Privacy Policy

Last updated: February 2025

Overview

Private Pigeon is designed so that we do not have access to the content of your communications. Letter bodies and attachments are end-to-end encrypted on your device. Our servers store only ciphertext and the minimal metadata required for delivery and display.

What we store

On our servers we store:

Account and device data — User identifier, device public key and fingerprint, display name, and (if you choose) a verified email address for discoverability. We do not store your device private key; it never leaves your device.
Letter metadata — Sender and recipient references, timestamps, blob references, and size information so we can deliver letters and support inbox listing. We do not store or index the plaintext of your letters.
Encrypted content — Letter bodies and attachments are stored as ciphertext. We cannot decrypt them.
Session data — Short-lived tokens and related session state for authenticated API access. Sessions can be revoked.

What we do not do

We do not read, scan, or analyze the content of your letters.
We do not use your data for advertising or profiling.
We do not provide user search or directory listings that would allow enumeration of users.
We do not sell your data to third parties.

Email

If you verify an email address, we use it only for identity and discoverability (so others can reach you by email). We may send verification codes to that address. We do not use it for marketing unless you explicitly opt in.

Data retention and deletion

We retain ciphertext and metadata as long as needed to provide the service (e.g. until a letter is deleted or an account is removed). If you want your data removed, contact us (see Contact page). We will process deletion requests in line with our technical capabilities and applicable law.

Legal and security

We may disclose data if required by law or to protect the security and integrity of the service. We do not provide voluntary access to plaintext content because we do not have it.

Changes

We may update this policy from time to time. The “Last updated” date at the top will be revised when we do. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions or requests, see the Contact page.