someone

1. Introduction

Someone ("we," "our," or "us") operates an ephemeral messaging service that prioritizes user privacy and data minimization. This Privacy Policy explains how we collect, use, and protect information when you use our service.

Our Core Commitment: We believe privacy is a fundamental right. Our service is designed with privacy-first principles, collecting only the minimal data necessary to operate the service and provide usage insights to improve performance.

2. Information We Collect

2.1 Message Data (End-to-End Encrypted v4.0.10+)

• Message Content: Encrypted using AES-256-GCM in your browser BEFORE transmission (admin cannot decrypt)
• Encryption Key: Generated per-message in browser, stored in URL fragment, never sent to server
• Sender Name: Optional field, encrypted with message
• Server Storage: Only stores encrypted blob (unreadable without client-side key)
• Message Lifecycle: Messages automatically deleted 30 seconds after first read or 24 hours if unread
• Access Control: Each message has unique, unpredictable identifier plus encryption key requirement
• Zero Admin Access: Encryption keys never reach server, admin cannot decrypt any message

2.2 Analytics Data (Non-Personal)

We collect minimal, anonymized usage statistics to improve service performance:

• Message Statistics: Count of messages created, read, and deleted (no content)
• Message Size: Character count for performance optimization
• Sender Type: Whether sender provided a name or remained anonymous
• Timestamp: When events occurred (for usage patterns)
• IP Address Hash: SHA-256 hash of IP address (irreversible, for unique user counting)
• User Agent: Browser type and version (for compatibility)

3. How We Use Information

3.1 Message Processing

• Encrypt and temporarily store messages until accessed
• Generate unique access links for message retrieval
• Automatically delete messages after the 30-second viewing period
• Remove expired messages from storage

3.2 Analytics and Service Improvement

• Monitor service performance and reliability
• Understand usage patterns to improve user experience
• Generate daily administrative reports for service optimization
• Ensure system security and detect potential abuse

3.3 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests where required
• Protect our rights and the rights of users

4. Data Storage and Security

4.1 Encryption

• Client-Side (E2EE): All messages encrypted with AES-256-GCM in your browser before transmission
• Encryption Key: Random 256-bit key generated per-message, stored in URL fragment only
• In Transit: HTTPS/TLS encryption for all communications
• Server Storage: Encrypted blobs only (server cannot decrypt without client-side key)
• Key Security: Keys never transmitted to server, eliminating server-side decryption risk

4.2 Data Retention

• Messages: Maximum 30 seconds after first read, or 24 hours if unread
• Analytics Data: Automatically purged after 90 days
• System Logs: Minimal operational logs, purged regularly

4.3 Infrastructure Security

• Hosted on secure VPS infrastructure with regular security updates
• File-based storage with appropriate access controls
• Regular security monitoring and incident response procedures
• No database storage - reduces attack surface

4b. End-to-End Encryption (E2EE) - v4.0.10

What is E2EE and why does Someone use it?

End-to-End Encryption means messages are encrypted on your device BEFORE reaching our servers, and remain encrypted until the recipient decrypts them locally. This ensures:

• Zero-Knowledge Architecture: Someone's servers and admin cannot read message content
• True Privacy: Even if servers are compromised, encrypted messages remain unreadable
• Mandatory by Default: All messages encrypted E2EE automatically (no user choice to weaken security)
• Client-Side Key: Encryption keys generated in browser and stored in URL fragment only

How E2EE Works in Someone:

1. You write a message in your browser
2. Your browser generates a random 256-bit encryption key
3. Message is encrypted with AES-256-GCM using that key
4. Only the encrypted blob is sent to our server (server cannot read)
5. Share link includes decryption key in URL: https://someone.app/read/abc123#key=xyz789
6. URL fragment (#key=) is NOT sent to server in HTTP request
7. Recipient opens link, browser extracts key from URL and decrypts locally
8. Only recipient sees plaintext message

🔒 Admin Cannot Read: Without the URL-fragment encryption key, messages are mathematically impossible to decrypt. Admin and server have zero technical capability to read encrypted messages.

5. Data Sharing and Disclosure

5.1 No Data Sales

We do not sell, rent, or trade user data to third parties for commercial purposes.

5.2 Limited Disclosures

We may disclose information only in the following circumstances:

• Legal Requirements: When required by valid legal process (note: we cannot decrypt E2EE messages)
• Safety: To protect against harm to users or others
• Service Providers: To trusted partners who assist in service operation (under strict confidentiality)
• Business Transfer: In the event of merger, acquisition, or asset sale

5.3 Anonymous Analytics

Aggregated, anonymized usage statistics may be shared for research or service improvement purposes, but cannot be linked to individual users.

6. User Rights and Controls

6.1 Message Control

• Messages are automatically deleted - no user action required
• No message recovery possible after deletion
• Users control message content, sender identification, and encryption (always E2EE)
• URL fragment key gives recipients full control over message access

6.2 Analytics Opt-Out

While our analytics collection is minimal and anonymous, users concerned about any data collection may:

• Use browser privacy modes or VPN services
• Contact us for specific concerns
• Note that complete opt-out may affect service functionality

6.3 Data Subject Rights

Given our minimal data collection and automatic deletion:

• Access: Limited due to encryption and automatic deletion
• Deletion: Automatic after message viewing or expiration
• Portability: Not applicable due to ephemeral nature
• Correction: Not applicable - messages cannot be edited

7. International Data Transfers

Our service is hosted on secure VPS infrastructure. Data may be processed in different jurisdictions as part of normal operations. We implement appropriate safeguards to protect data regardless of location.

8. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information immediately.

9. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be prominently posted on our service. Continued use after changes indicates acceptance of the updated policy.

Version Control: This policy is versioned alongside our software releases to ensure consistency with actual practices.

10. Contact Information

For questions about this Privacy Policy or our privacy practices, please contact:

11. Legal Disclaimer

Service "As-Is": Someone is provided "as-is" without warranties of any kind. While we implement strong privacy protections, users should understand the inherent risks of digital communication.

Limitation of Liability: To the maximum extent permitted by law, we shall not be liable for any indirect, incidental, special, or consequential damages arising from use of our service.

Governing Law: This Privacy Policy is governed by applicable local laws where the service is operated.