Black Line Technology Inc. ("TruCrypt", "we", "us") operates the TruCrypt iOS application (the "App"). This policy explains what we collect, how we use it, who we share it with, and your choices. Contact: privacy@gettrucrypt.com.
The defining fact of TruCrypt is that your message content is end-to-end encrypted: it is encrypted on your device and we hold no key to decrypt it. We cannot read your messages. Much of this policy follows from that.
| Message content | End-to-end encrypted. We store ciphertext only and cannot decrypt it. |
| Your private keys | Generated and stored on your device; never sent to us (except a backup you create, encrypted with a password only you know). |
| Vault files | Encrypted and stored only on your device. Never uploaded to us. |
| What we hold on our servers | Account data (email, username) and message metadata (sender/recipient IDs, timestamps, conversation/Room membership), push token, subscription tier. |
| Analytics / tracking | No tracking SDKs in the app. Our website uses cookieless analytics only (see Section 6). |
| Payment cards | We never see them. Subscriptions are processed by Apple. |
| Selling data | We do not sell your personal data. |
| Permission | Why | Leaves your device? |
|---|---|---|
| Microphone | Record voice messages. | Audio is encrypted on-device before sending; we store ciphertext only. |
| Camera | Scan a QR code to import an encryption key. | No — processed on-device. |
| Contacts | Find which contacts already use TruCrypt. | Yes — see below. |
| Face ID / Touch ID | Unlock the App / verify identity locally. | No — handled by iOS; never shared with us. |
Contacts matching. If you grant Contacts access, the App reads your contacts' email addresses and sends them to our server to check which belong to existing TruCrypt users. This is optional — you can decline and add people manually, and revoke access anytime in iOS Settings. We use these email addresses only to return matches at the time of lookup; we do not store the contacts you don't match.
To create and secure your account, deliver messages and notifications, provide subscription features, detect and respond to security events and abuse, provide support, and comply with law. We do not use your information for advertising or profiling, and we do not sell it. We do not use end-to-end encrypted content for advertising or to train models.
The TruCrypt app contains no analytics or usage telemetry, no advertising identifiers, no location data, no payment card details, and no identity/KYC documents, and uses no third-party tracking SDKs (no Sentry, Crashlytics, Firebase, Mixpanel, PostHog, Datadog, or Segment).
Our website (gettrucrypt.com) uses Cloudflare Web Analytics — a privacy-focused, cookieless tool that measures aggregate traffic and performance without using cookies, fingerprinting, or tracking you across sites. We do not use advertising or cross-site tracking cookies.
We do not sell your data. We share the minimum necessary with providers who process it on our behalf:
| Provider | Purpose | What they can access |
|---|---|---|
| Supabase (hosting, database, auth; on AWS, US) | Stores account data, message ciphertext, metadata; handles auth. | Ciphertext + metadata. Not message content. |
| OneSignal | Push notification routing. | Routing metadata + an encrypted payload blob. |
| Apple | APNs delivery; App Store / StoreKit subscriptions. | Notification transport; subscription/payment (Apple handles all card data — we never receive it). |
We may disclose information if required by valid legal process or to protect rights and safety. Because content is end-to-end encrypted, a legal request to us can only yield ciphertext and metadata — never message content.
Account data and metadata are processed and stored in the United States (AWS, us-west-2). If you are outside the US, your information is transferred to and processed in the US. Where required, EEA/UK transfers rely on the Standard Contractual Clauses in place with our subprocessors.
We protect your information through the architecture itself: end-to-end encryption of content, on-device key storage, TLS in transit, encryption at rest for our database, row-level access controls scoping data to your account, and a minimal subprocessor footprint. Even a compromise of our servers exposes ciphertext and metadata — not your message content.
The Services are not intended for persons under 18, and we do not knowingly collect personal information from children under 13 (COPPA). If you believe a child has provided us data, contact us and we will delete it.
We may update this policy and will post the new version here with a revised date. Material changes will be communicated in the App or by other reasonable means.
This policy is governed by the laws of the State of Delaware, USA. Questions or requests: privacy@gettrucrypt.com — Black Line Technology Inc., 100 Wilshire Blvd, Ste 700, Santa Monica, CA 90401, USA.