Privacy Policy
Last updated: 8 May 2026 · This is the only policy. There is no separate one for any region.
The short version: TunnelTalk has no servers that handle your messages, no account system, no telemetry, and no logs. The only way for us to learn anything about you is if you email us. Everything below is the longer version of that same statement.
01What we collect
Nothing. TunnelTalk is designed so that the developers cannot collect data about you, even if we wanted to. Specifically, we do not:
- Run any account, login, or directory service.
- Operate any server that messages, calls, or attachments pass through.
- Embed any analytics, crash reporting, or telemetry SDK.
- Ship any third-party advertising, marketing, or social-media integration.
- Use cookies or browser storage for tracking.
Your identity in TunnelTalk is a keypair generated locally on your device. We never see the public half, and the private half never leaves your device.
02What stays on your device
The following is the entire on-disk surface of TunnelTalk:
- Identity keys — Ed25519 + X25519 keypair, encrypted with your passphrase via Argon2id and libsodium
secretstream. - Contact list — public-key fingerprints and the nicknames you give them, encrypted with the same key.
- Per-device settings — theme, idle timeout, anti-leak preferences. Never message content.
Messages, voice clips, attachments, call logs, and ratchet state live in memory only. They are wiped when the session ends — lock, close, idle timeout, or panic.
03Network requests
The TunnelTalk client makes the following network requests, and only these:
- Your I2P router — for message delivery, signaling, and (in anonymous call mode) media. Native builds embed i2pd; the web build connects to a router you run locally via SAM.
- Your peer's I2P destination — established directly through the I2P network. There is no third party that sees both ends.
- Font and icon CDNs on the marketing site only (
fonts.googleapis.com,cdnjs.cloudflare.com). The app itself bundles its assets locally and makes no CDN requests once installed.
The client does not contact any TunnelTalk-controlled server. There is no telemetry endpoint, no feature-flag service, no remote-config service, no update-check beacon. Updates are downloaded by you, manually, from a published location.
04End-to-end encryption
Every message, voice clip, attachment, and call is encrypted on the sender's device before it touches the network and decrypted only on the recipient's device. Encryption keys are derived from a Noise IK handshake between your identity key and your peer's. We could not read your messages even if a court ordered us to, because we are not in the path.
05Optional features that touch the network
A small number of features make optional, opt-in network requests. Each is documented and turned off until you turn it on:
- Out-of-band key sharing via QR scan uses the device camera locally; no images leave the device.
- Address-book lookup — not implemented and not planned. There is no directory.
- Push notifications — not used. The native client polls only when foregrounded; the web client cannot receive push without leaking metadata to a notification service we will not run.
06What we cannot protect against
Privacy software has limits. TunnelTalk's are written down on purpose:
- Endpoint compromise. If your device is compromised — malware, physical access, a coerced unlock — no encrypted messenger can save you.
- Screenshots in a browser. Web browsers do not expose an API to block OS-level screen capture. The app watermarks the view to make a leaked image identifiable, but the capture itself cannot be prevented in the web build. The Android and desktop builds use OS facilities (
FLAG_SECUREand equivalents) where available. - Recipient behaviour. If the person you are messaging chooses to screenshot, photograph, or transcribe the conversation, no protocol can prevent it.
- Reverse engineering. Any code that runs on your device can be read. We minify, obfuscate, and ship crypto in WebAssembly to raise the cost — but the security of TunnelTalk does not depend on its source being secret.
07Children's privacy
TunnelTalk does not knowingly collect any data from anyone of any age, because it does not collect data at all. There is nothing for us to delete or correct because there is nothing for us to hold.
08Changes to this policy
If anything in this policy changes, the change will be reflected on this page with an updated date. There is no mailing list; the policy is the policy that ships with the version of TunnelTalk you are using.
09Contact
If you have questions about this policy or about TunnelTalk's privacy posture more broadly, email tunneltalk@grangedev.io. That mailbox is read by humans; it is not a ticketing system. Sensitive disclosures should ideally be sent via TunnelTalk itself once you have it set up.