Privacy & Security

How Privacy Works Here

What is protected, what is not, and exactly why. No marketing language.

How Privacy Works Here

This page explains the actual privacy model. Not what sounds reassuring — what is true. Read it. You deserve to understand what you are trusting.

What is protected

Your family data

Your family tree lives on your device. Not on a server owned by us. Not in a database we control. When you export your tree, you control where that export goes. When you delete the app, your tree is gone from that device. There is no cloud backup unless you made one.

When tree data is shared between family members, it travels encrypted. The encryption key is derived from the cell secret — a random value that exists only on devices that have accepted an invitation. A third party who intercepts the transmission cannot read it.

Invitation contents

When you send an invitation over the internet (via the relay server), the invitation payload is encrypted with AES-256-GCM before it reaches the relay. The relay stores ciphertext. It cannot read the cell secret, the person ID, or any family information. Even if the relay is compromised or seized, invitation contents are not exposed.

Your identity

There is no account. No username. No email address. No phone number. The apps generate a local pseudonymous identifier on first launch. This identifier is never sent to us. It is used for cryptographic operations on your device.

If you invite someone, they can link your pseudonym to "the person who sent this invitation" — but only if they know who sent it (because you told them). We cannot link your pseudonym to you.

Communication

Direct messages between family members are end-to-end encrypted. Group chats within a family cell are encrypted for all cell members — no one outside the cell can read them.

What is not protected

Who you talk to, and when

Encrypted communication still reveals that two pseudonyms are communicating. Metadata — connection frequency, message timing, cell size — can leak information about family structure even without reading message content.

The Tor transport reduces this (your ISP does not see who you connect to), but it does not eliminate it.

Your device itself

If someone has access to your unlocked device, they have access to your tree, your messages, and everything else on your phone. Use a screen lock. Use a strong PIN. Do not hand your unlocked phone to someone you do not trust.

Encryption protects data in transit. It does not protect data from someone holding the device.

The relay server's traffic patterns

The relay server's operator (you or whoever runs your relay) can see that tokens are being posted and claimed, and approximately when. They cannot see the content. If you are running your own relay behind Tor, even the IP addresses of clients are hidden.

If you use a relay run by someone else, that operator can see traffic patterns. Choose your relay operator the same way you choose any other trusted service.

What you choose to share

If you put your real name, real birthdate, and your village in your tree — that information is there. The app does not stop you from over-sharing. Think carefully about what you enter, especially for living people.

An invitation link (token URL) can be seen by any platform you send it through — WhatsApp, SMS, your carrier. The token alone is useless without the ciphertext stored on the relay, and the ciphertext is meaningless without the token. But the fact that you sent a link to a specific relay address may be visible.

If this concerns you, use in-person QR code invitations instead.

The threat model, plainly stated

These apps are designed to protect against:

  • Corporate data harvesting — no company has your family data.
  • Platform censorship — no company can delete your tree or suspend your access.
  • Mass surveillance — mass dragnets that harvest cleartext data from servers get nothing.
  • Invitation interception — an intercepted link cannot be used to join your family cell.

These apps are not designed to protect against:

  • A determined state-level adversary with physical access to your device. If they have your phone and know what they are doing, they have your data.
  • Social engineering. If someone tricks you into generating an invitation for them and accepting it, they are in your family cell.
  • Bugs. This software is young. Security is a goal, not a guarantee.

Questions to ask yourself

Before using any feature, ask: what would it mean if this was exposed?

  • The tree data: who would be harmed if someone outside the family saw it?
  • The invitation link: who can see the link in transit? Does that matter?
  • The device: who has physical access to it?

You do not need to be paranoid. But you do need to think. This guide gives you the tools. The thinking is yours to do.