Privacy Policy
Last Updated: May 2, 2026
Overview
- No personally identifying information (email address, phone number, Apple ID, etc.) is collected at all. A random number generated inside your device is the only thing that represents you.
- The contents of your messages, photos, videos, and calls are encrypted and decrypted on your own device and your friend's device. No member of the FRIENDS operations team can view any of them.
- Deleting your account erases all of your data from our servers.
Fuller details follow.
FRIENDS (the "App") is committed to respecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we store it, and whether we share it with third parties.
1. Operator
Operator details are listed on the App Store page. Please direct inquiries through the in-app Settings → Write to us feature or the Support URL on the App Store listing.
2. No Account, No Login
The App requires no account and no login. We do not use Apple ID, email address, phone number, or any other identifier to create or access an account.
- On first launch, a random number (called a UUID — a universally unique identifier) is generated inside your device.
- This number is used only internally to identify messages and friendships, and is never linked to any external service or personal identifier.
- Multi-device sync (if desired) uses iOS iCloud Key-Value Store, which is controlled by your iOS settings. If you choose not to use iCloud, each device holds an independent identifier.
3. Information We Collect
We collect only the minimum information needed to provide the service.
3.1 Identifiers
- Internal UID: a random unique identifier (cuid format) used only within the App. It has no link to any other service.
- Device Token: an identifier used to recognize multiple devices belonging to the same user, stored in a one-way transformed form so the original device info cannot be recovered.
3.2 Message Data
- 1:1 message contents: sender/recipient UIDs, the end-to-end encrypted body (E2E = end-to-end encryption; encrypted inside the sender's device and only decryptable on the recipient's device), and timestamps. Stored in the server-side database on encrypted disks.
- Group chat messages: same structure, scoped to group IDs.
- Media (photos, videos, voice, files): stored as end-to-end encrypted bundles (blobs — encrypted binary payloads) on Cloudflare R2 cloud storage. Deleted from the server the moment delivery to the recipient completes; only undelivered items are retained for up to 72 hours and then auto-deleted (see 3.7 / 5 for details). The server only receives already-encrypted data and cannot decrypt the contents.
- Read and delivery status: recorded to support multi-device sync.
3.3 Friendships
- Which users you are currently friends with (friendships are bidirectional — both sides must confirm).
- QR-code invites you have issued and their status (not yet used, accepted, or expired).
3.4 Push Notification Tokens
Expo Push Tokens are stored so we can deliver notifications while you are offline. You can disable notifications at any time in your device settings.
3.5 Subscription Information
In-App Purchase details from the App Store (product identifier (product id), plan tier, expiration date, cancellation date). Retrieved via Apple's receipt validation API. Payment information (credit card numbers, etc.) is never passed to the App.
3.6 Reports & Blocks
- Reports: reporter UID, target UID, target type (user / message), reason, optional details, status. Our team reviews each report; if it confirms a Terms-of-Service violation, we may suspend (BAN) the target user's account or delete the offending message.
- Blocks: blocker UID, blocked UID, optional reason. Blocking is reversible — the underlying friendship is preserved while blocked, and you can unblock at any time from settings.
3.7 Location (only when you explicitly share)
The App provides an optional "Share current location" button (the map-pin icon) in the chat-screen menu. Location is never collected in the background; it is only obtained at the exact moment you tap the button and explicitly confirm sharing.
- What is collected: GPS latitude / longitude (accuracy ~10 m) and a reverse-geocoded human-readable address, generated locally on your device via iOS Core Location.
- How it is transmitted: the coordinates and address text are packaged into an ordinary end-to-end encrypted message (same as any other message), so the server only relays already-encrypted data and cannot read the location.
- How long it is stored: deleted from the server the moment delivery to the recipient completes; only undelivered messages are retained for up to 72 hours and then auto-deleted (same mechanism as other messages and media). On your device it remains in the local chat history until you delete the conversation.
- Permissions: iOS prompts for NSLocationWhenInUseUsageDescription. You can revoke the permission at any time in iOS Settings > Privacy & Security > Location Services. The App does not request or use *Always*-mode location access.
- IP-based location: we do not perform any IP-based geolocation lookups.
3.8 Consent Records
To record the fact that you accepted the Terms of Service and Privacy Policy, we store the version strings of each document and your affirmation that you are 13 years of age or older. We also record the IP address at the moment of acceptance solely for audit purposes. No other data is captured at this step.
3.9 No Personally Identifying Information Is Collected
The App does not obtain any information that could personally identify you. The following are concrete examples of such information (none of which is ever collected):
[Core personal identifiers]
- Real names, email addresses, phone numbers
- Apple ID or any other account credentials
- Credit card or bank account information
[Location & behavioral tracking]
- Background or continuous location tracking (see 3.7 for the only on-demand, explicit use of location)
- Browser history or browsing data
- Advertising identifiers (IDFA, AAID)
[Other on-device app data]
- iOS Contacts app (contact list)
- Calendars, entire photo library
4. Purposes of Use
Collected information is used only for:
1. Providing the App's functionality: message delivery, friend management, group chat, subscription features.
2. Security: preventing unauthorized access, rate limiting.
3. Moderation: responding to reports, investigating policy violations.
4. Support: responding to inquiries.
5. Service improvement: troubleshooting based on server logs (anonymized error information).
We do not use your information for advertising, profiling, or sale to third parties.
5. Storage and Protection
- Servers: hosted on Amazon Web Services (AWS) in region-partitioned deployments. Japanese users' data is stored in the Tokyo region (ap-northeast-1) and US users' data is stored in the US East region (us-east-1).
- Media storage: end-to-end encrypted data (created on-device) is stored on Cloudflare R2 cloud storage. Items are deleted from the server the moment delivery to the recipient completes; only undelivered items are retained for up to 72 hours and then auto-deleted.
- Database: PostgreSQL with disk-level encryption.
- Communication: all traffic between your device and our servers is protected by the standard web-transport encryption (TLS / HTTPS / WSS).
- Passwords: the App does not handle passwords at all (there is no login concept).
- Access control: only the operator can access the servers. No direct access is provided to any third party.
6. Third-Party Disclosure
We do not sell or otherwise share your information with third parties. The following limited exceptions exist only where strictly necessary to deliver functionality.
6.1 Push Notifications (Expo)
To deliver push notifications, your Expo Push Token and the notification title/body are passed through Expo's servers (United States). The notification body may contain up to the first 80 characters of the message as a preview. See https://expo.dev/privacy for Expo's privacy policy.
6.2 Apple Services
For In-App Purchase and Push Notifications, we exchange data with Apple via their official APIs. See https://www.apple.com/legal/privacy/ for Apple's privacy policy.
6.3 Error Monitoring (Sentry)
If the App crashes or encounters a severe error, diagnostic information may be sent to Sentry (United States). The information sent is limited to stack traces and internal UIDs. Message contents and personally identifying information are never sent.
6.4 Legal Compliance
We may disclose the minimum necessary information in response to court orders, lawful police requests, and other valid legal demands.
7. Data Retention
- Account-related information: retained until the user deletes their account.
- Messages: retained until the user deletes the conversation (deleted messages cannot be recovered).
- Media (photos, videos, files, etc.): deleted from the server immediately upon delivery; undelivered media is retained for up to 72 hours and then auto-deleted.
- Auth sessions: tokens expire automatically after their TTL (currently 7 days).
- Report records: retained for reference when responding to violations. May be retained longer if legally required.
- Block records: kept until the user explicitly unblocks.
8. User Rights
You may exercise the following rights at any time.
8.1 Right of Access
You may request to view information linked to your account. Core information — your profile, friend list, subscription status, and similar — can be viewed directly from the in-app Settings screen. For anything beyond that, please contact us through the inquiry form. Please note that the contents of your messages, photos, and videos are encrypted on-device and cannot be decrypted on the operator side, so they are not subject to disclosure.
8.2 Right to Deletion (Account Removal)
You can delete your account completely at any time through the in-app Settings → Account → Delete Account flow. All of the following are erased immediately:
- User record
- Auth sessions (all devices automatically disconnected)
- Friendships (both directions)
- 1:1 messages you sent or received
- Groups you own and group messages you sent
- Invites you sent or received
- Push notification tokens
- Reports and blocks
Difference from deleting the app from the Home Screen
Deleting the app via the Home Screen (long-press → × → Delete) is not the same as the in-app account deletion above.
- Local on-device data: Removed by Apple's standard mechanism (in-app message history, favorites, drafts, etc.).
- iCloud-synced data: Apple will automatically prompt you whether to keep the subscription and whether to delete the iCloud copy.
- Active subscription: Apple will likewise ask you whether to keep or cancel it (the app does not manage this dialog).
- Server-side data: Your internal UID, friendships, and any encrypted messages still in transit remain on the server. To remove them as well, please reinstall the app, sign in again, and use Settings → Account → Delete Account.
If you want a complete deletion, please always use the in-app Delete Account flow rather than removing the app from the Home Screen.
8.3 Right to Rectification
You can edit your display name, birthday, and similar details directly in the settings screen.
8.4 Right to Restrict Processing
You can stop push notifications at any time in your device settings.
8.5 Data Export
The App does not offer a data export feature.
9. Users Under 18
The App is not intended for users under 13 years of age (COPPA compliance). Users between 13 and 18 should only use the App with parental consent. If we learn that we have inadvertently collected information from a child under 13, we will promptly delete it.
10. Cookies and Similar Technologies
The App does not use browser cookies. For server communication we use session information (JWT tokens) that lives only inside your device, stored in the iPhone's secure keystore (iOS Keychain / SecureStore).
11. Data Storage Location and International Transfer
11.1 Region-Partitioned Data Storage
The App uses a region-partitioned server architecture based on user location:
- Japanese users' data → stored in AWS Tokyo region (ap-northeast-1)
- US users' data → stored in AWS US East region (us-east-1)
- Media files (images, videos, audio) are stored on Cloudflare R2's global delivery network (deleted upon delivery; kept for up to 72 hours if undelivered)
This means a Japanese user's personal data (profile, friend list, message envelopes, etc.) is stored only on Japan-based servers (Tokyo region).
11.2 International Friendships
When users from different regions become friends, the friendship relationship (a pair of UUIDs) is stored in both regions to keep both users' friend lists working correctly.
Specifically:
- When a Japanese user adds a US friend, the pair "your UUID + friend's UUID" is stored in both the Tokyo region AND the US East region.
- Only anonymous UUIDs are stored (no name, email address, phone number, profile picture, or any other personal information is stored).
- Message bodies are end-to-end encrypted on your device and cannot be decrypted on our servers.
11.3 Third-Party Services
Certain features (push notifications, Apple services, error monitoring) involve third-party services such as Expo (US), Apple, and Sentry (US). All such transfers are limited to what is strictly necessary to deliver the service.
12. Changes to This Policy
This policy may be updated from time to time in response to service changes or legal developments. We will notify users in-app of significant changes. The latest version is always available on this page.
13. Contact
For questions about this policy or how we handle personal information, please contact us via:
- In-app Settings → Write to us
- The Support URL listed on the App Store page