Why Raven How It Works Features Privacy FAQ Try the Beta

Privacy Policy

65 questions answered — your data, your rules. We believe in full transparency.

Last updated: February 2026

🛡️ Our Philosophy

RAVEN is built on a simple principle: your data belongs to you. We collect the minimum information necessary to operate the service, and we will never sell, share, or monetize your personal data. No hidden terms. No data harvesting. No third-party access.

🛡️
General & Transparency
Minimal data. Maximum transparency. We collect only what's needed to deliver your messages. We never sell, share, or trade your data. Our business model is based on optional premium features, not advertising or data harvesting.
RAVEN is an independent project built by a small team focused on privacy-first communication. We are not owned by or affiliated with any advertising or data brokerage company.
Not currently. We plan to open-source the mesh networking protocol and encryption layer in the future so the community can verify our privacy claims independently.
Our servers run on Google Cloud Platform in Europe (Belgium). Data is encrypted at rest and in transit. We do not store data in countries with weak privacy laws.
Yes. We follow GDPR principles: data minimization, purpose limitation, right to erasure, and right to data portability. You can delete your account and export your data at any time.
We respond only to legally valid requests. Because messages are encrypted, we can only provide minimal metadata (account creation date, last login). We cannot provide message content.
No. We do not use tracking pixels, cross-app identifiers, or third-party analytics SDKs. We have no advertising partners and no interest in tracking your behavior.
Only essential cookies for authentication on our website. We do not use tracking cookies, analytics cookies, or any third-party cookie services.
Email privacy@raven-messager.com. We respond to all privacy inquiries within 48 hours.
Yes. Material changes will be announced via in-app notification and email (if provided). The revision date at the top of this page always reflects the latest version.
👤
Account & Registration
A username and email address. You can also sign in with Apple or Google. Profile photo and bio are optional and can be changed or deleted at any time.
Your email is used for account recovery and critical security notifications only. We never send marketing emails. Your email is encrypted at rest on our servers.
No. Your email is never displayed to other users. Only your username and optional display name are visible.
Passwords are hashed using bcrypt with a unique salt. We never store plaintext passwords. Even our team cannot recover your original password.
We receive only your name and email (with Apple's relay, if you choose to hide it). We do not access your Apple or Google contacts, photos, or other account data.
Everything: profile, messages, posts, media, friend list, group memberships, and all server-side metadata. Deletion is irreversible and completes within 30 days.
Yes. Go to Settings → Account → Download My Data. You'll receive a ZIP file containing all your messages, posts, media, and profile data.
Your messages in their chat history remain but show as "Deleted User". They cannot interact with your profile anymore.
Yes, profile photos are stored securely and encrypted at rest. They are deleted when you remove the photo or delete your account.
We store a device token for push notifications and a user-agent string for session management. We do not collect your device's unique hardware identifier, IDFA, or location.
Birth year is used only for age verification to comply with children's privacy laws (COPPA). It is not displayed publicly or shared with anyone.
💬
Messages & Chats
Messages use TLS encryption in transit and AES-256 encryption at rest on our servers. Full client-side end-to-end encryption is in active development.
Our staff does not access user messages. Messages are encrypted at rest and access is restricted by strict internal policies. With full E2EE, even server-side access is impossible.
Messages are stored until you delete them. If you delete a message, it is removed from our servers within 24 hours.
Yes. Messages are cached locally in an encrypted SQLite database for offline access. This data stays on your device only.
No. We do not scan, read, or analyze message content. Spam detection relies on metadata patterns (rate, volume), not content.
Yes. When you delete a message, it is removed from your device immediately and from our servers within 24 hours. We do not keep shadow copies.
Media is uploaded to our secure cloud storage (encrypted at rest). Files are linked to your account and deleted when you delete the message.
We retain minimal metadata (sender, recipient, timestamp) for delivery confirmation. IP addresses are not permanently logged. Metadata is purged after 90 days.
Yes. Go to Settings → Account → Download My Data to export all your messages and media as a ZIP file.
They cannot send you messages, see your online status, or view your profile. Existing messages remain in your history but can be deleted.
👥
Groups
Group names, member lists, and role assignments are stored on our servers. Group messages follow the same storage policy as direct messages.
Admins can: rename the group, change the photo, add/remove members, promote/demote roles, and reset invite links. Admins cannot read private messages.
Members can export their own messages via Settings → Download My Data. They cannot bulk-download other members' messages.
You stop receiving messages. Your past messages remain visible to group members but you can delete them before leaving.
Invite links are generated with a unique random token. They do not expire by default but can be reset by admins, which invalidates the old link.
Yes. Admins can reset the invite link at any time, which immediately invalidates the previous link.
Public groups appear in search and allow join via link. Private groups are hidden from search and can restrict link joining.
Your user ID, the group ID, a reason category, and optional description. Message content is not automatically included in reports.
📇
Contacts
Only if you explicitly enable Contact Sync in Settings. By default, contacts are never uploaded.
Contact identifiers are hashed (SHA-256) before upload. We never receive or store raw contact data from your contact list.
SHA-256 with a server-side rotating salt. The salt changes periodically and old hashes are discarded.
Hashed contacts are retained only while Contact Sync is enabled. They are deleted within 24 hours of disabling sync.
Yes. Go to Settings → Privacy → Contact Sync → Off. This is off by default.
Yes. Previously uploaded hashes are deleted from our servers within 24 hours.
Never. We do not send SMS, emails, or notifications to your contacts without your explicit action.
Only if Contact Sync is enabled. Suggestions are based on matched hashes, not raw numbers. You can disable this separately.
📝
Posts & Feed
Posts are visible to your followers by default. You can change this per-post or set a global default in Settings → Privacy.
Yes. Deleted posts and their media are removed from our servers within 24 hours. Cached copies on other devices expire naturally.
View counts are real and based on unique authenticated views. We do not inflate or estimate view numbers.
Yes, for search and discovery purposes. This index is used only within RAVEN and is not shared externally.
User-reported content is reviewed by our moderation team. We do not use automated content scanning or AI moderation on posts.
Yes. Your data export includes all your posts, comments, and associated media files.
📡
Mesh / Offline / Bridge
Encrypted message payloads, sender/recipient IDs, timestamps, and TTL counters. No personal profile data is shared.
Yes. All mesh payloads are encrypted before transmission. Relay devices cannot read the content.
A Bridge device relays messages between offline users and the server when it regains connectivity. It acts as a courier, not a reader.
No. Messages are encrypted end-to-end for mesh transfer. Relay devices only see opaque encrypted payloads.
Messages have a TTL (Time to Live) of 24 hours and a maximum of 5 hops. After either limit, the message is discarded.
Each message has a unique nonce. Devices maintain a seen-nonce cache to reject duplicates. Expired TTL messages are also rejected.
No. When your device relays messages for others, your identity is never attached to the payload. Relay devices are anonymous couriers — they cannot read the message, and neither the sender nor the recipient knows which device relayed it.
🔗
Third-Party Services
Apple (push notifications), Google (sign-in, AI features), RevenueCat (subscription management), and our cloud hosting provider.
Only when you explicitly use AI features (like 'Ask Gemini' or 'Voice Transcription'). The specific post or audio file is sent securely to Google for processing. Your private DMs are NEVER sent to AI or used to train public models.
No. RAVEN has no advertising partners, no data brokers, and no third-party tracking SDKs.
🔐
Security & Data Retention
All data is encrypted at rest using AES-256. Database volumes use full-disk encryption. Backups are encrypted with separate keys.
Server access logs are retained for 30 days for security monitoring. IP addresses are not stored beyond the active session. Device metadata is retained while your account is active and deleted within 30 days of account deletion.
No topics match your search. Try different keywords.

Questions about your privacy? Email us at privacy@raven-messager.com