Effective Date: March 21, 2026
Last Updated: March 21, 2026

1. Introduction

Offline Protocol, Inc. (“Company”, “we”, “us”, “our”) operates the Fernweh mobile application (“App”, “Service”). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our Service. We are committed to protecting your privacy and being transparent about our data practices. This policy is designed to comply with applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy legislation.

2. Information We Collect

2.1 Information You Provide Directly

Data Type | Purpose | Storage Location
Email address | Account creation, authentication (OTP delivery), account recovery, deletion verification | Server-side (PostgreSQL)
Phone number (optional) | Alternative authentication method, SMS-based OTP delivery | Server-side (PostgreSQL)
Username | Unique public identifier for your profile | Server-side (PostgreSQL)
Display name | Shown to other users in conversations | Server-side (PostgreSQL)
Profile biography | Optional self-description visible to connections | Server-side (PostgreSQL)
Profile picture | Optional avatar image | Cloud object storage (Hetzner, EU)
Social links (optional) | Links to X/Twitter, Telegram, Discord, website | Server-side (PostgreSQL, JSON)
Location (optional) | User-provided location coordinates for profile | Server-side (PostgreSQL)

2.2 Information Collected Automatically

Data Type | Purpose | Storage Location
Device identifier | Unique persistent device ID for push notification routing and session management | Server-side and on-device
Device model and OS version | Notification compatibility, debugging | Server-side (PostgreSQL)
App version | Feature compatibility, update prompts | Server-side (PostgreSQL)
Push notification tokens | Delivering push notifications via FCM/APNs | Server-side (PostgreSQL)
VoIP tokens (iOS) | Delivering incoming call notifications | Server-side (PostgreSQL)
IP address | Fraud prevention (waitlist), rate limiting | Server-side (PostgreSQL, limited contexts)
Platform (iOS/Android) | Platform-specific service delivery | Server-side (PostgreSQL)

2.3 Information Generated Through Use

Data Type | Purpose | Storage Location
Messages (text, media metadata) | Core messaging functionality | On-device (encrypted SQLite). Relayed through the server when mesh is unavailable; not permanently stored server-side.
Call metadata | Call routing, missed call notifications | Relay server (transient)
Connection graph | Managing your approved contacts | Server-side (PostgreSQL)
Bluetooth advertisements | Mesh peer discovery (device ID, connection slots, battery level) | Broadcast locally, not stored server-side
Message delivery status | Read receipts, delivery confirmation | On-device and relay server (transient)

2.4 Information from Third-Party Authentication

If you choose to sign in using Google, we receive:
  • Your Google account email address
  • Your Google account display name (if available)
  • A unique Google account identifier
We do not receive or store your Google password.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Operation

  • Creating and managing your account
  • Authenticating your identity via OTP codes
  • Delivering messages between users through relay infrastructure when mesh networking is unavailable
  • Routing push notifications to your device
  • Facilitating audio and video calls
  • Enabling peer discovery via Bluetooth mesh networking

3.2 Service Improvement

  • Analyzing aggregate usage patterns to improve features
  • Diagnosing technical issues and bugs
  • Monitoring service performance and reliability

3.3 Safety and Security

  • Detecting and preventing fraud, abuse, and unauthorized access
  • Rate limiting authentication attempts (maximum 10 OTP requests per email per 24 hours; maximum 1,000 API requests per IP per 15 minutes)
  • Enforcing our Terms of Service

3.4 Communication

  • Sending authentication codes (OTP) via email or SMS
  • Sending account deletion verification codes
  • Service announcements (rare, essential communications only)
We do not use your information for:
  • Selling to third parties
  • Targeted advertising
  • Profiling for marketing purposes
  • Training artificial intelligence or machine learning models

4. Data Storage and Encryption

4.1 On-Device Storage

  • Messages: Stored in an encrypted SQLite database (SQLCipher) on your device. Each user has a separate encrypted database file.
  • Authentication tokens: Stored in encrypted MMKV storage, with the encryption key held in platform-native secure storage (iOS Keychain with the AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY protection class, so the key is unavailable until the device has been unlocked once after boot and is never migrated to another device through a backup; Android Keystore).
  • Media encryption keys: Generated per-file (AES-256-GCM with 12-byte IV and authentication tag), stored alongside cached media.
  • Preferences and settings: Stored in encrypted MMKV storage on-device.

4.2 Server-Side Storage

  • User account data: Stored in PostgreSQL databases hosted on secured infrastructure.
  • Profile pictures: Stored in Hetzner Cloud object storage (EU region) accessible only via time-limited presigned URLs.
  • Authentication state: OTP codes stored temporarily in Redis with automatic expiry (10 minutes for login OTP, 15 minutes for deletion verification OTP).

4.3 Encryption in Transit

  • All communication between the App and our servers occurs over HTTPS/TLS.
  • WebSocket connections to relay servers use WSS (WebSocket Secure).
  • Mesh networking communications use MLS (Messaging Layer Security) for session-based encryption between peers.
  • Audio and video calls use end-to-end encryption through WebRTC with shared E2EE keys.
  • Media files are encrypted client-side using AES-256-GCM before upload.

4.4 What We Cannot Access

  • The content of messages stored on your device (encrypted with keys we do not hold)
  • The audio or video content of your calls (end-to-end encrypted)
  • Media files in their decrypted form (encrypted client-side before upload)
  • Your MMKV storage encryption key (held only in your device's platform-native secure key storage: iOS Keychain or Android Keystore)

5. Data Sharing and Third-Party Services

5.1 Third-Party Service Providers

We use the following third-party services to operate Fernweh:
Service | Provider | Purpose | Data Shared
Firebase Cloud Messaging | Google LLC | Push notification delivery (Android) | Device token, notification payload
Apple Push Notification service | Apple Inc. | Push notification delivery (iOS) | Device token, notification payload
LiveKit | LiveKit Inc. | Audio/video call infrastructure | Call session tokens, encrypted media streams
Google Sign-In | Google LLC | OAuth authentication | Email, name (user-initiated)
PostHog | PostHog Inc. | Product analytics | Pseudonymous usage events (numeric user ID only), masked session data (text inputs and images are masked)
Sentry | Functional Software Inc. | Error tracking and monitoring | Error reports, device info, user ID (numeric only)
Hetzner Cloud | Hetzner Online GmbH | Object storage (profile pictures, encrypted media) | Encrypted media files
SendGrid | Twilio Inc. | Email delivery (OTP codes) | Email address, OTP code
Twilio | Twilio Inc. | SMS delivery (OTP codes) | Phone number, OTP code
Courier | Courier Inc. | Fallback email delivery | Email address, email content

5.2 Analytics Practices

We use PostHog for product analytics with the following privacy safeguards:
  • Session replay: All text input fields are masked. All images are masked. We cannot read what you type or see your photos in session replays.
  • Events tracked: High-level actions only (e.g., “message sent”, “call initiated”, “profile updated”). We do not track message content, recipient identities, or call content.
  • Analytics is disabled in development builds and only active in production.
  • Identifiers: Users are identified by numeric ID only, not by email or username.

5.3 Error Tracking

We use Sentry for crash and error reporting. Error reports may include:
  • Device model, OS version, app version
  • Numeric user ID (not email or username)
  • Stack traces and error messages
  • Network request metadata (URLs, status codes, not request/response bodies)

5.4 We Do Not Share Data With

  • Advertisers or ad networks
  • Data brokers
  • Social media platforms (beyond user-initiated Google Sign-In)
  • Government agencies (unless compelled by valid legal process)
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency). We will notify you of such requests unless legally prohibited from doing so.

6. Data Retention

Data Type | Retention Period | Deletion Trigger
Account data (email, username, profile) | Duration of account + 30-day deletion grace period | Account deletion request
Messages (on-device) | Until you delete them or uninstall the App | User action
Messages (relay server) | Transient; held only until delivery, not permanently stored | Delivery or expiry
Push notification tokens | Duration of account | Account deletion or token refresh
OTP codes | 10 minutes (login) / 15 minutes (deletion) | Automatic expiry or single use
Authentication tokens | Configurable (currently set to extended duration) | Logout or account deletion
Analytics events | Subject to PostHog's retention policy | PostHog data lifecycle
Error reports | Subject to Sentry's retention policy | Sentry data lifecycle
Profile pictures | Duration of account | Account deletion or replacement
IP addresses (waitlist) | Indefinite (fraud prevention) | Manual purge

7. Account Deletion

7.1 How to Delete Your Account

  1. Navigate to Settings within the App
  2. Select “Delete Account”
  3. A verification code will be sent to your registered email address
  4. Enter the verification code to confirm deletion

7.2 Deletion Process

  • Upon verified request, your account is immediately deactivated (your profile is hidden from other users)
  • A 30-day grace period begins, during which you may cancel the deletion by logging back in
  • After 30 days, a scheduled process permanently deletes:
    • Your account record (email, phone number)
    • Your profile (username, display name, bio, social links, location)
    • Your connections to other users
    • Your device tokens
    • Your profile picture from cloud storage
    • All associated database records (cascading deletion)

7.3 Data Not Deleted by Account Deletion

  • Messages stored locally on other users’ devices (we have no access to these)
  • Anonymized analytics data that has already been aggregated
  • Data required to be retained by applicable law
  • Backup copies, which are not removed at the moment of deletion but are purged automatically within 90 days of it

8. Your Rights

8.1 For All Users

You have the right to:
  • Access your personal data through the App
  • Correct inaccurate information through your profile settings
  • Delete your account and associated data (see Section 7)
  • Withdraw consent for optional permissions (Bluetooth, camera, microphone, location, notifications) through your device settings

8.2 For European Economic Area (EEA) Residents — GDPR Rights

Under the General Data Protection Regulation, you additionally have the right to:
  • Data portability: Request a copy of your personal data in a structured, machine-readable format
  • Restriction of processing: Request that we limit how we use your data
  • Object to processing: Object to our processing of your data based on legitimate interests
  • Lodge a complaint: File a complaint with your local data protection authority
Legal basis for processing:
  • Contract performance: Processing necessary to provide the Service (account management, messaging, calls)
  • Legitimate interests: Analytics for service improvement, fraud prevention, security
  • Consent: Optional features (location sharing, Bluetooth, analytics)

8.3 For California Residents — CCPA Rights

Under the California Consumer Privacy Act, you have the right to:
  • Know what personal information we collect, use, and disclose
  • Delete your personal information (subject to exceptions)
  • Non-discrimination for exercising your privacy rights
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

8.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@offlineprotocol.com. We will respond to verified requests within 30 days (or as required by applicable law). We may request additional information to verify your identity before processing your request.

9. Children’s Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@offlineprotocol.com.

10. Bluetooth and Mesh Networking Privacy

10.1 How Mesh Networking Works

When Bluetooth is enabled and mesh networking is active, your device:
  • Advertises its presence to nearby devices using BLE (Bluetooth Low Energy) with a non-personal device identifier
  • Scans for nearby devices running the same mesh protocol
  • Relays encrypted messages between peers to extend network range

10.2 What Is Broadcast

BLE advertisements contain:
  • An application identifier (“fernweh”)
  • Connection capacity (number of available slots)
  • Battery level (percentage)
  • Uptime (minutes since app launch)
  • A device identifier (not linked to your name, email, or username)

10.3 What Is Not Broadcast

BLE advertisements do not contain:
  • Your name, email, phone number, or username
  • Your location coordinates
  • Message content
  • Your contact list or connection graph

10.4 Controlling Mesh Networking

You can disable mesh networking at any time by:
  • Turning off Bluetooth in your device settings
  • Disabling mesh networking within the App settings

11. Media and File Handling

11.1 Upload Process

When you share media (images, videos, voice messages, documents):
  1. The file is encrypted client-side using AES-256-GCM with a unique per-file key
  2. The encrypted file is uploaded to our cloud storage via a time-limited presigned URL
  3. The encryption key is shared with the recipient through the message channel
  4. Only the intended recipient can decrypt the file

11.2 File Size Limits

  • Images: 20 MB maximum
  • Videos: 100 MB maximum
  • Voice messages: 16 MB maximum
  • Documents: 100 MB maximum

11.3 Storage

Encrypted media files are stored in Hetzner Cloud object storage (EU region). Files are accessible only through time-limited presigned URLs generated on authenticated request.

12. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. Our infrastructure spans:
  • Servers: Hosted on Railway (United States)
  • Object storage: Hetzner Cloud (European Union)
  • Call infrastructure: LiveKit servers in EU, US, and Asia regions
  • Analytics: PostHog (United States)
  • Error tracking: Sentry (United States)
  • Push notifications: Google/Apple (United States)
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

13. Security Measures

We implement the following security measures:
  • Encryption at rest: All on-device data is encrypted (SQLCipher, AES-256, for the message database; encrypted MMKV for tokens and preferences)
  • Encryption in transit: All network communications over TLS/HTTPS/WSS
  • End-to-end encryption: Media files, mesh messages (MLS), and calls (WebRTC E2EE)
  • Secure key storage: Encryption keys held in platform-native secure key storage (iOS Keychain, Android Keystore)
  • Rate limiting: API requests (1,000/15min per IP), authentication (10 OTP/24hr per email), media uploads (90/hr per user)
  • JWT authentication: RS256 asymmetric signing for stateless authentication
  • One-time codes: OTP codes are single-use and expire automatically
  • Private object storage: Media accessible only via authenticated presigned URLs

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:
  • Posting the updated policy within the App
  • Sending a notification to your registered email address (for significant changes)
  • Displaying an in-app notification
The “Last Updated” date at the top of this policy indicates when it was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

15. Data Protection Officer

For privacy-related inquiries, data access requests, or complaints:
Offline Protocol, Inc.
Email: privacy@offlineprotocol.com
Website: https://offlineprotocol.com
For EEA residents, you may also contact your local Data Protection Authority.

16. Cookies

The Fernweh mobile application does not use cookies. Our authentication is entirely token-based (JWT Bearer tokens) with no server-side sessions or browser cookies. If you access any of our web properties, a separate cookie notice will apply.
By using Fernweh, you acknowledge that you have read and understood this Privacy Policy.