Privacy Policy

We can't read your messages. We don't want your data.

Pre-launch draft · last updated 2026-05-28

This is a pre-launch draft. Lumes has no public users yet; the policy will be finalized, dated, and versioned before any public release. It describes how the software is built to behave — an architecture that is documented and going to independent external audit.

The short version

Lumes is end-to-end encrypted. The content of your messages, calls, and files is sealed on your device and can only be read by the people you send it to. We — and any server, ours or yours — only ever handle ciphertext. We collect as little as is physically possible to move an encrypted blob from one device to another. No ads, no trackers, no profiles.

What we cannot see

Message, call, and media content; your private keys (they never leave your device unencrypted); who you talk to (recipient identities are rotating sealed-sender hashes, not a contact directory). Lumes does not require a phone number or an email address to function.

What the relay necessarily handles

To deliver an encrypted message the server briefly handles: the ciphertext in transit (not retained after delivery); one-time pre-keys (consumed and deleted after use); a push token, only if you enable notifications; and the connection itself (an IP address exists at connect time, used to route the socket — not written to a plaintext activity log). There is no server-side message store after delivery.

Push notifications

If you enable notifications, Lumes sends data-only, encrypted pushes through Apple (APNs) and Google (FCM). Those providers see a device token and delivery metadata — never message content. You can disable push entirely; the app still works.

What we do not do

No advertising. No third-party analytics or tracking SDKs. No behavioral profiling. We do not sell, rent, or share your data — there is effectively nothing to sell, by design.

Retention & deletion

Messages are not retained after delivery. Pre-keys are one-time and deleted after consumption. Server logs are redacted (user identifiers replaced) and mostly silenced in production. On-device, disappearing messages are forward-securely deleted at expiry — the key material is zeroed, not just the text.

Legal requests

We can only produce what we actually hold: ciphertext we cannot decrypt. We do not hold your keys or any plaintext. On enterprise or sovereign deployments your organization holds the server and the keys, so any request is yours to answer under your own counsel and jurisdiction.

Your control over your data

Local data is encrypted at rest (database under AES-256; long-term secrets wrapped in PIN-bound Argon2id envelopes). You can wipe everything from the app, including a duress wipe. Because Lumes has no accounts and no server-side key escrow, losing your device and PIN means your data is unrecoverable — that is the security model, not a limitation.

Children

Lumes is not directed at children and is not intended for use by anyone under the age of digital consent in their jurisdiction.

Changes to this policy

We will update this policy as the product evolves and will record the date and version on this page. Material changes will be noted in the changelog.

Contact

Questions about privacy or this policy: gonxaa@proton.me