Terms of Service

Version 1.0 — Effective: April 2026

Last updated: April 2026

1. Agreement

By creating an account or using Cyfero ("the Service"), you agree to these Terms of Service ("Terms"). The Service is provided by xthAB Limited ("we", "us", "our"), a company registered in the United Kingdom. If you do not agree to these Terms, do not use the Service.

These Terms are supplemented by our Privacy Policy, which explains how we handle your data. Together, these documents form the complete agreement between you and xthAB Limited regarding your use of the Service.

2. Description of Service

Cyfero is a communication platform that provides end-to-end encrypted messaging, voice calls, and video calls. The Service is available on Android, iOS, and Web. All communications between Cyfero users are encrypted using the Signal Protocol (X3DH key agreement and Double Ratchet message encryption) — xthAB Limited cannot access message content or call audio/video.

On Android, Cyfero additionally provides local SMS management and call management functionality using the device's native capabilities. This data remains on your device and is never transmitted to our servers.

3. Eligibility

To use the Service, you must:

  • Be at least 13 years old (or the minimum age required by law in your jurisdiction, if higher).
  • Have the legal capacity to enter into a binding agreement.
  • Not be prohibited from using the Service under the laws of your jurisdiction.
  • Not have been previously terminated from the Service for a violation of these Terms.

By creating an account, you represent and warrant that you meet these eligibility requirements.

4. User Accounts

  • You may register with a phone number or email address — your choice.
  • You are responsible for maintaining the security of your account credentials, recovery codes, and encryption keys.
  • You are responsible for all activity that occurs under your account.
  • You must promptly notify us at security@cyfero.me if you suspect unauthorised access to your account.
  • You may delete your account at any time from the application Settings. Deletion permanently removes all server-side data, including hashed identifiers, cryptographic keys, device records, and queued messages.
  • If you lose access to your device and have not set up multi-device, your encryption keys and message history cannot be recovered by xthAB Limited or anyone else. This is a consequence of the encryption protecting your communications.

5. Acceptable Use

You agree not to use the Service to:

  • Violate any applicable laws or regulations in your jurisdiction.
  • Send spam, bulk unsolicited messages, or automated messages.
  • Distribute malware, ransomware, or other harmful software.
  • Engage in harassment, threats, abuse, or hate speech.
  • Distribute child sexual abuse material (CSAM) or exploit minors in any way.
  • Impersonate others or misrepresent your identity.
  • Interfere with, disrupt, or attempt to gain unauthorised access to the Service, its infrastructure, or other users' accounts or data.
  • Attempt to circumvent, reverse-engineer, decompile, or exploit the Service's security measures or source code.
  • Use the Service to facilitate any form of fraud or financial crime.
  • Create multiple accounts to evade enforcement actions.

While Cyfero uses end-to-end encryption and we cannot monitor message content, you remain solely responsible for your use of the Service and must comply with all applicable laws. Users who are reported for violating these Terms may be subject to account-level enforcement actions (warning, suspension, or termination) based on available metadata and user reports, without requiring access to message content.

6. Encryption and Privacy Commitments

Cyfero uses end-to-end encryption based on the Signal Protocol for all user-to-user communications. This means:

  • We cannot read your messages, view your media, or listen to your calls.
  • We cannot recover your encryption keys or message history if you lose your device.
  • We cannot identify you from the data on our servers — your phone number or email is stored only as an irreversible cryptographic hash that cannot be reversed, even by xthAB.
  • We cannot provide user-identifiable information from our servers — because we do not possess it. Your phone number or email is stored only as an irreversible cryptographic hash, message content is E2EE ciphertext, and accounts are identified by pseudonymous IDs not linked to real-world identities.
  • We will not build backdoors, weaken encryption, introduce key escrow mechanisms, or implement client-side content scanning.
  • We will not re-architect the system to store user-identifiable information.
  • We will not share, sell, or trade your personal information with any third party for any purpose.

Data accessibility: Due to the encryption and zero-knowledge architecture described above, user-identifiable information does not exist on our servers in any accessible form. This is an architectural reality, not a policy promise.

You accept that the strong encryption protecting your communications also means that data loss due to device loss is irrecoverable. This is a fundamental trade-off of genuine end-to-end encryption.

Please refer to our Privacy Policy for full details on data handling.

7. Data Processing

By using the Service, you acknowledge that:

  • Your phone number or email address is processed for account creation and verification through a stateless verification flow. After verification, only an irreversible cryptographic hash is stored — no encrypted copy, no plaintext copy, and no reversible representation of your identifier is retained on our servers.
  • Public cryptographic keys are distributed to other users to establish encrypted sessions.
  • End-to-end encrypted messages are temporarily queued on our servers for offline delivery (maximum 7 days), after which they are automatically deleted.
  • Minimal routing metadata (sender/recipient user IDs, timestamps) is processed transiently to deliver messages and is not retained beyond operational necessity.
  • When registering with a phone number, a third-party SMS provider delivers your verification code, necessarily receiving your phone number for that purpose. This provider is bound by a Data Processing Agreement.
  • We do not build social graphs, analyse communication patterns, or profile user behaviour in any way.

8. VoIP Services

Cyfero offers optional VoIP PSTN calling as a recurring subscription service. This service connects your Cyfero app to the public switched telephone network (PSTN), enabling outbound and inbound calls to landlines and mobile numbers worldwide.

  • VoIP subscriptions are billed on a recurring basis (monthly or annual) as selected at the time of subscription.
  • Pricing and per-minute calling rates are disclosed before subscription activation and may be updated with 30 days' prior notice.
  • You may cancel your subscription at any time via your account settings. Cancellation takes effect at the end of the current billing period. No refunds are issued for partial billing periods.
  • Dedicated VoIP phone numbers are provisioned per subscription and may be released upon cancellation after a 30-day grace period.
  • VoIP services use standard telephony infrastructure and are not end-to-end encrypted. This is a limitation of the PSTN system, not Cyfero's encrypted messaging features. VoIP calls are separate from Cyfero-to-Cyfero encrypted calls.
  • Payment processing is handled by Stripe. xthAB Limited does not store your payment card details.

8.1 Emergency Services

Cyfero's VoIP service is not a replacement for traditional telephone services and must not be relied upon for emergency calls (e.g., 999, 112, 911). VoIP calls may not support emergency number dialling, may not transmit your location to emergency services, and may be unavailable during internet outages. You must maintain access to a traditional telephone service for emergency calling.

9. Content Reporting

Because Cyfero uses end-to-end encryption, we cannot monitor or review the content of your messages. However, we provide mechanisms for user safety:

  • You may report an account for abusive behaviour through the in-app reporting feature.
  • Reports include the reported account identifier and your description of the issue. Reports do not include message content (we cannot access it).
  • We may take account-level enforcement actions (warning, suspension, termination) based on reports and available metadata, without requiring access to message content.
  • Serious reports involving child exploitation or terrorism will be escalated to the relevant authorities as required by law. Due to our zero-knowledge architecture, the data available is limited to pseudonymous account identifiers and the reporter's description — message content and real-world identity information do not exist on our servers.

10. Open-Source Attribution

Cyfero's end-to-end encryption is based on the Signal Protocol specifications (X3DH key agreement and Double Ratchet message encryption), which are published in the public domain by Signal Foundation. Cyfero's implementation is independent and is not affiliated with, endorsed by, or connected to Signal Messenger LLC or Signal Foundation.

Cyfero uses free and open-source software (FOSS) libraries in accordance with their respective licences. A full list of dependencies and their licences is available in the application's about screen.

11. Intellectual Property

Cyfero, its logo, brand identity, and all associated materials are the proprietary property of xthAB Limited. The Service's source code is proprietary and not available for public contribution. You may not use our trademarks, logos, or brand elements without prior written permission.

You retain ownership of all content you create or transmit through the Service. We do not claim any rights over your content. Due to end-to-end encryption, we cannot access your content in any case.

12. Service Availability

We strive to maintain the Service with high availability but do not guarantee uninterrupted access. The Service may be temporarily unavailable due to maintenance, updates, or circumstances beyond our control. We will endeavour to provide advance notice of planned maintenance where practicable.

13. Disclaimers

The Service is provided "as is" and "as available" without warranty of any kind. To the fullest extent permitted by law, xthAB Limited disclaims all warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

While we employ industry-leading encryption and security measures, no security system is infallible. We do not warrant that the Service will be immune to all forms of attack, interception, or compromise. We document our security architecture and known limitations transparently.

14. Limitation of Liability

To the fullest extent permitted by applicable law, xthAB Limited shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the Service, including but not limited to:

  • Loss of data or communications due to device loss or encryption key loss
  • Service interruption or unavailability
  • Security incidents affecting server-side data
  • Inability to make emergency calls via VoIP
  • Actions of other users of the Service

Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under the laws of England and Wales.

15. Indemnification

You agree to indemnify and hold harmless xthAB Limited, its officers, directors, and employees from any claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising from your violation of these Terms, your misuse of the Service, or your violation of any applicable law.

16. Termination

We reserve the right to suspend or terminate accounts that violate these Terms. Enforcement actions are based on account-level signals and user reports, not on message content (which we cannot access). You may terminate your account at any time by deleting it through the application. Upon termination, your server-side data will be permanently deleted, including hashed identifiers, cryptographic keys, device records, and queued messages.

Sections 6 (Encryption Commitments), 11 (Intellectual Property), 13 (Disclaimers), 14 (Limitation of Liability), 15 (Indemnification), and 18 (Governing Law) survive termination.

17. Export Compliance

The Service incorporates cryptographic technology. You agree not to use or access the Service in violation of any applicable export control laws or regulations, including but not limited to the UK Export Control Act 2002, the US Export Administration Regulations (EAR), or EU Dual-Use Regulation (2021/821). You represent that you are not located in a country subject to comprehensive sanctions and are not on any restricted party list.

18. Governing Law and Dispute Resolution

These Terms are governed by the laws of England and Wales. Any disputes arising from or in connection with these Terms or your use of the Service shall be subject to the exclusive jurisdiction of the courts of England and Wales.

If you are a consumer in the European Union, nothing in this section limits your statutory rights under the consumer protection laws of your country of residence.

19. Force Majeure

xthAB Limited shall not be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond our reasonable control, including but not limited to natural disasters, government actions, network failures, internet outages, or denial-of-service attacks.

20. General Provisions

  • Severability — If any provision of these Terms is held to be unenforceable or invalid, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.
  • No waiver — Our failure to enforce any right or provision of these Terms does not constitute a waiver of that right or provision.
  • Assignment — You may not assign or transfer your rights under these Terms. We may assign our rights and obligations to a successor entity in the event of a merger, acquisition, or sale of substantially all assets, provided the successor assumes all obligations under these Terms.
  • Entire agreement — These Terms and the Privacy Policy constitute the entire agreement between you and xthAB Limited regarding the Service, superseding any prior agreements.
  • No third-party rights — These Terms do not confer any rights on any third party under the Contracts (Rights of Third Parties) Act 1999.
  • Electronic communications — By using the Service, you consent to receiving communications from us electronically (in-app notifications, email). These electronic communications satisfy any legal requirement that such communications be in writing.

21. Changes to These Terms

We may update these Terms from time to time. Material changes will be communicated to users through the application before they take effect, with at least 30 days' notice for material changes. The version number and effective date at the top of this page will always reflect the current version. Continued use of the Service after changes take effect constitutes acceptance of the updated Terms.

22. Contact

For questions about these Terms, contact us at:

xthAB Limited
Legal matters: legal@cyfero.me
General support: support@cyfero.me