Privacy Policy

Veils is built on a zero-knowledge architecture. We collect the absolute minimum data required to operate the service: • Phone Number: Used solely for account registration and identity verification via one-time passwords. We do not store your phone number in association with your messages. • Public Keys: Your cryptographic public keys are stored on our servers to facilitate key exchange with other users. Private keys never leave your device. • Encrypted Messages: Messages in transit are stored temporarily as encrypted blobs that our servers cannot decrypt. They are deleted once delivered. • No Message Content: We cannot read your messages. The encryption keys exist only on your devices. • No Contacts: We do not upload or store your contact list. • No Metadata Logs: We do not log who communicates with whom, when, or how often.

The limited data we collect is used exclusively for: • Delivering encrypted messages between users • Facilitating cryptographic key exchange • Verifying account ownership during registration • Maintaining service availability and security We do not use your data for advertising, profiling, analytics, or any purpose beyond operating the messaging service. We do not sell, share, or monetize user data in any form.

• Location: All server infrastructure is located in Switzerland, subject to Swiss Federal Data Protection Act (FADP) and the Swiss Federal Act on Data Protection (nDSG). • Encryption at Rest: All server-side data is encrypted at rest using AES-256. • Encryption in Transit: All connections use TLS 1.3 with additional Noise Protocol encryption. • Local Storage: On-device data is stored in a SQLCipher-encrypted database (AES-256-CBC). • Key Management: Private keys are generated and stored exclusively on your device. They are never transmitted to our servers. • Data Retention: Encrypted messages are stored only until delivery, then permanently deleted. We maintain no message archives.

• We do not share data with third parties for any purpose. • We do not integrate third-party analytics, advertising, or tracking services. • We do not use third-party cloud providers for message storage. Our infrastructure is self-hosted in Swiss data centers. • Push notifications are sent through Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM) using encrypted payloads that do not contain message content.

Under Swiss data protection law and the GDPR (where applicable), you have the right to: • Access: Request a copy of any personal data we hold about you. • Rectification: Request correction of inaccurate personal data. • Deletion: Request deletion of your account and all associated data. This is immediate and irreversible. • Portability: Export your data in a machine-readable format. • Objection: Object to any processing of your personal data. • Withdrawal: Withdraw consent at any time by deleting your account. To exercise any of these rights, contact us at privacy@veils.app.

For privacy-related inquiries: • Email: privacy@veils.app • Jurisdiction: Switzerland • Data Protection: Swiss Federal Data Protection and Information Commissioner (FDPIC) This privacy policy was last updated on February 2026.