This privacy policy applies to the Secure Chats app for iOS (iPhone and iPad), together with any related services operated by Secchats Ltd (collectively, the "Application"). Secchats Ltd is hereby referred to as the "Service Provider". For the Android edition of the app, see the Android privacy policy.

The Application collects information when you download and use it. This information may include:

• Your device's Internet Protocol address (used to transport messages)
• The display name you choose at registration, and the opaque user ID the Service Provider's server assigns to you
• The text and image messages you send and receive, transported as ciphertext (see "End-to-end encryption" below)
• Photos you explicitly attach to a message via the in-app image picker
• The iOS version and device model your installation reports as part of standard HTTP request metadata
• The pages of the Application that you visit, the time and date of your visit, and the time spent on those pages

The Application does not request your phone number, email address, or contacts. The Application does not access location services. The Application does not use Apple's advertising identifier (IDFA) and does not request App Tracking Transparency permission.

Text and image messages you send through the Application are encrypted on your device under a key derived from an Elliptic Curve Diffie-Hellman exchange with the recipient, using AES-256-GCM. The Service Provider's server stores only the ciphertext and cannot read the plaintext content of your messages. The on-device database is additionally wrapped in an AES-256-GCM layer keyed on a per-install secret so that loss or seizure of the device does not automatically disclose your message history.

The Application requests the following iOS permissions only at the moment they are needed:

• Camera — used solely to scan a QR code generated by another user to join a group chat. The Application does not record video and does not transmit camera frames off-device.
• Photo Library — used solely to let you pick an image to send as an encrypted message. The Application does not browse your photo library beyond your explicit selection.
• Notifications — used to display local banners for new messages, friend requests, and group invitations while the Application is alive. The Application does not use Apple Push Notification service (APNs); no push tokens are collected.

You may revoke any of these permissions at any time in the iOS Settings app under Settings > Privacy & Security, or in the per-app permission screen under Settings > Secure Chats.

The Application ships an Apple-format PrivacyInfo.xcprivacy manifest declaring every Required-Reason API it accesses and every data category it collects. This file is included in the application bundle and is auditable by Apple, by on-device privacy tooling, and by you.

The Application does not embed third-party analytics SDKs, advertising SDKs, or tracking pixels. The Application does not use cookies. The Service Provider does not perform cross-app or cross-website tracking of you on iOS. The Privacy Manifest reflects this: NSPrivacyTracking is set to false.

You may request access to, correction of, or deletion of your personal data held by the Service Provider. To exercise these rights, or to withdraw consent where processing is based on consent, contact the Service Provider at admin@secchats.com.

If you are a California resident, you have the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising these rights. The Service Provider does not sell or share personal information for cross-context behavioural advertising. To exercise your CCPA/CPRA rights, contact the Service Provider at admin@secchats.com.

The Service Provider may use the information you provide to send important information, required notices, and, where permitted by law, marketing communications.

For a better experience while using the Application, the Service Provider may require you to provide certain personally identifiable information, including but not limited to Secchats Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. The information the Service Provider requests will be retained and used as described in this privacy policy.

The Application does not transmit your personal information to third-party services. The Application's only network destination is the Service Provider's server at secchats.com, and the bytes transmitted are end-to-end ciphertext as described above. Distribution and crash diagnostics provided by Apple (App Store Connect, Xcode Organizer crash reports) are governed by Apple's own privacy terms.

The Service Provider may transfer personal data to countries outside your country of residence, including outside the European Economic Area (EEA). Where applicable law requires safeguards for international transfers, the Service Provider will use appropriate mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions or other legally recognized transfer mechanisms
• Your consent, where required and legally permitted

Data protection laws in other countries may differ from those in your jurisdiction. Where required by law, the Service Provider will apply appropriate safeguards and obtain any consent required for the transfer.

The Service Provider may disclose User Provided and Automatically Collected Information:

• as required by law, such as to comply with a subpoena, or similar legal process;
• when they believe in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
• with their trusted services providers who work on their behalf, do not have an independent use of the information the Service Provider discloses to them, and have agreed to adhere to the rules set forth in this privacy statement.

To request deletion of your personal data, to withdraw consent, or to exercise any of your rights, contact the Service Provider at admin@secchats.com.

The Service Provider retains personal data based on its necessity for the stated purposes:

• User Provided Data: Retained for the duration of your use of the Application plus 12 months thereafter, unless longer retention is required by law
• Encrypted message ciphertext awaiting delivery: Retained only until successful delivery to the recipient device, plus a short grace window for retry
• Automatically Collected Data: Retained for up to 24 months from collection, unless longer retention is required for legal compliance
• Aggregated and Anonymized Data: Retained indefinitely as it no longer identifies you
• Data required for legal compliance: Retained as long as required by applicable law

You may request deletion of your personal data, subject to any legal obligation to retain it. If you want the Service Provider to delete User Provided Data submitted through the Application, please contact them at admin@secchats.com. Please note that some User Provided Data may be required for the Application to function properly.

The Application is not intended for children under 16 years of age, or such higher age as required by applicable law. The Service Provider does not knowingly solicit data from children or market the Application to them. The Service Provider does not use Apple's Ask to Buy or Family Sharing features as a basis for processing children's data.

The Service Provider is concerned about safeguarding the confidentiality of your information. End-to-end encryption (AES-256-GCM under an ECDH-derived shared secret) protects message content in transit. An additional AES-256-GCM layer protects message content at rest on your iOS device. The Service Provider provides physical, electronic, and procedural safeguards to protect information the Service Provider processes and maintains.

If a data breach occurs that affects your personal data, the Service Provider will notify you in accordance with applicable legal requirements, including, where required, providing information about the nature of the breach and the steps being taken to address it.

The Service Provider may update this Privacy Policy from time to time. The Service Provider will notify you of material changes by posting the updated Privacy Policy with an effective date. Where required by law, the Service Provider will seek your consent to material changes before they take effect.

Previous versions of this Privacy Policy will be maintained and made available upon request by contacting the Service Provider at admin@secchats.com.

This privacy policy is effective as of 2026-06-14

Where processing is based on consent, you provide that consent by affirmatively opting in to the relevant feature or action (for example, by granting the Camera permission to scan a QR code, or by granting the Photo Library permission to attach an image to a message). You may withdraw consent at any time without affecting processing carried out before withdrawal. Processing based on other lawful bases is carried out as described above.

If you have any questions regarding privacy while using the Application, or have questions about the practices, please contact the Service Provider via email at admin@secchats.com.