Privacy Policy

Last Updated: March 21, 2026

Sanctia ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web services (collectively, the "Service").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.

1. Information We Collect

1.1 Personal Information You Provide

We collect information you voluntarily provide when using our Service:

• Account Information: Full name, email address, username, and password when you create an account
• Profile Information: Phone number (optional, used for SMS check-in notifications)
• Message Content: The messages you compose for your recipients, including text, photos, and voice recordings you attach
• Recipient Information: Names and contact details (email addresses, phone numbers) of people you designate as message recipients
• Trusted Contact Information: Names and contact details of people you designate as trusted contacts for vault access or delivery confirmation

1.2 Media & Device Permissions

With your permission, the mobile app may access your device camera and photo library to let you attach images to your messages. We only access these features when you explicitly initiate an attachment action. We do not access your camera, microphone, or photo library in the background.

1.3 Automatically Collected Information

When you use our Service, we automatically collect:

• Device Information: Device type, operating system, platform (iOS/Android), and push notification tokens (via Expo Push)
• Usage Data: Check-in timestamps, app interactions, and feature usage patterns
• Log & Security Data: IP address, browser type, access times, and device fingerprint (derived from user-agent) for login history and security monitoring

1.4 Website Analytics

On our marketing website (sanctia.app), we use PostHog, a product analytics platform, to understand how visitors interact with our landing pages. PostHog may collect page views, click events, and basic browser/device information on the website only. PostHog is not used within the mobile app.

1.5 Information We Do Not Collect

We do not collect biometric data (such as facial geometry or fingerprints), precise location data (GPS coordinates), or financial information (such as credit card numbers or bank account details). We do not use advertising identifiers (IDFA or GAID) or any advertising tracking frameworks.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Send you check-in reminders via email, SMS, or push notification
• Deliver your messages to recipients when triggered
• Send you account-related communications (password resets, security alerts, email verification)
• Respond to your inquiries and provide customer support
• Monitor and analyze usage patterns to improve the Service
• Detect, prevent, and address technical issues, abuse, and security threats
• Maintain login history and security event logs to protect your account

3. Message Privacy & Encryption

We take the privacy of your messages seriously. Sanctia offers two levels of message protection:

• Standard Encryption: All messages are encrypted at rest using envelope encryption (AES-256-GCM) with keys managed through AWS Key Management Service (KMS). Messages are decrypted only when delivery is triggered.
• End-to-End (E2E) Encryption: For maximum privacy, you may enable end-to-end encryption on individual messages. With E2E encryption, your message content is encrypted on your device using a passphrase that is never sent to our servers. We store only the ciphertext and cannot decrypt E2E-encrypted messages under any circumstances.

Message attachments (photos and voice recordings) stored in our cloud storage are also encrypted. E2E-encrypted message attachments are encrypted client-side before upload.

Important: While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

4. Information Sharing & Disclosure

We may share your information in the following circumstances:

4.1 With Your Consent

We may share your information when you give us explicit consent to do so.

4.2 Message Delivery

When delivery is triggered (after missed check-ins), your messages are sent to your designated recipients via email or SMS. This is the core function of our Service.

4.3 Service Providers

We work with third-party service providers who help us operate our Service:

• Amazon Web Services (AWS): Cloud hosting, database (RDS), file storage (S3), and encryption key management (KMS)
• Resend: Email delivery service
• Twilio: SMS notification delivery
• Expo: Push notification delivery for mobile devices
• Sentry: Error monitoring and performance tracking for the mobile app and backend (may receive crash reports, performance data, and basic user identifiers such as user ID, email, and username to help us diagnose issues)
• PostHog: Product analytics for the marketing website only (not the mobile app)

These providers only have access to the information necessary to perform their functions and are obligated to maintain confidentiality.

4.4 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Advertising & Tracking

We do not serve advertisements in the Service. We do not use any advertising tracking frameworks, advertising identifiers (such as Apple's IDFA or Google's GAID), or share your data with advertising networks. We do not participate in any cross-app or cross-site tracking for advertising purposes.

In accordance with Apple's App Tracking Transparency (ATT) framework, we confirm that we do not track you across apps or websites owned by other companies for advertising or advertising measurement purposes.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide you with our Service. You may request deletion of your account and associated data at any time by contacting us.

After account deletion, we may retain certain information as required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

7. Your Rights & Choices

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your account and personal information
• Portability: Request a copy of your data in a portable format
• Opt-out: Unsubscribe from marketing communications

To exercise these rights, please contact us at support@sanctia.app.

8. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL)
• Encryption of sensitive data at rest (AES-256-GCM via AWS KMS)
• Optional end-to-end encryption for message content
• Passwords hashed using bcrypt
• Regular security assessments and updates
• Access controls and authentication requirements

9. Children's Privacy

Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using our Service, you consent to such transfers.

11. Apple & Google Platform Disclosures

Our mobile app is available on Apple's App Store and Google Play. In connection with those platforms' data privacy requirements, we disclose the following:

• We do not sell your personal data to third parties.
• We do not use your data for third-party advertising or marketing.
• We do not use Apple's IDFA or Google's Advertising ID.
• We do not integrate any third-party advertising SDKs.
• We do not collect biometric data, precise location data, or financial information.
• The data we collect (account info, message content, device tokens, crash reports) is used solely to operate and improve the Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: support@sanctia.app