PRIVACY POLICY

Etoee ("we," "us," "our") operates the Etoee encrypted messaging platform, including the website at etoee.app, desktop applications, and mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, and protect information when you use the Service.

Etoee is built on a zero-knowledge architecture. We cannot read your messages, see your contacts, identify your group memberships, or access your files. The server processes encrypted blobs that are indistinguishable from random noise without your private keys, which never leave your device.

> Account data

• Handle — your chosen username, publicly visible on the network
• Public keys — your cryptographic public keys (identity, signed prekeys, one-time prekeys), required for end-to-end encryption to function
• Account creation date — timestamp of when your account was registered
• Access code — which access code was redeemed during registration (the code itself, not linked to payment identity)

> Technical data

• Connection timestamps — when your device connects to or disconnects from the Service
• Message delivery metadata — timestamps of when encrypted blobs are delivered to and retrieved from your mailbox (we cannot see sender, recipient, or content)
• IP addresses — processed transiently by our infrastructure provider (Cloudflare) for connection routing and abuse prevention; not logged or stored by Etoee

> Payment data (via Paddle)

• Transaction reference — a Paddle transaction ID associated with your access code purchase
• Rate-limit HMACs — one-way cryptographic hashes of your payment email and payment method, used solely to enforce purchase rate limits and prevent abuse. We cannot reverse these hashes to obtain your email or payment details.

Paddle (our Merchant of Record) processes your payment information directly. We never receive, store, or have access to your credit card number, billing address, or email address. Paddle's privacy policy governs their processing of your payment data.

The following data is never collected, stored, or accessible to Etoee by design:

• Your name, email address, phone number, or any personally identifiable information
• Message content — all messages are end-to-end encrypted
• Your contact list — stored only on your device
• Group names, membership, or messages — groups do not exist on our server
• Who sent a message to whom — sealed-sender delivery makes all traffic indistinguishable
• Voice or video call content — encrypted end-to-end using Insertable Streams
• File contents — encrypted on your device before upload
• Your private keys or recovery phrase — generated and stored on your device only

The limited data we collect is used exclusively to:

• Operate the Service — route encrypted messages, maintain your mailbox, facilitate key exchange
• Prevent abuse — enforce access code rate limits, respond to reports of prohibited content
• Comply with legal obligations — respond to valid legal process (see Section 08)

We do not use your data for advertising, analytics, profiling, or any purpose other than operating the Service.

• Encrypted messages — automatically purged from server mailboxes after 30 days. Disappearing message timers (if set) are enforced client-side within the encrypted payload.
• Encrypted files — retained until expiry (30 days) or until deleted by the sender
• Account data — retained for the lifetime of your account. Upon account termination, public keys and prekeys are deleted. Your handle is held for 90 days to prevent impersonation, then released.
• Access code records — retained indefinitely for abuse prevention and financial reconciliation

> Paddle

Paddle.com Market Limited acts as our Merchant of Record for access code purchases. Paddle collects and processes payment information subject to their own privacy policy. We receive only a transaction reference ID and one-way hashes for rate limiting.

> Cloudflare

Our infrastructure runs on Cloudflare Workers, Durable Objects, D1, and R2. Cloudflare processes connection-level data (IP addresses, TLS metadata) as part of normal network operations. Cloudflare does not have access to the content of encrypted messages or files.

We do not sell, rent, or share your data with any other third parties. We do not use third-party analytics, tracking pixels, or advertising networks.

The Etoee website and applications do not use tracking cookies, analytics scripts, or third-party trackers. Session authentication uses cryptographic tokens stored locally on your device, not browser cookies.

We may disclose the limited data described in Section 02 in response to valid legal process (subpoenas, court orders, search warrants). Due to our zero-knowledge architecture, data available to provide is limited to:

• Account creation date
• Access code used during registration
• Connection timestamps
• Message delivery timestamps (not content, not sender)

We cannot provide message content, contact lists, group information, file contents, or call recordings because this data is end-to-end encrypted and we do not possess the decryption keys.

We publish a quarterly transparency report detailing all law enforcement requests received.

Etoee is not intended for use by anyone under the age of 18. Registration requires an age affirmation. We do not knowingly collect data from minors. If we become aware that a user is under 18, their account will be terminated.

If you are located in the European Economic Area, United Kingdom, or Switzerland:

> Legal basis

We process account data and technical data on the basis of legitimate interest (operating the Service) and contractual necessity (providing the Service you requested). Payment processing by Paddle is based on contractual necessity.

> Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to lodge a complaint with your local data protection authority.

Due to our minimal data collection and zero-knowledge architecture, there is very little personal data to act upon. Your handle is your only user-chosen identifier, and we cannot link it to your real-world identity. To exercise your rights, contact us at the address in Section 13.

> Data transfers

Our infrastructure operates on Cloudflare's global network. Data may be processed in any country where Cloudflare operates edge nodes. Cloudflare maintains appropriate safeguards for international data transfers.

If you are a California resident:

• We do not sell your personal information
• We do not share your personal information for cross-context behavioral advertising
• We do not use sensitive personal information for purposes other than providing the Service
• You have the right to know what personal information we collect, to delete it, and to opt out of its sale (though we do not sell it)

The categories of personal information we collect are limited to identifiers (your handle) and internet activity information (connection timestamps). We do not collect real names, email addresses, phone numbers, geolocation, biometric data, or browsing history.

All messages, files, and calls are encrypted end-to-end using the Signal Protocol (X3DH + Double Ratchet) for direct messages and Sender Keys for group messages. Authentication uses FIDO2/WebAuthn passkeys. Infrastructure runs on Cloudflare's edge network with TLS encryption in transit.

Our primary security measure is architectural: we minimize the data we hold so that even in the event of a breach, there is minimal useful information to compromise.

For privacy-related inquiries, data subject requests, or questions about this policy, contact us at:

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.