Privacy Policy

This Privacy Policy explains how unsaid collects, uses, and protects your information. By using unsaid you agree to these practices. Contact us with any questions at privacy@unsaid.to.

1. Information We Collect

  • Account data: verified phone number (E.164 format), display name, and Privy user identifier.
  • Waitlist details: email address, phone number, and submission source so we can send onboarding updates and comply with anti-spam rules.
  • Content: encrypted message bodies, VALUE trait scores, and metadata needed to deliver the service.
  • Usage: aggregate analytics events (e.g., unlock attempts, VALUE scoring success) without personal identifiers.

2. How We Use Information

  • Authenticate you with Privy and keep your account secure.
  • Deliver, score, and unlock VALUE messages across the inbox and sent tabs.
  • Maintain wallet balances, purchases, and value ledger entries.
  • Send waitlist updates, onboarding notices, and respond to requests you send us.
  • Monitor for abuse, respond to reports, and improve reliability.

3. Waitlist Communications

  • We use your phone number and email to send confirmation codes, onboarding updates, and product announcements while you are on the waitlist.
  • You can opt out of SMS at any time by replying STOP, and unsubscribe from emails via the link included in each message.
  • We log confirmation events and consent metadata (time, IP, device) to demonstrate compliance with CAN-SPAM and similar regulations.

4. Contacts & Discovery

We never upload raw contacts. The app normalizes numbers to E.164, hashes them with an HMAC salt on-device, and sends only hashes for matching. Matches are cached locally for up to 24 hours; the server discards hashes after processing.

5. Encryption & Security

Message bodies are encrypted with per-message AES-GCM keys that are wrapped and stored securely. Only authorized moderators, under audit logging, can decrypt content when a safety review is required. Said value transactions run on server-side RPCs with strict row-level security.

6. Data Sharing

We use trusted processors to run unsaid: Supabase (database), Railway (API hosting), Privy (authentication), and Sentry (error monitoring). We do not sell personal data. We share information only when legally required or to enforce our Terms.

7. Retention & Deletion

You can request deletion in-app. We aim to delete personal data within 24 hours, subject to legal holds. Value ledger records and moderation audit logs may be retained as required by law or to prevent abuse.

8. Your Rights

Depending on where you live, you may have rights to access, correct, or delete data. Contact us at privacy@unsaid.to to submit a request. We may verify your identity before responding.

9. Updates

We will post updates to this Privacy Policy on this page. Material changes will be highlighted in-app or via email when available.