Privacy Policy

Last updated: 25 May 2026 · Effective: 25 May 2026

1. TL;DR

SoulSync is a private space for two people. Your messages, voice notes, photos, and Instants are end-to-end encrypted on your device with keys we never see. Your location is shared only with your partner, and only when you choose. We don't sell your data. We don't show ads. We make money from a paid subscription (₹149/mo and up).

2. Who we are

SoulSync ("we", "us") is operated by the SoulSync team. For questions, email privacy@soulsync.app.

3. What we collect

Account data (we can read this)

• Email address (for sign-in and account recovery)
• Display name + optional username, avatar, pronouns, birthday, "love language"
• Push notification token (so we can send delivery alerts)
• Subscription status (free / Plus / Infinite)
• Couple-pairing code metadata (timestamps, who paired with whom)

Encrypted data (we cannot read this)

• Messages (text, voice notes, images, videos)
• Memory vault photos and videos
• Instants (24-hour disappearing posts)
• Time capsules (sealed messages to the future)
• Secret album contents

These are encrypted with tweetnacl box (Curve25519 + XSalsa20 + Poly1305) on your device before they leave it. Your private key lives in your phone's secure enclave (iOS Keychain / Android Keystore via expo-secure-store) and never leaves the device.

Sensor and device data (with your permission)

• Location — only if you turn on live sharing. Stored as GeoJSON points; visible only to your partner; respects your "Ghost mode" toggle.
• Battery + charging state — sampled while the app is active so the partner card on your partner's home shows "🔋 78%". Never sold; only your paired partner sees it.
• App foreground state — used for "active in chat" presence indicator. Never written to permanent logs.
• Microphone, camera, photos — only when you explicitly use voice notes, video calls, or photo upload. Files are encrypted before upload.

Operational metadata

• Crash logs (no message content, no PII other than your user ID)
• AI feature usage counts (model name, input/output character count, cost — used to enforce per-tier limits)
• Standard server logs (IP, request path, status code) retained for 30 days for abuse prevention

4. How we use it

• To deliver the service — route encrypted messages, push notifications, store encrypted media
• To keep your account secure — detect anomalous sign-ins, enforce rate limits
• To bill subscriptions — through Apple App Store and Google Play; we never see your card details
• To improve the product — aggregate, anonymous usage signals (e.g. "what % of couples use Instants weekly")

We do not use your data to train any AI model. AI features (compose-message, captions) call third-party APIs only with the prompt content you explicitly ask for, and those providers contractually do not retain data for training.

5. End-to-end encryption — what it means

When you tap "send" on a message:

1. Your phone generates a fresh nonce.
2. The plaintext is sealed with nacl.box(theirPublicKey, mySecretKey, nonce).
3. Only the resulting ciphertext + nonce reach our servers — the plaintext is mathematically inaccessible without the recipient's private key.
4. Your partner's device unwraps the ciphertext locally.

This means: even if our database were leaked, your messages would still be unreadable. We literally cannot hand your messages over in response to a subpoena, because we don't have them in any form we can decrypt.

The trade-off: if you lose your device and haven't set up any backup, prior messages are gone forever. There is no "reset password to recover messages" flow possible by design.

6. Sharing

We share data only with:

• Supabase (database + storage hosting) — they receive ciphertext, not plaintext
• Apple / Google — to deliver push notifications and process subscription payments
• OpenAI-compatible AI provider (configurable, default OpenAI) — only when you actively use AI features, only the prompt you submit
• Law enforcement — if compelled by a valid legal order. We can only provide what we have, which excludes message contents.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third party.

7. Retention

• Active account data: kept while your account exists
• Disappearing messages: deleted at expires_at (typically minutes to days)
• Instants: hard-deleted 24 hours after creation
• Location pings: rolling 7 days hot, then deleted
• Server logs: 30 days
• Account deletion: triggers cascade delete of everything within 7 days

8. Your rights

You can, from inside the app:

• Export all your data (Settings → Export)
• Delete your account (Settings → Delete account — irreversible after 7 days)
• Toggle Ghost mode (hides your location and phone status from your partner)
• Revoke device sessions

Under the GDPR (EU/UK) and India's DPDP Act, you also have the right to access, correct, delete, or restrict processing of your data, and to lodge a complaint with your local data protection authority. Contact us first at privacy@soulsync.app and we'll resolve it within 30 days.

9. Children

SoulSync is for users 13 and older (or 16+ in some jurisdictions). We do not knowingly collect data from children below the applicable age. If you're a parent and believe your child created an account, email privacy@soulsync.app and we'll delete it.

10. Changes

We'll post material changes here and notify you in-app at least 7 days before they take effect. Continued use after the effective date constitutes acceptance.

11. Contact

Privacy questions: privacy@soulsync.app
Security disclosures: security@soulsync.app
General support: hello@soulsync.app