Privacy Policy

Version 1.0  ·  Last updated 2026-04-26  ·  Operator: CSB Group

The short version: Ghost Protocol is a messenger built so that the people who run the service cannot read your messages, cannot tell who you talk to, and cannot link your activity to your identity, your location, or your device. We collect almost nothing because the protocol does not transmit it. What little we do hold, we delete as soon as we can.

1. Who we are

Ghost Protocol is operated by CSB Group. The source code is open source under the AGPL-3.0-or-later license and is publicly available on GitHub. The relay server runs as a Tor-accessible service. Its address is distributed through the app only; to reduce attack surface, we do not publish it publicly.

Contact for privacy, security, and legal process: see security.txt.

2. What we do NOT collect

The architecture refuses to collect the following. Not "we promise not to" — the protocol has no place to put these fields, and the relay code has tests that fail the build if any of them are added:

  • IP addresses. Not in our access logs, not in our error logs, not in our database, not in our metrics. The relay refuses to start if a configuration would expose IP addresses to the relay process.
  • Location data. No GPS coordinates, no coarse location, no cell tower information, no Wi-Fi network names.
  • Device identifiers. No IMEI, no Android ID, no advertising ID, no fingerprinting, no installation token tied to your real identity.
  • Phone numbers, email addresses, real names. None of these appear anywhere in the protocol.
  • Contact lists. We never learn who you have added as a contact.
  • Read receipts, typing indicators, "last seen" timestamps. None of these are sent to our server.
  • Message content. Every message is encrypted end-to-end on your device before it ever leaves the phone. We hold the encrypted ciphertext for at most 7 days; we cannot decrypt it.
  • Crash reports, analytics, telemetry. No Firebase Crashlytics, no Sentry, no Google Analytics, no Mixpanel, no PostHog, no Datadog, no Segment. Any change that adds one of these is rejected at build time.

3. What we hold

The relay server holds exactly five categories of data:

| Category | Where stored | How long | What it is |
|---|---|---|---|
| Encrypted messages waiting to be delivered | Server memory only | Up to 7 days; deleted on delivery | Opaque ciphertext we cannot read |
| Public-key bundles you chose to publish | Database, on disk | Until you rotate or delete them | Public keys only — already published for anyone to fetch |
| Anonymous-inbox settings | Database, on disk | Until you disable the inbox | Two flags (on/off, difficulty) and a counter |
| Rate-limit tokens | Server memory only | Seconds to minutes | Per-public-key counters that prevent spam |
| Public software-release log | Append-only, public | Permanent | Build hashes — already public |

4. Encryption

Messages are encrypted on your device with X3DH + Kyber-768 key exchange (hybrid classical + post-quantum) and protected in transit by the Double Ratchet algorithm. Each message uses a fresh key. The relay never has access to your private keys.

The relay transport uses TLS 1.3. When you use Strict Tor mode, messages route through the Tor network to the relay's .onion address — TLS is still present end-to-end and Cloudflare is not in the path.

5. Children

Ghost Protocol is not directed at children under 13. We do not knowingly collect any information from children.

6. Changes to this policy

We will publish changes to this policy in the public GitHub repository and update the date at the top. Material changes will be noted in the release notes. The warrant canary history also records changes to what data we hold.

7. Contact

Security reports, privacy questions, and legal process: security.txt. We respond to all security reports within 72 hours.

8. Compelled disclosure

Our binding Compelled-Disclosure Policy describes exactly what we would and would not hand over under legal process. The short answer: there is almost nothing to hand over. The relay cannot produce plaintext messages, IP addresses, or contact lists because it does not hold them.