$ cat privacy.txt

privacy policy

plain language. last updated: April 2026.


// what we collect

username: the temporary handle you choose. stored in hashed form with your public key. deleted when your identity expires or is deleted.

public key: your ECDH public key, generated in your browser. stored so others can encrypt messages to you. it is not a secret.

ciphertext: the encrypted content of your messages. we store this to relay messages. we cannot read it. it expires and is deleted automatically.

metadata: we observe who initiated conversations with whom and when. message content is not observable. we do not store IP addresses persistently.

billing (pro and power): Stripe collects your payment details. plaintxt receives only a Stripe customer ID and subscription status — no card numbers, no billing address.

// your private key

your private key is generated inside your browser and stored in IndexedDB. it never leaves your device. plaintxt has no copy of it and cannot recover it. if you clear browser site data, close an incognito window, or switch to a different device, your key — and access to all past encrypted messages — is permanently gone. this is by design.

// ads

plaintxt does not serve ads. we do not accept payment from advertisers. the app is funded by Pro subscriptions.

// android app

the plaintxt Android app follows this same policy. on Android your private key is stored encrypted by the Android Keystore on your device, never in cloud backups, and never leaves the device unencrypted. uninstalling the app destroys your keys.

push notifications (optional): if you allow notifications, a delivery token is registered with Google Firebase Cloud Messaging (Android) or your browser's push service (web). notification payloads contain only opaque message IDs — never message content or usernames. tokens are deleted when your identity is deleted or expires.

deleting your identity and data is immediate and self-service — see plaintxt.app/delete-account.

// contact

privacy questions: contact page. we do not have a legal department — we are a small project. we will respond to reasonable requests as promptly as we can.

// what we do not collect

no email address

no phone number to create an identity or send messages (SMS notifications are separate and opt-in — see below)

no real name

no device fingerprinting

no third-party analytics (no Google Analytics, Mixpanel, etc.)

no advertising trackers

no cookies beyond what is required for session management

no selling or sharing of data with third parties

no persistent logs of message content

// message expiry and deletion

messages are hard-deleted from our database automatically: 60 seconds after the recipient marks them as read, or 24 hours after sending — whichever comes first. "hard-deleted" means the row is removed, not soft-deleted or archived. identities are hard-deleted when they expire (24 hours) or when you manually delete them.

// third parties

Stripe: payment processing for Pro subscriptions. subject to Stripe's own privacy policy. plaintxt does not see your card details.

Cloudflare: infrastructure (Workers, D1, R2, Durable Objects). subject to Cloudflare's data processing terms. network-level metadata may be visible to Cloudflare as our infrastructure provider.

Telnyx: delivers SMS verification codes and account notifications, and only if you opt in with your mobile number. subject to Telnyx's own privacy terms.

// SMS messages (opt-in only)

plaintxt does not require a phone number. if you choose to opt in, we collect the mobile number you enter solely to send you one-time verification codes and account notifications, delivered through our SMS provider (Telnyx). message frequency varies; message and data rates may apply. reply STOP to opt out at any time, or HELP for help.

your mobile information will not be sold or shared with third parties for promotional or marketing purposes. we do not build marketing lists or send promotional SMS.