SecureChats Keyboard

Contents 1. Privacy Policy 2. How the App Works 3. Data Collection & Storage 4. Encryption & Keys 5. Permissions 6. Terms of Service 7. Disclaimer of Liability 8. Children's Privacy 9. Changes to This Policy 10. Contact

1. Privacy Policy

SecureChats Keyboard ("the App") is developed by R00tedbrain. This privacy policy explains how the App handles user data. Our core principle is simple: we do not collect, store, transmit, or have access to any of your data.

Zero Data Collection. The App does not collect any personal information, usage data, analytics, diagnostics, telemetry, crash reports, or any other form of data from its users. Period.

No Servers. The App does not connect to any server, cloud service, API, or remote endpoint. There is no backend infrastructure. All operations happen exclusively on your device.

No Third-Party SDKs. The App contains no third-party analytics, advertising, tracking, or data collection frameworks of any kind.

2. How the App Works

SecureChats Keyboard is a custom keyboard extension for iOS that provides end-to-end encrypted (E2EE) messaging capabilities directly from your keyboard. It operates as follows:

Keyboard Extension: The App installs as a custom keyboard that can be used in any text input field across iOS. It provides a standard QWERTY layout for normal typing.
End-to-End Encryption: The App implements the Signal Protocol with post-quantum Kyber (ML-KEM) key encapsulation for message encryption. Messages are encrypted on the sender's device and can only be decrypted on the recipient's device.
Key Exchange: Users exchange cryptographic identity information through a manual invite/accept process. This is done by copying and pasting encoded text — no server or intermediary is involved.
Message Encoding: Encrypted messages can be encoded using multiple formats (Base64, raw JSON, or steganographic Unicode encoding) and are inserted into the host app's text field for the user to send through any messaging platform of their choice.
Decryption: Incoming encrypted messages are pasted into the keyboard's internal interface for decryption and reading.

The App is essentially a local encryption/decryption tool. It does not send or receive messages by itself — it relies entirely on the user manually copying and pasting text through existing messaging platforms.

3. Data Collection & Storage

3.1 What We Do NOT Collect

Personal information (name, email, phone number, address, etc.)
Device identifiers (IDFA, IDFV, serial numbers, etc.)
Usage or analytics data
Keystrokes, typed text, or input data
Location data
Contacts or address book data
Photos, files, or media
Browsing history
Crash reports or diagnostics
Any data transmitted to external servers

3.2 What Is Stored Locally on Your Device

The App stores the following data exclusively on your device. This data never leaves your device and is not accessible to us or any third party:

Cryptographic Keys: Your Signal Protocol identity key pair, registration ID, and account identifiers are stored in the iOS Keychain, which is hardware-backed by the Secure Enclave on supported devices and protected by your device passcode.
Session Data: Signal Protocol session records, pre-keys, signed pre-keys, and Kyber (ML-KEM) post-quantum pre-keys are stored in the App Group container, encrypted at-rest using AES-256-GCM.
Contacts & Messages: Your E2EE contact list and message history are stored in the App Group container, encrypted at-rest using AES-256-GCM with a master key stored in the iOS Keychain.

Encryption at Rest: All sensitive files stored on disk are encrypted using AES-256-GCM. The encryption master key is a 256-bit key generated by Apple's CryptoKit framework, stored in the iOS Keychain with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection level. This means data cannot be accessed on a locked device and cannot be transferred to another device or extracted from backups.

3.3 Network Activity

The App makes zero network requests. It does not require an internet connection to function. There are no API calls, no WebSocket connections, no server pings, no update checks, and no telemetry transmissions. The App operates entirely offline.

4. Encryption & Keys

4.1 We Have No Access to Your Keys

All cryptographic key generation occurs locally on your device using established cryptographic libraries. We do not generate, store, manage, escrow, backup, or have any access to your encryption keys. There is no key server, no key recovery mechanism, and no backdoor.

4.2 Cryptographic Protocols

Signal Protocol: The App implements the Signal Protocol (Double Ratchet Algorithm, X3DH key agreement) for forward secrecy and post-compromise security.
Post-Quantum Security: The App uses Kyber (ML-KEM) key encapsulation via the PQXDH (Post-Quantum Extended Diffie-Hellman) key agreement protocol, providing resistance against future quantum computing attacks.
Storage Encryption: Local data is encrypted using AES-256-GCM via Apple's CryptoKit framework.
Keychain Protection: Identity keys are protected by the iOS Keychain, backed by the Secure Enclave hardware security module.

4.3 If You Lose Your Keys

If you uninstall the App, perform a factory reset, or otherwise lose access to your device's Keychain, your cryptographic keys are permanently lost. We cannot recover your keys, decrypt your messages, or restore your sessions. You will need to generate a new identity and re-establish sessions with your contacts.

5. Permissions

The App requests the following iOS permissions:

Full Access (Keyboard Extension): iOS requires the "Allow Full Access" permission for custom keyboards that need to access the App Group shared container (used to store encrypted data shared between the main app and the keyboard extension). The App does NOT use Full Access to transmit data over the network — it is used exclusively for local encrypted storage access. No keystrokes or typed content are recorded or transmitted.

The App does not request access to your contacts, location, camera, microphone, photos, notifications, or any other system permission.

6. Terms of Service

6.1 Acceptance

By downloading, installing, or using SecureChats Keyboard, you agree to these Terms of Service. If you do not agree, do not use the App.

6.2 License

The App is released under the GNU General Public License v3.0 (GPL-3.0). You are free to use, modify, and distribute the source code in accordance with the terms of that license. The source code is publicly available.

6.3 Intended Use

The App is intended to provide users with a tool for private, encrypted communication. You are solely responsible for how you use the App and the content of your communications. You agree to use the App only for lawful purposes and in compliance with all applicable local, national, and international laws and regulations.

6.4 Prohibited Uses

You agree not to use the App for any purpose that is illegal, harmful, or violates the rights of others. The developer does not condone and is not responsible for any illegal use of the App.

6.5 No Warranty

The App is provided "AS IS" and "AS AVAILABLE" without warranty of any kind, express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. The developer does not warrant that the App will be uninterrupted, error-free, or free of vulnerabilities.

6.6 Availability

The developer reserves the right to modify, suspend, or discontinue the App at any time without notice or liability.

7. Disclaimer of Liability

No Liability for Communications. The developer is not responsible for any messages, content, or communications created, sent, or received using the App. Users bear full responsibility for their communications.

No Liability for Data Loss. The developer is not responsible for any loss of cryptographic keys, messages, contacts, or other data resulting from device loss, App uninstallation, software updates, hardware failure, or any other cause. There is no backup or recovery service.

No Liability for Security Breaches. While the App implements industry-standard cryptographic protocols, the developer does not guarantee absolute security. The developer is not liable for any security breach, unauthorized access, or data compromise arising from vulnerabilities in the underlying operating system, hardware, third-party messaging platforms used to transport encrypted messages, or any other factor outside the developer's control.

No Liability for Misuse. The developer is not responsible for any damages, legal consequences, or harm resulting from the use or misuse of the App by any party.

To the maximum extent permitted by applicable law, in no event shall the developer be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from your use of the App.

8. Children's Privacy

The App is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect any personal information from children. Since the App collects no data from any user, no special provisions for children's data are necessary.

9. Changes to This Policy

We may update this Privacy Policy and Terms of Service from time to time. Any changes will be reflected on this page with an updated revision date. Your continued use of the App after any changes constitutes acceptance of the updated terms. Since the App makes no network requests, it cannot notify you of policy changes — we recommend periodically reviewing this page.

10. Contact

If you have any questions or concerns about this Privacy Policy, Terms of Service, or the App, you may contact the developer:

Developer: R00tedbrain
GitHub: github.com/r00tedbrain