Privacy Policy

Last updated: May 2026

Architectural Commitment

Tunnel's privacy model is structural, not contractual. Communication content is encrypted end-to-end before it leaves your device. The server processes only opaque ciphertext. We cannot access your messages, and no change in policy can alter this architectural guarantee.

Information We Collect

Account Information

Account creation requires only a username and passkey registration. No phone number, email address, or personal information is required.

Operational Data

We collect only the minimal technical data needed to operate the service: device tokens for message delivery, connection timestamps, and basic server logs. This data is retained only as long as operationally necessary and is never used for profiling or analytics.

Information We Cannot Access

Message content — encrypted end-to-end

Contact lists — encrypted client-side before optional sync

Communication patterns — excluded by architecture

Location data — not collected

Address book data — not scanned or uploaded

Advertising or tracking identifiers — do not exist

Encryption Architecture

All messages, voice communications, and shared files are encrypted using a hybrid X3DH key agreement (X25519 + ML-KEM-768, FIPS 203) and the Double Ratchet protocol with AES-256-GCM. Encryption keys are generated on-device and never leave it. Server compromise does not expose communication content. Privacy is protected by mathematics, not by policy.

Encrypted Vault

The Vault stores notes, passwords, identity documents, and files. Vault content is encrypted on your device with an AES-256-GCM key derived from your identity private key via HKDF-SHA-256 (salt: tunnel-vault-v1, info: vault-aead). The derived Vault key, like the identity private key it is derived from, never leaves your device.

Server-side multi-device sync stores only opaque ciphertext and a 12-byte nonce. Even with full server access, the operator cannot decrypt Vault content. Deletions are propagated as tombstones; the original ciphertext is purged.
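As an added illustration, not Tunnel's own code, the Go program below walks through the Vault construction described in this section: HKDF-SHA-256 with the stated salt and info turns the identity private key into a 32-byte AES-256-GCM key, each item is sealed under a fresh 12-byte nonce, and the (nonce, ciphertext) pair is all the sync server ever receives. The HKDF is written out against RFC 5869 rather than imported so the example runs on the Go standard library alone. Assumptions not stated on the page: the identity private key is handled as 32 raw bytes (the value here is a constructed stand-in), no associated data is bound to a record, and the final tamper check is included only to show that the stored bytes cannot be altered or read without the on-device key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Derivation parameters exactly as stated in the policy.
const (
	vaultSalt = "tunnel-vault-v1"
	vaultInfo = "vault-aead"
	keySize   = 32 // AES-256-GCM key length
)

// hkdfSHA256 is RFC 5869 HKDF (extract-then-expand) over HMAC-SHA-256.
func hkdfSHA256(ikm, salt, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("hkdf: invalid output length")
	}
	if len(salt) == 0 { // RFC 5869: an empty salt means HashLen zero bytes
		salt = make([]byte, sha256.Size)
	}
	ext := hmac.New(sha256.New, salt) // PRK = HMAC-SHA256(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)

	var okm, t []byte // T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)
	for i := byte(1); len(okm) < length; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length], nil
}

// DeriveVaultKey turns the identity private key into the Vault AEAD key.
// Assumption: the identity private key is supplied as raw bytes.
func DeriveVaultKey(identityPriv []byte) ([]byte, error) {
	return hkdfSHA256(identityPriv, []byte(vaultSalt), []byte(vaultInfo), keySize)
}

// VaultRecord is everything the sync server holds for one item.
type VaultRecord struct {
	Nonce      []byte // 12 bytes, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// SealVaultItem encrypts one item on-device before it is uploaded.
func SealVaultItem(key, plaintext []byte) (VaultRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return VaultRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultRecord{}, err
	}
	return VaultRecord{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenVaultItem decrypts a synced record; any modification fails the GCM tag check.
func OpenVaultItem(key []byte, rec VaultRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	identityPriv := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in, not a real key
	key, err := DeriveVaultKey(identityPriv)
	if err != nil {
		panic(err)
	}
	rec, err := SealVaultItem(key, []byte("vault note: rotate router password"))
	if err != nil {
		panic(err)
	}
	// What the server stores: opaque bytes and a nonce, no key material.
	fmt.Printf("server holds nonce=%s ct=%s\n", hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))

	pt, err := OpenVaultItem(key, rec)
	fmt.Printf("device decrypts: %q (err=%v)\n", pt, err)

	// A single flipped ciphertext byte (or a wrong key) is rejected by the tag.
	tampered := rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = OpenVaultItem(key, tampered)
	fmt.Println("tampered record accepted:", err == nil)
}
```

Run it with `go run` and note that the key derivation is deterministic (the same identity key always yields the same Vault key, so every device that holds the identity key can open synced records) while the nonce is not: re-sealing the same note produces a different record each time, which is why a 12-byte random nonce must be stored alongside each ciphertext.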

Subscription Data

Tunnel Pro purchases are processed entirely by Apple and Google. We receive a signed receipt or purchase token from the platform and store it solely for: (a) replay protection — preventing a single receipt from granting Pro to multiple accounts, (b) an audit trail, (c) future server-to-server verification with the Apple App Store Server API and Google Play Developer API.

We do not receive, see, or store payment-card information, billing addresses, or any other financial data. Refund and cancellation are handled directly by Apple or Google per their standard terms.

Data Retention

Encrypted messages are stored on the server only until delivered, then deleted. Minimal operational logs are retained for security purposes and automatically purged after 30 days. Account information is retained until account deletion.

Third Parties

We do not sell, share, or provide access to user data for any purpose. Infrastructure providers are bound by strict data processing agreements. Enterprise deployments operate on dedicated infrastructure under organizational control.

Your Rights

You have the right to access data we hold about you, request account deletion, export your data, and object to any processing. Under GDPR (EU/EEA/UK residents) you also have the right to data portability, restriction of processing, and to lodge a complaint with your supervisory authority. Under CCPA / CPRA (California residents) you have the right to know, delete, correct, and limit the use of personal information. We do not sell or share personal information under any of these definitions.

Contact privacy@tunnelmessenger.com for any privacy-related request. We respond within 30 days.

Apple & Google Data Disclosures

On Apple App Store privacy labels and Google Play Data Safety, we declare:

User content (messages, calls, files, Vault items): not collected by us — encrypted end-to-end with keys we cannot access

Identifiers (username, device ID): collected, linked to user, used only to deliver messages

Diagnostics (crash logs): not collected by default; opt-in only

Purchases (subscription receipt): collected, linked to user, used solely to verify entitlement

Contact info, location, browsing history, financial info, advertising data: not collected

Policy Changes

Material changes to this policy will be communicated through the platform. Continued use after notification constitutes acceptance. Architectural privacy guarantees — specifically end-to-end encryption and zero-knowledge server design — are not subject to policy modification.