Privacy Policy - Friendly Chat

Last Updated: January 2026

Introduction

Friendly App ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use Friendly App, a secure messaging application designed for people who have met in person.

Our Core Privacy Principle: We implement a zero-trust security model where your personal encryption keys never leave your device and are never shared with our servers. This means we cannot read your messages, even if we wanted to.

Information We Collect

1. Device Information

Device ID:

  • We collect a unique device identifier (UUID) that is generated on your device
  • This identifier is used to authenticate your device and enable message delivery
  • The device ID is stored on our servers and is required for the app to function
  • We do not link your device ID to your real-world identity

FCM Token (Firebase Cloud Messaging Token):

  • We collect a Firebase Cloud Messaging (FCM) token to send push notifications
  • This token is provided by Google Firebase and is required for background notifications
  • The token is stored on our servers and associated with your device ID
  • We do not use this token for any purpose other than sending notifications

2. Beta Testing Information (If Applicable)

Email Address:

  • If you sign up for beta testing, we collect your email address
  • This is used solely for beta access management and approval notifications
  • Email addresses are stored on our servers in a beta access database
  • We do not use your email for marketing or share it with third parties

3. Message Data

Encrypted Message Content:

  • Messages are encrypted on your device before transmission using end-to-end encryption
  • We store encrypted message content on our servers temporarily (until delivery is confirmed)
  • We cannot decrypt or read your messages - they are encrypted with keys that never leave your device
  • After delivery confirmation, message content is deleted from our servers (typically within minutes)
  • Only message metadata (sender, recipient, timestamp) may be retained for a limited time

Message Metadata:

  • We store minimal metadata: sender device ID, recipient device ID, timestamp, message type
  • This metadata is used for message routing and delivery
  • Metadata may be retained temporarily for operational purposes

4. Friendship and Group Data

Friendship Information:

  • We store friendship relationships between device IDs
  • This includes when friendships were created and their current status
  • We do not store or have access to your friends' real-world identities

Group Chat Information:

  • We store group metadata (group name, member device IDs, creation date)
  • Group metadata is encrypted and we cannot read it without your keys
  • We cannot see group names or member lists in plain text

5. Media Files

Encrypted Media:

  • Media files (photos, videos) are encrypted on your device before upload
  • Encrypted media is stored on our servers temporarily until delivery
  • We cannot view or access your media files - they are encrypted with keys we don't have
  • After delivery confirmation, media files are deleted from our servers

6. Usage Information

Connection Status:

  • We track whether your device is online or offline for message delivery purposes
  • This information is used to determine when to send push notifications
  • Connection status is not linked to your real-world identity

Last Seen Timestamp:

  • We store the last time your device connected to our servers
  • This is used for operational purposes and message delivery optimization

How We Use Your Information

We use the information we collect solely for the following purposes:

  1. Message Delivery: To route and deliver encrypted messages between devices
  2. Push Notifications: To notify you when you receive new messages (when the app is in the background)
  3. Service Operation: To maintain and improve the functionality of the app
  4. Beta Access Management: To manage beta testing program access (if applicable)
  5. Security: To prevent abuse and fraud and to ensure service security

We do NOT:

  • Sell your data to third parties
  • Use your data for advertising or marketing
  • Share your data with third parties except as required by law
  • Read or decrypt your messages
  • Track your location
  • Access your contacts or other personal information on your device

Zero-Trust Security Model

Friendly App implements a unique zero-trust security model:

Personal Encryption Keys:

  • Your personal encryption keys (RSA-2048 private keys) are generated on your device
  • These keys NEVER leave your device - they are never transmitted to our servers
  • Keys are stored securely on your device using encrypted secure storage
  • Keys are only exchanged with friends via Bluetooth during in-person meetings

Message Encryption:

  • Messages are encrypted on your device using your friend's public key
  • We receive only encrypted message content that we cannot decrypt
  • Even if our servers were compromised, attackers could not read your messages
  • Each message is encrypted per-recipient, ensuring privacy in group chats

Server Wrapper Encryption:

  • Messages are wrapped with a server wrapper key for relay purposes
  • The server can unwrap messages for routing but cannot decrypt the inner encryption layer
  • Wrapper keys are separate from your personal keys and stored encrypted

Data Storage and Retention

Server-Side Storage

Temporary Storage:

  • Encrypted message content is stored temporarily until delivery is confirmed
  • Typically deleted within minutes of successful delivery
  • Maximum retention: 7 days (for undelivered messages), then automatically deleted

Persistent Storage:

  • Device IDs and FCM tokens are stored indefinitely (required for app functionality)
  • Friendship relationships are stored while friendships are active
  • Message metadata may be retained for a limited time for operational purposes
  • Beta access email addresses are stored while in the beta program

Automatic Deletion:

  • Undelivered messages are automatically deleted after 7 days
  • Expired messages are cleaned up by automated background processes
  • When you revoke a friendship, associated messages are deleted from our servers

Client-Side Storage

Local Database:

  • Messages are stored locally on your device in an encrypted database
  • Decrypted message content is cached locally for display
  • You control local message storage - you can delete messages at any time

Secure Storage:

  • Encryption keys are stored in secure, encrypted storage on your device
  • Keys are protected by device-level security (iOS Keychain, Android Keystore)

Third-Party Services

Firebase Cloud Messaging (FCM)

Purpose: We use Google Firebase Cloud Messaging (FCM) to send push notifications.

Data Shared:

  • Your FCM token (provided by Google)
  • Message notification metadata (sender device ID, message ID - no message content)

Privacy:

  • FCM is a Google service subject to Google's Privacy Policy
  • We only use FCM for push notifications - we do not use Firebase Analytics
  • FCM tokens are not used for tracking or advertising
  • Message content is never sent to Firebase - only notification metadata
  • FCM data is processed by Google in the United States
  • For EU users: Google participates in the EU-US Data Privacy Framework (DPF), providing appropriate safeguards for data transfers

Firebase Privacy Policy: https://firebase.google.com/support/privacy

No Other Third-Party Services

We do not use:

  • Analytics services
  • Advertising networks
  • Crash reporting services (in production)
  • User tracking services
  • Location services

Your Rights and Choices

Access Your Data

Device Information:

  • You can view your device ID in the app settings
  • You cannot access server-side data directly, but you can request deletion

Local Data:

  • All your messages and data stored locally on your device are under your control
  • You can view, export, or delete local data at any time

Delete Your Data

Delete Messages:

  • You can delete individual messages or entire conversations from your device
  • Deleted messages are removed from local storage immediately
  • Server-side message content is already deleted after delivery

Revoke Friendships:

  • When you revoke a friendship, all messages with that friend are deleted
  • This deletion is permanent and cannot be undone
  • Server-side messages are also deleted when friendships are revoked

Delete Account:

  • To delete your account, contact us at friendly@friendlyapp.net
  • We will delete your device ID, FCM token, and all associated data
  • This action is permanent and cannot be undone
  • Note: Messages stored on your friends' devices will remain on their devices

Data Portability

Export Your Data:

  • You can export your local messages and data from the app
  • Contact us if you need assistance exporting your data

Opt-Out

Push Notifications:

  • You can disable push notifications in your device settings
  • Disabling notifications does not affect message delivery, only notifications

Beta Program:

  • You can request removal from the beta program at any time
  • Contact us to have your beta access data deleted

Children's Privacy

Friendly App is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will delete the information.

International Users

Data Location:

  • Our servers are located in Knoxville, Tennessee, United States.
  • Your data may be processed and stored in Knoxville, Tennessee, United States.

International Data Transfers (GDPR):

  • If you are in the European Economic Area (EEA), your data will be transferred to and processed in the United States
  • The United States is not recognized by the European Commission as providing an adequate level of data protection
  • To ensure your data is protected in accordance with GDPR, we implement appropriate safeguards for international data transfers:
    • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers to the United States
    • Additional Safeguards: We implement technical and organizational measures to protect your data, including end-to-end encryption, secure storage, and data minimization
    • Data Minimization: We only transfer the minimum data necessary for service operation
    • Encryption: All message content is encrypted before transfer and we cannot decrypt it
  • By using Friendly App, you consent to the transfer of your data to the United States in accordance with these safeguards

GDPR (European Users):

  • If you are in the European Economic Area (EEA), you have additional rights under GDPR
  • You have the right to access, rectify, and erase your data, to restrict its processing, and to data portability
  • You have the right to object to processing and withdraw consent
  • You have the right to lodge a complaint with your local data protection authority
  • To exercise these rights, contact us at friendly@friendlyapp.net

CCPA (California Users):

  • If you are a California resident, you have additional rights under CCPA
  • You have the right to know what personal information we collect and how it's used
  • You have the right to delete your personal information
  • You have the right to opt out of the sale of personal information (we do not sell data)
  • To exercise these rights, contact us at friendly@friendlyapp.net

Security Measures

We implement industry-standard security measures to protect your data:

  1. Encryption: All messages are encrypted end-to-end before transmission
  2. Secure Storage: Keys are stored in encrypted secure storage on your device
  3. Server Security: Servers use HTTPS/TLS for all communications
  4. Access Controls: Server access is restricted and monitored
  5. Regular Updates: We regularly update the app to address security vulnerabilities
  6. Zero-Trust Model: We cannot decrypt your messages even if we wanted to

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy in the app
  • Updating the "Last Updated" date at the top of this policy
  • Sending a notification through the app (for significant changes)

Your continued use of the app after changes become effective constitutes acceptance of the updated policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Email: friendly@friendlyapp.net
Website: friendlyapp.io

Data Protection Inquiries: For GDPR-related inquiries, please contact our Data Protection Officer at friendly@friendlyapp.net

Legal Basis for Processing (GDPR)

For users in the EEA, we process your data based on:

  1. Legitimate Interest: Message delivery, service operation, and security
  2. Consent: Beta testing program participation (where applicable)
  3. Contractual Necessity: Providing the messaging service you requested

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  1. Notify affected users within 72 hours (as required by GDPR)
  2. Notify relevant authorities as required by law
  3. Provide details about what data was affected and what steps we're taking

Note: Due to our zero-trust encryption model, even in the event of a server breach, your message content would remain protected because we cannot decrypt it.

Additional Information

What We Cannot See

Due to our zero-trust security model, we cannot see:

  • Your message content (encrypted with keys we don't have)
  • Your friends' real-world identities (only device IDs)
  • Group chat names or member lists in plain text (encrypted metadata)
  • Media file content (encrypted before upload)
  • Your personal encryption keys (never leave your device)

What We Can See

For operational purposes, we can see:

  • Device IDs (anonymous identifiers)
  • Message routing metadata (sender/recipient device IDs, timestamps)
  • Connection status (online/offline)
  • FCM tokens (for push notifications)

Data Minimization

We follow the principle of data minimization:

  • We only collect data necessary for the app to function
  • We delete data as soon as it's no longer needed
  • We do not collect unnecessary personal information
  • We do not track your behavior or usage patterns

This Privacy Policy is effective as of the date listed above. By using Friendly App, you agree to the collection and use of information in accordance with this policy.