Privacy Policy

Last updated: April 17, 2026

1. Overview

InVenn is a privacy-first, end-to-end encrypted messaging application. This policy describes what data we collect (almost none), how the app works, and your rights regarding your information.

2. Data We Do NOT Collect

• No account registration — no email, phone number, or personal information required
• No message content — all messages are end-to-end encrypted; the relay server cannot read them
• No contact lists — your contacts are stored only on your device
• No analytics or tracking — no usage data, no behavioral tracking, no advertising IDs
• No location data — we do not access or store your location
• No cookies — the app does not use cookies or third-party trackers

3. Data Stored on Your Device

The following data is stored locally on your device using IndexedDB storage:

• Your cryptographic identity (public/private keypair, encrypted with your passphrase)
• Your contact list and group memberships
• Message history (text, images, voice messages)
• App settings and preferences

This data never leaves your device except as encrypted messages sent to your contacts. You can delete all local data at any time by clearing your browser/app data.

4. The Relay Server

InVenn uses a relay server to deliver encrypted messages between users. The relay server:

• Temporarily queues encrypted message blobs for offline recipients (up to 30 days)
• Cannot decrypt, read, or modify message content
• Does not store messages after successful delivery
• Does not log IP addresses or connection metadata beyond what is needed for rate limiting
• Uses rate limiting to prevent abuse (connection counts per IP are stored in memory only and not persisted)

5. Encryption

All direct messages use the Double Ratchet protocol (X3DH key agreement + ratcheting) with X25519 key exchange and XSalsa20-Poly1305 authenticated encryption via libsodium. Group messages use Sender Keys with XSalsa20-Poly1305. Your private key is encrypted at rest with Argon2id key derivation from your passphrase. We have no ability to recover your passphrase or decrypt your data.

6. Encrypted Backups

If you choose to enable backup, your identity keys are encrypted with your passphrase (Argon2id + XSalsa20-Poly1305) before being uploaded to the relay server. The server stores only the encrypted blob and cannot access its contents. An optional recovery email can be associated with your backup — this is the only personally identifiable information that may be stored, and only if you choose to provide it.

7. Push Notifications

If you enable push notifications, a push subscription token is stored on the server to deliver notifications. On Android, Firebase Cloud Messaging (FCM) is used. Notification content can be configured (preview on/off). Push tokens are deleted when you unsubscribe.

8. Permissions (Android)

• Internet — to connect to the relay server
• Camera — only when you choose to take a photo to send (not accessed otherwise)
• Microphone — only when you record a voice message or make a voice call (not accessed otherwise)

9. Third-Party Services

InVenn does not integrate with any third-party analytics, advertising, or tracking services. No data is shared with third parties. The only external services used are:

• Firebase Cloud Messaging — for Android push notifications only (if enabled by the user)
• Resend — for sending email verification codes only (if you set a recovery email)

10. Children's Privacy

InVenn does not knowingly collect any personal information from anyone, including children under 13. Since no personal information is collected or stored on our servers, there is no data to identify users of any age.

11. Data Deletion

Since all your data is stored locally on your device, you have full control over it. To delete all data: clear the app's storage from your device settings, or uninstall the app. If you have a backup on the server, it is automatically deleted after 90 days of inactivity, or you can delete it manually from the app settings.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected in the app and on this page with an updated date. Continued use of InVenn after changes constitutes acceptance.

13. Contact

If you have questions about this privacy policy, you can reach us at privacy@invenn.app.