$ cat privacy.txt

privacy policy

plain language. last updated: April 2026.

// what we collect

username: the temporary handle you choose. stored in hashed form with your public key. deleted when your identity expires or is deleted.

public key: your ECDH public key, generated in your browser. stored so others can encrypt messages to you. it is not a secret.

ciphertext: the encrypted content of your messages. we store this to relay messages. we cannot read it. it expires and is deleted automatically.

metadata: we observe who initiated conversations with whom and when. message content is not observable. we do not store IP addresses persistently.

billing (pro and power): Stripe collects your payment details. plaintxt receives only a Stripe customer ID and subscription status — no card numbers, no billing address.

// your private key

your private key is generated inside your browser and stored in IndexedDB. it never leaves your device. plaintxt has no copy of it and cannot recover it. if you clear browser site data, close an incognito window, or switch to a different device, your key — and access to all past encrypted messages — is permanently gone. this is by design.

// ads

plaintxt does not serve ads. we do not accept payment from advertisers. the app is funded by Pro subscriptions.

// contact

privacy questions: contact page. we do not have a legal department — we are a small project. we will respond to reasonable requests as promptly as we can.

// what we do not collect

✗ no email address

✗ no phone number

✗ no real name

✗ no device fingerprinting

✗ no third-party analytics (no Google Analytics, Mixpanel, etc.)

✗ no advertising trackers

✗ no cookies beyond what is required for session management

✗ no selling or sharing of data with third parties

✗ no persistent logs of message content

// message expiry and deletion

messages are hard-deleted from our database automatically: 60 seconds after the recipient marks them as read, or 24 hours after sending — whichever comes first. "hard-deleted" means the row is removed, not soft-deleted or archived. identities are hard-deleted when they expire (24 hours) or when you manually delete them.

// third parties

Stripe: payment processing for Pro subscriptions. subject to Stripe's own privacy policy. plaintxt does not see your card details.

Cloudflare: infrastructure (Workers, D1, R2, Durable Objects). subject to Cloudflare's data processing terms. network-level metadata may be visible to Cloudflare as our infrastructure provider.