Privacy Policy

Last updated: June 3, 2026

Quilly ("Quilly", "we", "us") is a privacy-first messaging app. This policy explains what information the app handles, how it's used, and the choices you have. We built Quilly so that we see as little of your data as possible — most importantly, we cannot read the contents of your messages.

The short version: No phone number or email is required. Your message text is end-to-end encrypted and stored on our servers only as ciphertext we cannot decrypt. We don't run ads, we don't sell your data, and we never upload your phone's address book.

1. Information we collect

Account information

A username you choose.
A password, which is stored only as a salted hash — we never store it in plain text.
An optional display name and avatar image.
Your public encryption keys, which other users need in order to send you encrypted messages. (Your private keys never leave your device.)

We do not collect your phone number or email address to create or use an account.

Messages and content

Message text is end-to-end encrypted on your device. Our servers store only the encrypted ciphertext and cannot read it.
To deliver and order messages, we necessarily process certain metadata: who is in a conversation, message timestamps, read/delivery status, and emoji reactions.
Attachments (photos, videos, voice notes, files) are transmitted over encrypted connections (TLS) and stored on access-controlled object storage, retrieved through short-lived signed links available only to conversation participants.

Contacts and invites

You add people using one-time invite tokens, not by uploading contacts. We do not access or store your device's address book.
We store the contact relationships you create within Quilly so your conversations work across sessions.

Device and technical information

A device identifier and optional device name, so you can manage which devices are signed in.
If you enable notifications, a push token from Apple (APNs), Google (FCM), or Expo, plus your platform (iOS or Android), so we can deliver notifications.
Basic presence data such as online status and last-seen time, and limited technical logs needed to operate and secure the service.

2. How we use information

To deliver your messages and keep conversations in sync.
To send notifications you've enabled.
To authenticate you and keep your account and the service secure.
To prevent abuse, spam, and fraud.

We do not use your information for advertising, and we do not sell it.

3. Encryption

Message contents are protected with hybrid, post-quantum end-to-end encryption — a classical X25519 key exchange combined with ML-KEM-768. Your private keys are generated and stored on your device and are never sent to us. A recovery phrase (and optional passphrase) lets you — and only you — restore access on a new device.

Because we never hold your private keys, we cannot read your messages and cannot recover them for you if you lose your recovery phrase. Please keep it somewhere safe.

4. How information is shared

We don't sell your personal information. We rely on a small number of infrastructure providers who process data on our behalf so the app can function:

Hosting and database — our application servers and PostgreSQL database (hosted on Railway).
Object storage — for attachments you send (Wasabi).
Push notifications — Apple, Google, and Expo, to deliver notifications to your device.

We may also disclose information if required by law, or to protect the rights, safety, and security of our users and the service.

5. Data retention and deletion

Messages and content remain available until deleted. You can delete messages for yourself, or delete them for everyone in a conversation.
You can delete your account at any time from within the app. When you do, we delete your account and associated data, including your messages, contacts, devices, and push tokens.
Some information may persist briefly in backups or logs before being removed in the ordinary course of operations.

6. Your rights and choices

Depending on where you live, you may have rights to access, correct, export, or delete your personal information (for example, under the GDPR or CCPA). You can exercise the core of these rights directly in the app (editing your profile, deleting messages, or deleting your account), or by contacting us using the details below.

7. Children

Quilly is not directed to children under 13 (or the minimum age required in your country), and we do not knowingly collect personal information from them.

8. Security

We use end-to-end encryption for message contents, encryption in transit (TLS), hashed passwords, and access controls to protect your information. No method of transmission or storage is completely secure, but we work to protect your data and improve our safeguards over time.

9. Changes to this policy

We may update this policy from time to time. When we make material changes, we'll update the "Last updated" date above and, where appropriate, notify you in the app.

10. Contact us

Questions about this policy or your data? Email us at [email protected].