Privacy Policy

Effective Date: March 14, 2026 · App Version 1.0.9+ · iOS · Android

01 Overview

Sealed is a blockchain-based, end-to-end encrypted private messaging application. This policy explains what data is collected, where it lives, who controls it, and what rights you have.

A foundational principle of Sealed's architecture is that no single party has full control over all your data. Depending on where data lives, the controller is different — and in some cases it is you, the user, alone. We explain each data category explicitly below.

02 Who We Are

“Sealed”, “we”, “us”, and “our” refers to the operator of the Sealed indexer service and application.

For the purposes of applicable data protection law, we act as the data controller only for the data stored on infrastructure we operate (the indexer server). We are not the controller of data that exists only on your device or data written to a public blockchain — that distinction is critical and explained in full below.

03 The Three Data Realms — Who Controls What

Understanding Sealed requires understanding that your data exists in up to three distinct realms, each with a different controller:

Realm A — Your Device (You are the sole controller)

The following data never leaves your device in unencrypted form and is stored in your device's secure enclave (iOS Keychain or Android Keystore):

Data | Storage Location
12-word BIP39 mnemonic (seed phrase) | Device secure storage only
Ed25519 wallet signing keypair (private key) | Device secure storage only
X25519 encryption keypair (private key) | Device secure storage only
Message plaintext / decrypted conversations | Local SQLite database on-device
Contact list (wallet addresses + usernames) | Local SQLite database on-device

We have zero access to this data. If you lose your device and your seed phrase backup, there is no recovery mechanism — no one can restore access on your behalf. You are the sole custodian.

Realm B — The Public Blockchain (No one is the controller)

Every message sent through Sealed is transmitted as a transaction on a public blockchain (currently Algorand TestNet; previously Solana devnet). By design, this data is:

  • Public — visible to anyone with access to the ledger
  • Permanent — blockchain transactions are immutable; they cannot be deleted by you, by us, or by anyone
  • Pseudonymous — tied to your wallet address, not your name or phone number

Data | Description
Encrypted message ciphertext | AES-256-GCM ciphertext; content is unreadable without your private key
Ephemeral sender public key | One-time X25519 public key per message, not your permanent identity key
Recipient tag | A 32-byte HMAC used for stealth addressing; does not directly identify you
Transaction timestamp | Block-level timestamp
Sender wallet public key | Your public wallet address (pseudonymous identity)
Optional username | If you register a human-readable username, it is written to the blockchain permanently

Because blockchain data is permanent and publicly accessible, no right of deletion or correction applies to on-chain data. You should treat any information you choose to commit to the blockchain as irreversibly public (albeit encrypted where applicable).

Realm C — Our Indexer Server (We are the data controller)

To provide real-time notifications and efficient message delivery, we operate an indexer service. This server stores the following data about you:

Data | Purpose | Retention
Wallet public address | User identity and authentication | Until account deletion or 90 days of inactivity
X25519 view (scan) private key | Allows the indexer to detect incoming messages addressed to you — without reading message content | Until account deletion or 90 days of inactivity
SHA-256 hash of view key | Lookup index | Same as above
Firebase Cloud Messaging (FCM) token | Push notification delivery | Until account deletion, token refresh, or 90 days of inactivity
Device platform (ios / android) | Notification routing | Same as FCM token
Username (if registered) | Human-readable identity | Until account deletion
Message metadata pointers | Blockchain transaction references used for sync; not message content | 30 days
Last seen timestamp | Service quality and inactivity cleanup | 90 days
IP address | Rate limiting and operational logging | Server logs rotated per standard practice (typically 7–30 days)

Regarding the view key: This is the most significant privacy trade-off in the architecture. Your X25519 scan/view private key is shared with our indexer so it can recognise messages addressed to you on-chain and deliver push notifications. The view key does not allow us to decrypt message content. Content encryption uses a separate key path. The view key allows us only to determine that a message was sent to you, not what it says.

04 Authentication

Sealed uses wallet-based authentication only. There is no email address, phone number, or password associated with your account. When authenticating to our indexer API, your app signs a time-limited challenge string with your Ed25519 wallet private key — the signing key never leaves your device.

05 Data We Do Not Collect

We explicitly do not collect:

  • Your real name
  • Email address
  • Phone number
  • Contacts from your device address book
  • Location data
  • Device advertising identifiers (IDFA / GAID)
  • Biometric data
  • Analytics or behavioural tracking data
  • Crash reports or telemetry beyond server-side operational logs

06 Third-Party Data Processors

We use one external third-party service that processes your personal data:

Google Firebase (Firebase Cloud Messaging)

  • Purpose: Delivering push notification alerts when a new message is addressed to you
  • Data shared with Google: Your FCM device token and notification payload. Notification payloads contain only the sender's wallet address and a message reference — not message content
  • Google's privacy policy: policies.google.com/privacy
  • Google's role: Independent data processor; FCM token data is subject to Google's terms

Public Blockchain RPC Endpoints

  • AlgoNode (testnet-api.algonode.cloud) — public Algorand node operated by a third party. Transactions you broadcast are by nature globally visible. No personal identifying data beyond your wallet address and message ciphertext is transmitted.

No advertising networks, analytics platforms, data brokers, or any other third parties receive your data.

07 How We Use Your Data

Data we hold on our indexer server is used exclusively for:

  1. Delivering push notifications — detecting new messages addressed to you and alerting your device
  2. Message sync — helping your app efficiently retrieve relevant on-chain messages after periods offline
  3. Rate limiting and abuse prevention — protecting the service from excessive API requests
  4. Service operation — standard logging for diagnosing failures

We do not sell, rent, or share your data with any third party for commercial purposes.

08 Data Retention and Deletion

Data Type | Automatic Retention Policy
Indexer message metadata | Deleted after 30 days
User account (view key, FCM token) | Deleted after 90 days of inactivity
Server IP logs | Rotated per operational practice
Blockchain data | Permanent — cannot be deleted
Device data | Controlled entirely by you; deleting the app removes local data

Account deletion: You may request deletion of all data we hold on our indexer by sending a signed deletion request via the app settings. We will delete your view key, FCM token, and all associated metadata within 30 days. This does not affect blockchain data.

09 Security

  • All message content is encrypted end-to-end using AES-256-GCM with per-message ephemeral keys derived via X25519 + HKDF
  • Messages are padded to a uniform 1,024 bytes before encryption to prevent length-inference attacks
  • Our indexer API uses Ed25519 signature-based authentication with signed time-limited nonces
  • HTTPS/TLS is enforced for all API communication
  • Our server uses helmet security headers and rate limiting (100 requests/minute per IP)
  • Private keys are stored in platform secure enclaves (iOS Keychain, Android Keystore)
  • Keys are zeroed in memory after use

Post-quantum encryption (upcoming): A planned upgrade will add ML-KEM-512 (Kyber-512) as a hybrid layer on top of X25519 for forward-looking quantum resistance.

10 Children's Privacy

Sealed is not directed at children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect data from children. If you believe a child has used the service, please contact us and we will delete indexer-side data promptly.

11 Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request rectification of inaccurate data (where technically possible)
  • Request erasure (“right to be forgotten”) of data held on our servers — note this cannot extend to blockchain data
  • Request portability of your indexer-held data
  • Object to processing
  • Withdraw consent at any time (e.g., disabling push notifications revokes FCM token registration)

We will respond within 30 days.

Important limitation: Rights of deletion, rectification, and erasure do not apply to data written to the public blockchain (Algorand or Solana). That data is outside our technical control by design.

12 International Data Transfers

If you access Sealed from outside the region where our indexer server is hosted, your indexer-held data may be transferred internationally. We implement appropriate safeguards in accordance with applicable law.

Public blockchain data (Realm B) is replicated globally across all blockchain nodes and is not subject to geographic data transfer restrictions.

13 Changes to This Policy

We may update this policy as the app evolves. Material changes will be communicated via an in-app notice. Continued use of Sealed after such notice constitutes acceptance.

14 Contact

For privacy-related questions, data requests, or complaints, please reach out to us. We will respond within 30 days.

If you are in the EU/EEA and believe we have violated your rights under the GDPR, you have the right to lodge a complaint with your local supervisory authority.

Sealed is designed on the principle that private communication should be verifiably private — not just by policy, but by cryptographic architecture. This privacy policy reflects that design honestly, including the trade-offs involved.