixels
  • Social media trackers or widgets
  • Browser fingerprinting
  • Cross-site tracking of any kind
  • Any non-essential cookies

16. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals, as required by UK GDPR Art. 33. If the breach poses a high risk to your rights and freedoms, we will notify affected users without undue delay via in-app notification and email (where available), clearly stating what data was and was not affected. Due to our end-to-end encryption and zero-knowledge identifier storage, a server-side data breach does not expose message content or real-world user identifiers (phone numbers and email addresses are stored only as irreversible hashes).

17. Safety Number Verification

Cyfero provides a safety number verification feature that enables you to verify that your encrypted session with another user has not been intercepted (man-in-the-middle attack). Safety numbers are derived from both parties' public identity keys using iterated SHA-512 hashing and can be compared as a 60-digit number or scanned as a QR code. We encourage you to verify safety numbers for sensitive conversations.
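To make the derivation concrete, here is an added illustrative implementation (not Cyfero's code) of a Signal-style numeric fingerprint. The 2-byte version prefix and the 5200-round iteration count are assumptions taken from Signal's reference design, and the sample keys and user IDs are constructed for the example.

```python
import hashlib
import hmac

FINGERPRINT_VERSION = 0   # assumption: 2-byte version prefix, as in Signal's design
ITERATIONS = 5200         # assumption: iteration count from Signal's reference design
DIGITS_PER_CHUNK = 5
CHUNKS = 6                # 6 chunks x 5 digits = 30 digits per party, 60 in total

# Constructed sample identity keys and stable user IDs (not real keys).
ALICE_KEY, ALICE_ID = bytes(range(0, 32)), b"alice-user-id"
BOB_KEY, BOB_ID = bytes(range(32, 64)), b"bob-user-id"
MITM_KEY = bytes(range(64, 96))  # an attacker's key substituted for Bob's


def _party_digits(identity_key: bytes, stable_id: bytes) -> str:
    """Iterated SHA-512 over (version || public key || stable id), then the
    first 30 bytes are turned into six 5-digit groups."""
    digest = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for i in range(CHUNKS):
        chunk = int.from_bytes(digest[5 * i:5 * i + 5], "big")
        groups.append(f"{chunk % 10 ** DIGITS_PER_CHUNK:0{DIGITS_PER_CHUNK}d}")
    return "".join(groups)


def safety_number(my_key, my_id, their_key, their_id) -> str:
    """60-digit safety number; sorting the two halves makes both parties
    compute the identical string."""
    return "".join(sorted([_party_digits(my_key, my_id),
                           _party_digits(their_key, their_id)]))


def format_for_display(number: str) -> str:
    """Group into 5-digit blocks for reading aloud or comparing on screen."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


def matches(shown: str, scanned: str) -> bool:
    """Compare the on-screen number with a QR-scanned one; a mismatch means the
    session's identity key is not the one the peer is using."""
    a = shown.replace(" ", "").encode()
    b = scanned.replace(" ", "").encode()
    return hmac.compare_digest(a, b)


def demo():
    sn = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    # Bob's device derives the same number from the same key material.
    same = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    # If an intermediary substituted its own key, the number changes.
    tampered = safety_number(ALICE_KEY, ALICE_ID, MITM_KEY, BOB_ID)
    return sn, same, tampered
```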

18. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to users through the application before they take effect. The version number and effective date at the top of this page will always reflect the current version. Previous versions will be made available upon request. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

19. Supervisory Authority

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with a data protection supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, you may contact your local supervisory authority. For California residents, you may contact the California Attorney General at oag.ca.gov.

20. Contact Us

For privacy-related enquiries, data subject requests, or complaints:

xthAB Limited
Privacy enquiries: privacy@cyfero.me
Security issues: security@cyfero.me
Legal matters: legal@cyfero.me