Veil LogoVeilApp

Privacy Policy

Last updated: May 2026

1. Introduction

VeilApp ("Veil", "we", "us", or "our") is a privacy-first communication platform. This Privacy Policy explains how we collect, use, store, and protect information when you use the VeilApp mobile application and related services (collectively, the "Service"). By using VeilApp, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Our Privacy Principle

Privacy is not an add-on at VeilApp — it is foundational. We designed VeilApp so that personal identifiers are not required to communicate. You do not need to provide a phone number, email address, or any personally identifiable information to create an account and begin using the Service. Your identity on VeilApp is cryptographic, not personal. Your VeilID is generated locally on your device and serves as your presence on the platform — not your personal information.

3. Information We Do Not Collect

  • Phone numbers (not required for account creation or use)
  • Email addresses (not required for account creation or use)
  • Contact lists or address books
  • Location data or GPS coordinates
  • Behavioural profiles or usage analytics for advertising
  • Message content (messages are end-to-end encrypted; we store only ciphertext)
  • Biometric data (biometric lock settings are processed locally on your device)

We do not monetise user data. We do not sell behavioural profiles. We do not operate advertising networks or integrate third-party ad SDKs.

4. Information We Collect

We collect the minimum information necessary to operate the Service:

a) Account Information

When you create an account, your device generates a cryptographic identity (VeilID). We store your VeilID and your chosen alias (display name). If you voluntarily provide additional profile information, that information is stored on our servers.

b) Encrypted Message Data

Messages are stored as encrypted payloads consisting of ciphertext, a nonce, and a version field. We cannot read, access, or decrypt message content. Plaintext never touches our servers — not in transit, not at rest.

c) Device Information

We collect limited device metadata necessary for device attestation, session management, and security enforcement (such as device revocation in workspaces). This does not include device identifiers used for advertising.

d) Subscription Information

If you subscribe to a paid plan, payment processing is handled by third-party payment processors. We store your subscription status and plan type to manage feature access. We do not store full payment card details on our servers.

e) Usage Metadata

We may collect limited operational metadata such as timestamps of message delivery and read receipts, typing indicator state, and connection events. This data is used solely to operate the Service and is not used for profiling or advertising.

5. How We Use Information

  • To provide, maintain, and improve the Service
  • To manage your account and subscription status
  • To enforce security policies (device revocation, abuse prevention, rate limiting)
  • To facilitate real-time communication (message delivery, call signaling, typing indicators)
  • To enforce workspace and group policies set by administrators
  • To maintain audit logs for workspace governance (admin actions only, sanitised for safety)
  • To prevent abuse, fraud, and platform manipulation

6. Encryption and Security

VeilApp employs a multi-layered security architecture: • End-to-end encrypted messaging — message payloads are encrypted on your device before transmission. Our servers store only ciphertext. • Device-bound cryptographic identity — your key material is generated and managed locally on your device. • Encryption epoch rotation — group and workspace encryption keys are rotated automatically when membership changes, ensuring forward secrecy. • Device attestation — we verify device integrity as part of our admission control layer. • Anti-automation protections — proof-of-work challenges and intelligent rate limiting protect against coordinated abuse. • Secure enclave key storage — where supported by your device hardware, keys are stored in the secure enclave. We do not implement backdoors. We cannot decrypt your messages, and we have architected the system so that we do not need to.

7. Identity and Anonymity

VeilApp supports multiple identity modes: • Real identity (optional) — you may choose to associate your real name with your account. • Alias identity — communicate under a chosen alias without revealing personal information. • Ghost mode — operate with maximum anonymity. • Verified business identity — organisations can verify their identity through domain verification. We believe anonymity and accountability can coexist intelligently. Our admission control layer evaluates device integrity and abuse risk indicators — not your personal identity — to maintain platform safety.

8. Data Retention

We retain account data for as long as your account is active. Encrypted message data is retained in accordance with any disappearing message timers set by you or your conversation's administrator. When disappearing messages are enabled, messages are permanently deleted on schedule — enforced at the server level. If you delete your account, we will delete your account data from our active systems. Some data may be retained in encrypted backups for a limited period for operational recovery purposes, after which it is permanently purged. Workspace audit logs are retained for the duration of the workspace's existence to support administrative governance requirements.

9. Third-Party Services

VeilApp integrates with the following categories of third-party services: • Cloud storage providers — for encrypted media and file storage (e.g., Supabase, Cloudflare R2). • Real-time communication infrastructure — for voice and video call transport (e.g., Agora). • Payment processors — for subscription billing. These providers are selected for their security practices and are contractually bound to handle data in accordance with our privacy standards. We do not share your personal information with third parties for marketing or advertising purposes.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing activities
  • Data portability where technically feasible
  • Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us using the information provided below. Because VeilApp collects minimal personal data by design, many traditional data subject requests may not apply.

11. Children's Privacy

VeilApp is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has created an account, we will take steps to delete that account promptly.

12. International Data Transfers

VeilApp operates globally. Your encrypted data may be processed in jurisdictions outside your country of residence. Because message content is end-to-end encrypted and we do not collect personal identifiers, the privacy risks associated with international transfers are substantially mitigated by design. Where required by applicable law, we implement appropriate safeguards for any data transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes through the Service. Your continued use of VeilApp after any changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy or our data practices, you can reach us at: • Email: privacy@myveilapp.com • In-app: Settings → Help → Contact Us We are committed to responding to legitimate inquiries in a timely manner.