Privacy Policy
Relay is an end-to-end encrypted messenger operated by Relay Labs. This policy describes what data we collect, how we use it, and your rights. It is deliberately short and concrete.
1. What we collect
Account
- Email address, encrypted at rest with AES-256-GCM.
- Username, display name, biography (optional).
- Profile picture (optional, stored unencrypted because it is public to other users).
- Messaging public key X25519 (public by design).
- Password hashed with Argon2id. The plaintext password is never stored.
- Encrypted backup of your private key (decryptable only with your password, never readable by our servers).
Minimal activity
- Account creation date.
- Last-message timestamp (to sort conversations).
- Push notification token (to deliver notifications).
- IP addresses, transient, used only for rate limiting and abuse detection, never persisted in our databases.
What we do NOT collect
- The content of your messages, calls, voice notes, files (end-to-end encrypted, unreadable by our servers).
- Your contact list (never uploaded).
- Location, browsing history, advertising ID.
- No behavioural tracking data of any kind.
2. End-to-end encryption
Every message, call, file, and note exchanged via Relay is encrypted on your device before it leaves. The server only relays opaque bytes.
- X25519 for key exchange.
- XChaCha20-Poly1305 for authenticated symmetric encryption.
- Argon2id to derive keys from your password.
We cannot technically read the content of your communications, including in response to a legal request. We can provide authorities with the metadata listed in section 1, and nothing more.
3. Sub-processors
We use a deliberately small set of vendors:
| Vendor | Use | Data shared |
|---|---|---|
| Resend | Transactional email delivery | Recipient email address |
| Apple Push Notification Service | iOS notifications | Push token, payload |
| Google Firebase Cloud Messaging | Android notifications | Push token, payload |
| Expo | Unified proxy to APNS / FCM | Push token, payload |
| Hetzner Online GmbH | Server hosting (Germany, EU) | All our data, encrypted at rest |
No tracking tools: no Google Analytics, no Facebook Pixel. No advertising SDK.
4. Data retention
- Active account: kept for as long as you use the app.
- Account deletion: immediate deletion of all your data from our servers. Encrypted daily backups are purged within 30 days.
- Server logs: 30 days max, anonymised beyond that.
- IP addresses: not persisted beyond the request.
5. Your rights
Under the GDPR (and similar laws in your jurisdiction) you can:
- Access your data. Contact below.
- Rectify your data directly from the app, in Settings.
- Delete your account via "Delete my account" in Settings.
- Export your data. Contact below.
- Lodge a complaint with your local data protection authority.
Contact: privacy@relay-labs.xyz. We respond within 30 days.
6. Security
- All transfers use TLS 1.3.
- Passwords hashed with Argon2id (memCost 19 MB).
- Emails encrypted at rest with AES-256-GCM.
- The server has no plaintext copy of messaging private keys.
7. Minors
Relay is not intended for children under 13. If we identify an account created by a minor, we delete it.
8. Changes
Any material change to this policy will be announced in the app at least 30 days before it takes effect.
9. Contact
- General support: support@relay-labs.xyz
- Privacy and GDPR: privacy@relay-labs.xyz
