OTPPhone — Privacy Policy

Effective date: 2026-06-07

OTPPhone is an end-to-end encrypted messenger. This policy explains, honestly and in full, what the app and its relay server do and do not process. The guiding principle: message content is end-to-end encrypted and is never readable by us or by anyone operating the infrastructure.

Who we are

OTPPhone ("the app") is provided by Vernam Technologies ("we", "us"), based in the United Kingdom, who is the data controller for the limited processing described below. Contact: contact@vernamtechnologies.com.

The short version

We have no user accounts. You do not give us a name, email address, or phone number.
We cannot read your messages. They are end-to-end encrypted on your device and the relay only ever sees ciphertext.
The relay server unavoidably processes connection metadata (such as your IP address and who you exchange messages with) in order to deliver messages. It does not store message content.
Your messages, contacts, and keys live only on your device, encrypted. There is no cloud backup. If you lose or reset the device, that data is gone.
We run no advertising, no analytics, and no third-party tracking.

What stays on your device

The following never leaves your phone except as end-to-end encrypted ciphertext you choose to send:

Message history — stored in a database that is encrypted at rest (SQLCipher, AES-256).
Contacts — the public identifiers and local nicknames you add. Contacts are not uploaded to us and we never read your device address book.
Cryptographic keys and one-time pads — your private keys are held in the Android Keystore (hardware-backed where available) and are non-exportable. One-time pads are exchanged directly between two phones in person over Bluetooth and never touch the internet or our servers.

Backups are disabled for the app (allowBackup=false), so this data is excluded from Android cloud backup and device-to-device transfer by design.

What the relay server processes

To deliver messages between people who are not in the same place, the app connects to a relay server we operate (hosted on Fly.io in London (lhr)). The relay is a "blind" forwarder:

Processed (metadata), because delivery is impossible without it:

Your IP address and connection timestamps — used to establish and route your connection. Your IP is not written to our logs (see Logs below); it is processed at the network layer by us and our hosting provider.
Your public user identifier (a cryptographic fingerprint derived from your device's public keys — not a name, email, or phone number).
The recipient identifier, message timing, and approximate size of each forwarded message.
Your online/offline status while connected.

Not accessible to the relay:

Message content. Every message is encrypted to the recipient's device key (HPKE, X25519 + AES-256-GCM) before it leaves your phone. The relay forwards opaque ciphertext and has no key to read it. Messages you protect with the optional one-time-pad layer are encrypted a second time with key material the server has never seen.

Temporary offline queue. If a recipient is offline, the relay holds your (still-encrypted) message in memory and delivers it when they reconnect, then discards it. The queue is capped per recipient and is never written to disk; a server restart drops anything still queued.

Logs. The relay emits minimal operational logs — connection and routing events keyed by your public user identifier (for example: connect, disconnect, message routed, rate-limit hit), with timestamps — to keep the service running and to prevent abuse such as flooding. These logs do not include message content (we cannot read it) and do not record your IP address. The relay does not write logs to persistent storage; they are emitted to our hosting provider (Fly.io) and retained only transiently per that platform's defaults, not stored long-term by us.

What we do not collect

No names, email addresses, or phone numbers; no account registration.
No message content on our servers.
No advertising identifiers, analytics SDKs, or third-party trackers.
No location tracking. (See permissions below — location access exists only because Android requires it for Bluetooth scanning during the in-person pad exchange.)

Permissions and why the app asks for them

Internet / network state — connect to the relay to send and receive messages.
Notifications — alert you to new messages. You control whether previews are shown.
Foreground service (data sync) — keep the relay connection alive in the background so messages arrive promptly. Used only for message delivery.
Camera — scan a contact's QR code when you add them. No photos are taken or stored.
Bluetooth and Nearby Wi-Fi devices — exchange one-time-pad key material directly with a nearby phone, in person.
Location (approximate and precise) — Android requires location permission for Bluetooth scanning used by the in-person exchange (declared with neverForLocation where possible). We do not use it to determine or track your location, and no location data is collected or sent anywhere.
Biometric / device credential — optional app lock to require your fingerprint, face, or device PIN to open the app.

Legal bases (UK/EU GDPR)

Where GDPR or UK GDPR applies, we process the limited metadata above on the basis of: (a) performance of a contract — to deliver the messaging service you are using; and (b) our legitimate interests in keeping the service secure, reliable, and free from abuse. Message content is end-to-end encrypted and is not processed by us at all.

Sharing and sub-processors

We do not sell or rent personal data. We rely on infrastructure providers strictly to operate the service:

Fly.io — hosts the relay server (processes the connection metadata described above).
Cloudflare — serves the app's download page (for distribution outside Google Play).

On your device, the in-person exchange uses Google Play services (Nearby Connections) for Bluetooth; that interaction is local to your device and the nearby peer.

International transfers

The relay runs in London (lhr). If you connect from another country, the metadata needed to route your messages is processed there for the purpose of delivering your messages.

Data retention

Message content: never stored on our servers; retained on your device until you delete it or uninstall the app.
Offline queue: transient, in memory only, discarded on delivery or server restart.
Connection logs: not stored by the relay; emitted to the hosting platform and retained only transiently there, not long-term by us.
On-device data: under your control; uninstalling the app removes it.

Your rights

Subject to applicable law (including UK/EU GDPR), you may have the right to access, correct, or erase personal data, and to object to or restrict certain processing. Because we hold no account and no message content — only short-lived connection metadata — most of your data is on your device and within your control: deleting a conversation or uninstalling the app erases it. For requests about server-side metadata, contact contact@vernamtechnologies.com. You also have the right to complain to your local data protection authority (in the UK, the ICO).

Security

Messages are end-to-end encrypted (HPKE: X25519 + AES-256-GCM), optionally with an additional in-person one-time-pad layer. Transport to the relay uses TLS. On-device data is encrypted at rest with SQLCipher (AES-256) and keys held in the Android Keystore. No system is perfectly secure, and the relay operator can still observe metadata as described above.

Children

OTPPhone is not directed to children. You must be at least the age of digital consent in your country (for example, 13 in the United States, and 13–16 across the UK/EU) to use it.

Changes to this policy

We may update this policy; we will revise the "Effective date" above and, for material changes, provide a more prominent notice. The current version is always at https://vernamtechnologies.com/privacy.

Contact

Questions or requests: contact@vernamtechnologies.com.