Privacy policy
Plain-English statement of what Obsidian does and does not collect. Obsidian is a privacy-first, end-to-end-encrypted messenger for a handful of close friends (max 5). This describes the current behaviour of the app + relay — not aspirations. The precise, skeptic-facing version, including what we cannot hide, is the threat model.
This is a self-authored policy for a personal project, distributed as a sideloaded APK (no app stores). It is not legal advice.
The short version
Your messages and media are end-to-end encrypted — only you and your friend can read them. The cloud relay stores ciphertext only and deletes everything after 24 hours. Your private keys never leave your device. What the relay does see is the bare minimum needed to deliver a message: an opaque delivery token (not your identity) and roughly when — and even that is wiped within 24 hours. It does not see who sent a message, or who it is for.
What is stored, and where
On the relay — your account
These profile fields live on the relay so friends can find and message you. They are not end-to-end encrypted — the relay can read them:
| Field | Why | Optional? |
|---|---|---|
| Login identifier | The identifier you sign in with | Required |
| Username + code | Your username#1234 handle, so friends can find you | Set at signup |
| Display name | The name friends see | Optional |
| Phone number | Only if you enter one | Optional |
| Public key | Shared by design so friends can encrypt to you | Set at signup |
| Push token | So the relay can send a "new message" push | Optional |
| Theme preference | Your colour theme (cosmetic) | Optional |
| Avatar | Profile image | Optional |
On the relay — messages & media (ephemeral, ≤24h)
- Content: stored as ciphertext only (AES-256-GCM; the key is wrapped with your friend's RSA-2048 public key). The relay cannot decrypt it.
- Sender: not stored. The sender's identity is sealed inside the encrypted envelope ("sealed sender") — the relay never has a sender field to read.
- Recipient: routed by an opaque, rotating mailbox token, not a user ID. The relay matches the token to deliver, but the token → user mapping exists only on devices, so the relay sees an unlabelled token, not who the message is for.
- What the relay still sees (honest caveat): the opaque token, the ciphertext, and roughly when a message arrived — for up to 24 hours. It also sees the IP addresses that connect to it and message sizes. So it can observe that traffic is flowing to some token, and when, but never what, from whom, or to which person. The full list of residual leaks (and the one moment friendships briefly show — see below) is in the threat model.
- Automatic deletion: an hourly job wipes all messages and media (database records and stored files) 24 hours after creation. Mailbox routing tokens are not message data and are not wiped on this schedule.
On your device only — never sent to the relay
- Private keys — in the OS secure store.
- Decrypted message history — in an encrypted local database (SQLCipher).
- Your contacts / friends — friendships are local; there is no server-side friends graph.
What Obsidian never collects
- The plaintext of any message or media file.
- Your private keys or any decrypted data.
- A persistent social graph (who your friends are). Friendships live on your device; the only server trace is a short-lived friend-request record naming both accounts, deleted once both sides sync — so the relay can glimpse that two accounts became friends at that moment, but keeps no standing list. (Detailed in the threat model.)
- Analytics, advertising identifiers, location, or behavioural tracking.
Push notifications
A push contains no message content — only a generic title/body ("New message" / "You have a new encrypted message") plus the message's ID, so the app can fetch and decrypt it on-device.
Third parties
Fly.io runs the relay container and Cloudflare R2 stores encrypted media blobs — both receive only ciphertext + the routing metadata above. Expo's push service delivers the content-free notification described above. No data is sold or shared with advertisers.
This website
obsidianchat.in serves static files. It sets no cookies, runs no JavaScript, embeds no analytics, and makes no third-party requests. The host (GitHub Pages) may keep standard server logs (IP, user agent) like any web host; we add nothing on top.
Your control
- Deleting your account removes your relay profile; messages are auto-deleted within 24 hours regardless.
- Decrypted history lives only on your device — uninstalling the app permanently deletes your local history.
Contact
Questions about this policy: contact@obsidianchat.in.