Welcome to Smoke ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use the Smoke mobile application (the "App").
Key Privacy Principles
- We collect minimal personal information
- Your messages are end-to-end encrypted
- We never sell your data to third parties
- You control your data and can delete your account at any time
Information We Collect
1. Account Information
When you create an account, we collect:
- Username: A unique identifier you choose (required)
- Display Name: An optional name that your friends see
- Public Encryption Key: Automatically generated cryptographic key used for encrypting messages sent to you
We DO NOT Collect
- Email addresses
- Phone numbers
- Real names (unless you choose to use one as your display name)
- Payment information
- Social media accounts
2. Messages and Content
- Text Messages: All text messages are end-to-end encrypted using industry-standard encryption (Curve25519-XSalsa20-Poly1305). We store encrypted message data on our servers, but we cannot read or decrypt your messages.
- Message Metadata: We store information about when messages were sent, who sent them, and who received them. This metadata is necessary for delivering messages but is not encrypted.
3. Friend Connections
- Friend Requests: We store information about friend requests you send and receive
- Friend List: We maintain a list of users you've connected with to enable messaging
- QR Codes: When you scan a friend's QR code, we process the encoded user ID but do not store the QR code image
4. Device Information
- Push Notification Token: We collect your device's push notification token (FCM/APNs token) to send you notifications when you receive messages, friend requests, or other important events
- Device Activity: We detect when screenshots or screen recordings occur while viewing messages, and notify the sender. We do not store these detections beyond sending the notification.
5. Technical Information
We automatically collect certain technical information:
- App Version: To ensure compatibility and provide support
- Crash Reports: Anonymous crash logs to help us fix bugs
- Performance Data: Anonymous metrics about app performance
How We Use Your Information
Primary Services
- Account Creation & Authentication: To create and authenticate your account
- Message Delivery: To deliver encrypted messages between you and your friends
- Push Notifications: To notify you of new messages, friend requests, and other app events
- Friend Management: To enable you to add, accept, and manage friend connections
- Screenshot Alerts: To notify senders when recipients take screenshots or screen recordings
Security & Improvements
- Fraud Prevention: To detect and prevent abuse, spam, and malicious activity
- Bug Fixes: To identify and fix technical issues
- App Improvements: To understand how the app is used and improve features
Data Storage and Security
Encryption
- End-to-End Encryption: All text messages are encrypted on your device before being sent and can only be decrypted by the recipient. We use Curve25519-XSalsa20-Poly1305, the same encryption used by Signal and other secure messaging apps.
- Private Keys: Your private encryption key is stored ONLY on your device in the iOS Keychain. We never have access to your private key.
- Public Keys: Your public encryption key is stored on our servers to allow others to send you encrypted messages.
Data Storage
We use Google Firebase to store and process your data:
- Firestore Database: Stores user profiles, encrypted messages, friend connections, and app data
- Firebase Storage: Stores photos and videos temporarily (max 48 hours)
- Firebase Authentication: Manages anonymous user authentication
- Firebase Cloud Messaging: Delivers push notifications to your device
Security Measures: All data is stored in secure Google Cloud data centers with industry-standard security measures including encryption at rest, encrypted data transmission (HTTPS/TLS), regular security audits, and access controls.
Data Retention
- Messages: Encrypted messages are automatically deleted 48 hours after being sent, regardless of whether they've been viewed
- Media Files: Photos and videos are automatically deleted 48 hours after being sent if not viewed
- Account Data: Your username, display name, and public key are stored as long as your account is active
- Friend Connections: Stored until you or your friend removes the connection
Data Sharing and Third Parties
We DO NOT
- Sell your personal information to advertisers or data brokers
- Share your messages with third parties (we can't - they're encrypted!)
- Use your data for advertising purposes
- Share your data with social media companies
- Provide your data to government agencies except when required by law
Third-Party Services We Use
Google Firebase (Google LLC)
Purpose: Cloud infrastructure, database, storage, authentication, push notifications
Data Shared: User profiles, encrypted messages, friend connections, device tokens
Privacy Policy: firebase.google.com/support/privacy
Apple Push Notification Service (Apple Inc.)
Purpose: Delivering push notifications on iOS devices
Data Shared: Device push token, notification content
Privacy Policy: apple.com/legal/privacy
Your Privacy Rights
Access Your Data
You can view all your account information within the app:
Profile → Settings → View your username, display name, and account details
Delete Your Account
You can permanently delete your account and all associated data:
- Go to Profile → Settings
- Tap "Delete Account"
- Confirm deletion
What Gets Deleted
- Your username and display name
- Your public encryption key
- All your encrypted messages
- All your friend connections
- Your push notification tokens
- Your account recovery codes
What Happens After Deletion
- Your friends will no longer see you in their friend list
- All messages you sent will become unreadable (encryption keys are destroyed)
- This action is permanent and cannot be undone
Account Recovery
- You can create account recovery codes to backup your account
- Recovery codes are encrypted and stored on our servers
- You can delete your recovery codes at any time
Data Portability
Currently, we do not offer a data export feature. If you would like a copy of your data, please contact us at support@chiseltheory.com.
Children's Privacy
The Smoke app is not intended for children under the age of 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13.
If we discover that we have inadvertently collected information from a child under 13, we will delete that information immediately.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@chiseltheory.com.
International Data Transfers
Your data may be transferred to and stored in countries other than your country of residence, including the United States, where Google Firebase servers are located.
These countries may have different data protection laws than your country. However, we take steps to ensure your data receives an adequate level of protection in accordance with this Privacy Policy and applicable laws.
By using Smoke, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How we notify you:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify you via in-app notification or push notification
- Continued use of the app after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
Security Measures
We implement industry-standard security measures to protect your data:
Technical Measures
- End-to-end encryption for text messages
- Secure key storage using iOS Keychain
- HTTPS/TLS encryption for all data transmission
- Encrypted data storage at rest
- Regular security updates and patches
Operational Measures
- Access controls and authentication
- Regular security audits
- Incident response procedures
- Employee training on data protection
Your Security Responsibilities
- Keep your device secure with a passcode/biometric lock
- Do not share your recovery codes with anyone
- Keep your app updated to the latest version
- Report security concerns to us immediately
Please note: No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the personal data we collect, use, and share
- Right to Delete: You can request deletion of your personal data (with certain exceptions)
- Right to Opt-Out: We do not sell personal information, so there is nothing to opt-out of
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at support@chiseltheory.com.
European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
Legal Basis for Processing
We process your data based on:
- Contract: To provide the services you requested (account creation, messaging)
- Legitimate Interest: To improve our services, prevent fraud, and ensure security
- Consent: For optional features like push notifications
Your GDPR Rights
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation on how we use your data
- Right to Data Portability: Request transfer of your data to another service
- Right to Object: Object to our processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at support@chiseltheory.com.
You also have the right to lodge a complaint with your local data protection authority.
Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of discovering the breach
- Describe the nature of the breach and data affected
- Provide guidance on steps you can take to protect yourself
- Notify relevant regulatory authorities as required by law
We continuously monitor our systems for potential security incidents.
Technical Details for Transparency
For technically-minded users, here are the specific details of our encryption and security implementation:
Encryption Specification
- Algorithm:
X25519 key exchange + XSalsa20 stream cipher + Poly1305 MAC (libsodium)
- Key Size: 256-bit keys
- Key Generation: Cryptographically secure random number generator (
SecRandomCopyBytes)
- Key Storage: iOS Keychain with
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Authentication
- Method: Firebase Anonymous Authentication
- Session Management: Firebase Auth tokens with automatic refresh
- No Password: Your account is tied to your device's encryption keys
Message Lifecycle
- Message encrypted on sender's device using recipient's public key
- Encrypted message sent to Firebase Cloud Firestore
- Push notification sent to recipient via Firebase Cloud Messaging
- Recipient decrypts message using their private key (stored in Keychain)
- Message automatically deleted after 48 hours
Consent
By creating an account and using the Smoke app, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.
If you do not agree with this Privacy Policy, please do not use the Smoke app.