Privacy Policy

Effective date: 21 April 2026. Last updated: 21 April 2026.

This Privacy Policy explains how Signa (the “App”), an iOS application developed and operated by BlueCouchWorks (“we”, “us”, “our”), handles information when you use it. Signa is an end-to-end encrypted, peer-to-peer messenger. We have designed it so that we do not see, collect, or store the content of your messages or calls.

By installing or using the App, you acknowledge that you have read and understood this Policy. If you do not agree, please do not install or use the App.

Short version

We do not collect your messages, media, or call content. Messages are end-to-end encrypted on your device and sent directly to other participants.
We operate no server that holds your data. Signa uses Apple’s CloudKit as an untrusted relay for encrypted rendezvous information only.
We run no analytics, tracking, advertising, or behavioral profiling. There are no third-party SDKs for those purposes in the App.
Your cryptographic keys stay on your device, in the iOS Keychain, and never leave the phone that generated them.
We cannot recover your account, messages, or groups if you lose access to your device. That is a consequence of not storing your data.

Who we are

Signa is an independent application made by BlueCouchWorks. For privacy or data questions, contact privacy@bluecouchworks.com.

Information the App does not collect

The App does not collect, and we do not receive, any of the following:

The plaintext content of your messages, attachments, voice notes, or calls.
Your contact list or address book.
Your precise or coarse geolocation.
Behavioral analytics, usage metrics, or tracking identifiers used to follow you across apps or websites.
Advertising identifiers (IDFA).
Your identity from any sign-in provider beyond what Apple chooses to share when you use Sign in with Apple.

The App’s privacy manifest declares NSPrivacyTracking = false; Signa does not perform tracking as defined by Apple’s App Tracking Transparency framework.

Information handled locally on your device

The following information is stored on your device and processed only on your device. It is not transmitted to us. It may be transmitted, in encrypted form, to other devices you authorize through an invite:

Messages you send and receive (stored in an encrypted SQLite database, protected by iOS data protection).
Your chosen display name and the hue you pick for your avatar.
Your group memberships, roles, and epoch (group-key) state.
Public keys of peers you communicate with, cached for up to 24 hours.
A per-device identifier generated on first launch, used so your peers can recognize you across sessions.
Message-retention settings you choose.

Information transmitted through Apple CloudKit

To let two devices find each other without a dedicated server, Signa uses the public database of the Apple CloudKit container tied to your Apple ID as a rendezvous mechanism. CloudKit is operated by Apple under Apple’s Privacy Policy. We treat this channel as untrusted: everything Signa places on it is either a public cryptographic key, or is encrypted with a key held only by the group members.

Specifically, Signa may write to CloudKit:

Your device’s public keys (Curve25519 agreement key and Ed25519 signing key), so peers can encrypt to you and verify messages from you. No private keys are ever uploaded.
Encrypted signaling records containing WebRTC connection offers, answers, and ICE candidates, each encrypted for a specific recipient.
Encrypted presence records, so peers in the same group can locate each other by exchanging a signed, encrypted network endpoint.
Encrypted invite records, whose payload is derived from a passphrase you share out-of-band; without the passphrase the invite cannot be redeemed.
Encrypted epoch-key distribution records used to rotate group keys when membership changes.
Signed membership and revocation records so each group member has a verifiable view of who currently belongs to the group.

We do not operate or administer the CloudKit infrastructure. We cannot decrypt records whose keys we never held; we also cannot prevent Apple, as the operator, from retaining or disclosing ciphertext and associated metadata in accordance with its own policies and with lawful process addressed to Apple.

Information exchanged peer-to-peer

Once two devices discover each other through CloudKit, message content flows directly between them over a WebRTC data channel (or, when devices are on the same local network, over Apple’s Multipeer Connectivity framework). This direct channel is end-to-end encrypted with the group’s current epoch key using AES-256-GCM with authenticated associated data that binds the sender, the group, the epoch, and the message identifier. We do not see this traffic.

Third-party services

Apple Inc. — CloudKit (rendezvous), Apple Push Notification service (silent wake), and Sign in with Apple (if you choose to use it). Governed by Apple’s Privacy Policy.
Public STUN servers operated by Google (stun.l.google.com) and Cloudflare (stun.cloudflare.com), used only to discover your device’s public IP:port for WebRTC connection establishment. No message content passes through them. Their operators may log the IP addresses that contact them.

Signa embeds no advertising, attribution, analytics, or crash-reporting SDKs from any third party. Diagnostic signals we do receive come from Apple’s on-device MetricKit framework and consist of aggregated, non-identifying crash and performance headers; they contain no message content, no stack frames, no binary UUIDs, and no user content.

Data retention

Messages are retained on your device according to your retention settings. Default retention is 180 days; you can change it per group or for your account.
When you delete a message, a group, or the App itself, the corresponding local database rows and key material are deleted from your device.
Encrypted rendezvous records in CloudKit are short-lived and are deleted by the authoring device, by its peers, or by CloudKit’s own housekeeping after they are no longer needed.
Because we operate no server, we cannot retain what we never received, and we cannot produce it in response to any request.

Security

Signa uses Apple’s CryptoKit to perform cryptographic operations: AES-256-GCM for message encryption, Curve25519 for key agreement, Ed25519 for signatures, HKDF-SHA256 for key derivation, and PBKDF2-SHA256 for passphrase-based invite keys. Private keys are stored in the iOS Keychain with device-only access attributes and, where available, are protected by the Secure Enclave. Group keys rotate automatically when a member is removed, so revoked members cannot read messages sent after their removal.

No security is absolute. No system of electronic storage or transmission can be guaranteed to be 100% secure, and we cannot warrant the security of information that leaves your device. You are responsible for keeping your device, your Apple ID, and any invite passphrases you share safe from unauthorized access.

Children

Signa is not directed to children under the age of 13, and we do not knowingly handle personal information from any such user. Users in the European Economic Area and the United Kingdom must be at least 16 years old (or the minimum age at which consent to online services is valid under local law) to use the App without parental consent. If you believe a child has used the App improperly, please contact us and we will take appropriate action with respect to any information we can identify.

Your rights

Depending on where you live, you may have rights under the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA/CPRA), or similar laws, including the right to access, correct, delete, or port your personal information, and the right to object to certain processing.

Because Signa’s design means that we do not hold your personal information, most such rights are exercised locally on your device:

Access & portability — everything Signa stores on your behalf is on your device; you can inspect your messages, groups, and profile directly in the App.
Correction — you can change your display name, avatar hue, group information, and retention settings from within the App.
Deletion — you can delete individual messages, leave or delete groups, clear all messages in a group, or delete the App (which removes all local data and, over time, the associated CloudKit rendezvous records).
Objection / restriction — you can stop using the App at any time. We do not profile you.

If you would like confirmation of the above, or if you believe we have information about you and would like it deleted, contact us at privacy@bluecouchworks.com and we will respond within the timeframes required by applicable law. For data held by Apple as part of CloudKit, please contact Apple directly.

If you are in the EU/UK/EEA, you have the right to lodge a complaint with your local data protection authority.

Do-not-sell / do-not-share (CCPA). We do not sell or share personal information, as those terms are defined by the CCPA/CPRA. There is therefore nothing to opt out of.

International users and cross-border transfers

Signa is offered from the United States. If you are located outside the United States, you understand that your use of the App may involve transfer of encrypted records through infrastructure operated by Apple in jurisdictions that may offer different levels of legal protection than your country. By using the App, you consent to such transfers to the extent permitted by applicable law.

Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected in a new “Last updated” date at the top of this page and, where appropriate, announced inside the App. Continued use after the effective date of a revised Policy means you accept it.

Contact

Questions about this Policy: privacy@bluecouchworks.com.