Privacy Policy
Last updated: 2025-01-15
This Privacy Policy describes how SpeakEasy ("we," "us," or "our") collects, uses, and handles your information when you use our applications and services.
What we collect
We collect the minimum data necessary to operate the service. Specifically, we collect connection metadata when you use SpeakEasy:
- IP address — recorded when you connect to our relay servers.
- Connection timestamps — when you connected and disconnected.
- Socket events — connection lifecycle events (connect, disconnect, error).
- Encrypted packet sizes — the size of packets relayed, not their content.
- Account data — email address and hashed password if you create an account.
What we do not collect
Due to the end-to-end encrypted design of SpeakEasy, we cannot collect and do not collect the following:
- Message content — all messages are end-to-end encrypted with AES-256-GCM.
- Call audio or video — call media is encrypted before leaving your device.
- Identity keys — your ML-DSA-65 identity key is generated on your device and never sent to us.
- Who you are communicating with — the relay server routes by session token, not user identity.
- Your contact list — contact data is stored locally on your device.
- Message metadata beyond packet sizes (e.g., we do not record message frequency or recipient identifiers).
How we use the data we collect
Connection metadata is used solely for:
- Abuse prevention and rate limiting
- Diagnosing server and network issues
- Security incident investigation
We do not use connection metadata for advertising, profiling, or any purpose other than operating the service securely.
Data retention
Connection logs (IP address, timestamps, socket events) are retained for a maximum of 30 days and then permanently deleted. They are not backed up beyond this window.
Account data (email, hashed password) is retained until you delete your account. You can delete your account at any time from the app settings, which permanently deletes your account data.
Data sharing
We do not sell your data. We do not share your data with advertisers or data brokers.
We may disclose connection metadata to law enforcement if required by a valid legal process (subpoena, court order, or equivalent). We will notify you of such requests unless legally prohibited from doing so.
Third-party services
We use Cloudflare for network infrastructure and DDoS mitigation. Cloudflare's privacy policy governs their handling of network-level data.
We do not use Google Analytics, Facebook Pixel, or any third-party tracking services. We use Cloudflare Web Analytics, which processes analytics data on Cloudflare's network without cookies or cross-site tracking.
Self-hosted servers
If you use a self-hosted Community Server operated by a third party, that server operator's privacy practices apply to connection metadata logged by their server. We have no visibility into third-party server logs.
Your rights
You have the right to request a copy of any data we hold about you, to request correction of inaccurate data, and to request deletion of your account and associated data. Contact us at privacy@speakeasy.app for data requests.
Changes to this policy
We will update this page and the "last updated" date if this policy changes materially. Continued use of the service after a policy change constitutes acceptance of the updated policy.
Contact
Privacy questions: privacy@speakeasy.app