No real-world identity
No name, email, phone number, address, date of birth, or government ID is ever requested or stored. Account creation is local on your phone.
01
Who runs this
The owned relay and this website are operated by an individual hobbyist from the European Union. For data-protection correspondence, including the formal identity of the controller required by Article 13(1)(a) GDPR, write to owned@spitzbub.app. owned has no employees, no investors, and no third-party processors handling user content.
02
What the relay does not have
The design points below are technical guarantees, not policies. They hold because of how the protocol works, not because the operator promises to be nice.
No message content
All message bodies, images, voice notes, and profile data are end-to-end encrypted on your device. The relay sees only ciphertext padded to a size bucket.
No sender link
Sealed-sender means every envelope on the wire carries only the recipient’s opaque per-install token. The relay does not learn who sent what to whom.
No IP address
The iOS app speaks to the relay through a Tor hidden service. The relay’s onion endpoint never sees a client IP.
No directory
There is no phonebook, no username index, no contact-discovery service. Two people pair by scanning each other’s QR codes in person.
No cookies, no analytics
This website sets no cookies, ships no JavaScript trackers, and uses no analytics provider. The page’s only network request is to the public stats JSON.
03
What the relay does process
A short, complete list of every data category the relay writes to disk, the legal basis under GDPR Art. 6, and how long it survives.
Recipient token (pseudonymous ID)
A 32-byte random identifier generated on your phone when you first onboard. Routes envelopes to your device. Legal basis: Art. 6(1)(b) — necessary to provide the service. Retention: until you reset the app or ask us to delete it.
Last-seen day
The UTC day (no time) your app most recently authenticated to the relay. Used to show inactive-contact hints to people who message you. Legal basis: Art. 6(1)(f) — legitimate interest in avoiding wasted media uploads to vanished contacts. Retention: overwritten daily; no history kept.
Apple Push Notification token
Stored only if you accept the push-notification prompt. Forwarded to Apple’s APNs each time a message arrives for you, so Apple can wake your device. Legal basis: Art. 6(1)(a) — consent. Retention: until the token is reported dead by Apple or you reset the app.
Encrypted envelope queue
Ciphertext deposited for you by your contacts. Indistinguishable from random bytes; relay cannot decrypt. Legal basis: Art. 6(1)(b). Retention: deleted on delivery or after seven days, whichever is sooner.
Prekey bundle
Public keys you publish so contacts can start a conversation with you. No private material, no personal data. Legal basis: Art. 6(1)(b). Retention: until you republish or reset the app.
Anti-replay nonce log
Each request’s nonce, briefly cached so a stolen message can’t be replayed. Legal basis: Art. 6(1)(f). Retention: five minutes, then deleted.
Aggregated daily stats
Per-day request counts and total bytes — the numbers shown on the public stats page. Contains no per-user identifiers. Retention: 30 days of rolled-up aggregates.
Server access log (operational)
The host operating system keeps short-lived logs (systemd journal) of relay process events — restart times, error backtraces — with no per-request content. Legal basis: Art. 6(1)(f). Retention: rotated by the OS, typically a week.
04
Third parties
Apple, Inc. — push notifications
If you opt into notifications, the relay sends Apple a content-free wakeup containing your APNs device token and the generic body “You got a message.” Apple processes this under its own privacy policy. Apple does not see message content, sender, or recipient handle.
Hetzner Online GmbH — relay hosting
The relay runs on a virtual server in Hetzner’s German datacenter (EU). Hetzner is a subprocessor under Art. 28 GDPR. Hetzner sees only encrypted Tor traffic on the relay’s public IP; it cannot decrypt user content.
Cloudflare — website hosting
This page is served from Cloudflare Pages. Cloudflare may briefly log request metadata for abuse prevention per its own policy. This affects only the marketing website, not the relay or app traffic.
iCloud Drive (optional, V6+)
If you enable encrypted cloud backup, your encrypted blob is stored in your iCloud Drive folder. Apple holds the ciphertext under your iCloud account’s terms; the operator of owned has no access to the file and no relationship with your iCloud storage.
05
Your rights
Under GDPR Articles 15–22 you can ask us to do the things below. Email owned@spitzbub.app including your recipient-token hex (Settings → account info in the app); we cannot identify you any other way because we hold no other identifying data.
Access (Art. 15)
We send you everything tied to your recipient token: last-seen day, push-token presence, envelope-queue size. Usually less than one screenful.
Erasure (Art. 17)
We delete every row referencing your recipient token. You can also erase yourself by uninstalling the app — the relay state ages out within a week, with the next push attempt revealing that your device is gone.
Rectification (Art. 16)
No identifying data to rectify. If your push token is stale you can simply re-register from the app, which overwrites it.
Portability (Art. 20)
Your message history lives in the SQLCipher database on your phone and (optionally) in the cloud-backup blob, both already in your possession. The relay holds no portable history.
Objection / restriction (Art. 18, 21)
Stop using owned. Disabling push and uninstalling the app produces the same effect as a formal objection; nothing further is processed.
Complaint (Art. 77)
You can lodge a complaint with your national data-protection authority. For the operator’s lead authority, contact us and we’ll name it.
06
International transfers
Relay processing happens in the European Union (Germany). Apple’s APNs is operated globally and processes pushes you opted into under Apple’s own Standard Contractual Clauses. Cloudflare Pages is an EU-routed CDN edge for this page. No other third-country transfer occurs.
07
Changes
Material changes to this notice are committed to the public source repository before they take effect. The footer below carries the date of the most recent revision. If a change alters what data is processed, the in-app onboarding flow will surface the change at next launch.