Privacy Policy

Last updated: January 6, 2026

The short version: Gossamer doesn't want your personal information. No phone number. No email. No name. You're just a random ID on a device.

What We Collect, generated by the app itself on first start.

Random account ID
Cryptographic public key

And Also

Your messages
Push token (opt in per thread)

What We Never Collect

Phone numbers
Email addresses
Names or usernames
Contacts or address book
Location data
Advertising IDs
Browser fingerprints

Ghost Accounts

When you first open Gossamer, a "ghost account" is created automatically. This is a technical session account containing only:

A randomly generated identifier
A cryptographic key pair

Ghost accounts contain NO personal data and cannot be linked to your real identity by us.

How We Use Data

Your data is used exclusively to:

Deliver messages between you and your connections
Send push notifications (only if you enable them)
Respond to valid legal requests

Data Sharing

We do not sell, rent, or share your data with third parties for marketing or advertising. We do not display ads. We do not track you across apps or websites. We do not use analytics SDKs.

We may share data with law enforcement when legally required.

Data Retention

Active Data:

Messages: Stored while the thread is active
Ghost accounts: Stored while you use Gossamer
Push tokens: Stored while notifications are enabled
Connection tokens: Single-use, expire after 24 hours

After Deletion:

For legal compliance and abuse prevention, deleted data is retained in a secure archive before permanent deletion:

Data Type	Retention Period
Account data	90 days
Message content	180 days
Message metadata	365 days
Abuse reports	365 days

After retention periods expire, data is permanently deleted unless under legal hold.

Law Enforcement & Legal Requests

We may disclose account data when required by law, such as in response to:

Valid subpoenas
Court orders
Search warrants
Emergency requests involving imminent harm

Because we don't collect personal information, we can only provide what we have: random account IDs, cryptographic keys, message content, and timestamps. We cannot identify users by name, phone, or email—we don't have that information.

Abuse Prevention

Gossamer is private, not lawless.

We take abuse seriously and maintain the ability to:

Restrict or ban accounts that violate our terms
Review reported threads to investigate abuse
Cooperate with law enforcement for serious violations

Privacy protects you from data harvesting and tracking. It does not protect bad actors from consequences.

Your Rights

You can delete your account and all associated data at any time from within the app.

Since we don't have your email or phone number, we can't identify you to respond to external data requests. Your ghost account is the only record we have.

Security

All API requests are cryptographically signed using Ed25519
Messages are transmitted over HTTPS
Device credentials are stored in encrypted secure storage

Changes to This Policy

We may update this policy as the service evolves. Continued use of Gossamer after changes constitutes acceptance.

Contact

Questions about privacy? Email privacy@gossamer.chat