Privacy Policy

Last updated: April 1, 2026

1. Introduction

Gosip ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our messaging and social platform.

2. Information We Collect

  • Phone Number: Used only for verification via OTP. We do not share your phone number.
  • Profile Information: Name, username, avatar, and bio that you choose to provide.
  • Messages: Encrypted end-to-end using the Signal Protocol. We cannot read your messages.
  • Contacts: Phone numbers are hashed locally using SHA-256 before being sent to our servers. Raw phone numbers never leave your device.
  • Device Information: Device type and OS version for session management, and Ed25519 public keys for authentication.
  • Usage Data: Buzz/sip creation counts and community participation, used for health score calculation.

3. End-to-End Encryption

All direct messages are encrypted using the Signal Protocol (X3DH key exchange + Double Ratchet algorithm). Messages are encrypted on your device before transmission and can only be decrypted by the intended recipient. Our servers only see encrypted ciphertext.

4. Device-Bound Authentication

Gosip uses device-bound authentication instead of passwords. An Ed25519 key pair is generated on your device during registration. Your private key never leaves your device. All API requests are signed with your device key.

5. Data Retention

  • Messages auto-delete after 30 days (configurable by subscription plan)
  • Buzzes expire based on your plan: Free (30 days), Basic (90 days), Pro (180 days), Premium (365 days)
  • Account data is retained until you delete your account
  • Inactive follows are automatically removed after 6 months

6. Contact Discovery

Gosip uses a privacy-preserving contact discovery system. Your phone contacts are hashed locally using SHA-256 with a rotating salt (changes every 24 hours). Only hashed values are sent to our servers. We cannot reverse-engineer phone numbers from these hashes.

7. Third-Party Services

  • SMS Providers: Twilio/Sociair for OTP delivery
  • Firebase: Push notification delivery only
  • Convex: Serverless backend for real-time messaging
  • Neon: PostgreSQL database for social features

8. Your Rights

You can:

  • Export your data at any time
  • Delete your account and all associated data
  • Control who sees your last seen, profile photo, and about status
  • Block and report other users

9. Contact Us

For privacy-related questions, contact us at privacy@gosip.app