Privacy Policy
Last updated: June 10, 2026
Draft — pending final review. Wording may change before launch.
Siner is a client for the Nostr protocol. Your identity is a cryptographic keypair that you control — not an account on our servers. Siner is built to collect as little as possible: there are no ads, no analytics, and no third-party tracking. This policy explains the limited data Siner processes, what's public by design, and the choices you have.
Your keys stay with you
Your private key (your "nsec") is generated on your device and stored in the iOS Keychain, marked so it does not sync to iCloud or other devices. Siner never transmits or stores your private key in readable form — every post, message, and signature is signed on your device.
Email & account recovery
Email is optional and only used if you turn on encrypted backup. When you do, we use your email address to send a one-time verification code through our email provider (Resend). The code is single-use and expires after about 15 minutes; we don't keep your email address after that. Your backup itself is stored under a one-way hash of your email, so the stored backup is not linked to a readable address.
Encrypted key backup
If you enable backup, your key is encrypted on your device with your chosen password (PBKDF2 with 600,000 iterations, then AES-256-GCM) before anything is uploaded. Our server stores only the resulting ciphertext and the parameters needed to decrypt it on your device — it has no ability to decrypt your key. This also means that if you lose your backup password, no one (including us) can recover your key. Save it somewhere safe.
What's public by design
Nostr is a public network. When you post, update your profile, react, repost, zap, or file a report, that event is published to relays as signed, public data and is effectively permanent — relays and other people can keep copies indefinitely, including copies on relays we don't operate.
This includes: your profile (display name, bio, picture, lightning address), your posts and the media in them, your reactions and reposts, your zaps (which publicly link who tipped whom and how much), and abuse reports (which publicly link your key to the content you reported).
Media you upload
Images and videos you publish are uploaded to our content delivery network and served at public HTTPS URLs. Anyone with the URL can view them, and other servers may cache them. Publishing is public by design — don't upload anything you wouldn't want to be public and persistent.
Location & device details
Siner can attach proof-of-authenticity context to autographs — capture time, and optionally your GPS location and device model. Location and device sharing are controlled by toggles in Privacy settings. When a toggle is off, that detail is left out of both the public event and the image you upload. When it is on, your location and/or device can appear in the public post, its proof metadata, and the image's embedded EXIF data. Turn these off before capturing if you don't want that information shared.
Direct messages
Direct messages are end-to-end encrypted (NIP-17 gift wrapping). The decrypted text is cached only on your device; only ciphertext, addressed to your recipient, is sent to relays. We cannot read your messages. Metadata minimization is applied (timing is jittered and delivery defaults to our relay), but as with all messaging, your recipient and the relays involved can observe that an encrypted message was sent.
Handles (NIP-05)
If you claim a username@siner.me handle, we store a mapping from that name to your public key so others can verify you. That mapping is served publicly so any Nostr client can resolve it.
Proofs & the Siner Seal
A Siner Seal is a proof bundle for autographs and similar content. It contains content hashes, signing metadata, optional location/device context (per your toggles above), timestamps, and a cryptographic signature, and it can be anchored to the Bitcoin blockchain via OpenTimestamps (only a hash is sent to public timestamp servers — never your content). Seal bundles are stored under their content hash and are publicly retrievable so anyone can re-verify them. Don't put anything in a proof you don't want public.
No tracking, no advertising
Siner contains no advertising and no third-party tracking SDKs. The app does not use an advertising identifier and does not ask to track you across apps or websites. Our privacy manifest declares no tracking, and the only third-party code in the app is an open-source cryptography library. We do not sell your data. The only data the app sends on its own, apart from what you choose to publish or back up, is the optional diagnostics described next.
Diagnostics (crash & performance)
To find and fix bugs, the app may send crash and performance reports using Apple's MetricKit. These are diagnostics — not behavioral or usage analytics — and they are not linked to your identity and contain no message content. Apple delivers them roughly once a day. This is the only telemetry Siner collects, and it's reflected in the app's privacy manifest (Crash Data and Performance Data, used for app functionality).
Content moderation
To keep Siner safe, content you publish to our relay and media on our CDN may be reviewed when reported and, where enabled, automatically screened for prohibited material (such as illegal content). This applies only to public content on the infrastructure we operate. Your direct messages are end-to-end encrypted and are never scanned or readable by us. See our Community Guidelines for what's enforced and how to appeal.
Network basics (IP addresses)
Like any internet app, connecting reveals your IP address to the servers you contact. That includes our relay and CDN, and also third parties you reach directly — the hosts of other users' images, lightning-address providers when you zap, and public timestamp servers. We don't use IP addresses to build profiles of you; our relay keeps standard short-lived web-server logs for security and reliability.
Service providers
We rely on a small set of providers, each handling only what its function needs: DigitalOcean (hosts our Nostr relay and the media CDN), Resend (sends recovery emails), Cloudflare (DNS and, depending on configuration, proxying of traffic to our domain), Apple (an optional, currently inactive device-integrity check for Seals), and the public OpenTimestamps calendars (receive only a hash to anchor a proof).
Your choices & rights
You control what you share: location and device toggles, whether to enable backup, whether to claim a handle, and whom to mute or block. You can delete your account at any time in Settings → Account Security → Delete Account.
For access, correction, or deletion requests under laws like the GDPR or CCPA, email support@siner.me with the subject "Data Subject Request." Most of your data lives on your own device and on the public network rather than on our servers; we'll help with what we hold.
The limits of deletion
Deleting your account removes your local data and keys from your device, broadcasts a deletion request to relays, and deletes the media we host for you. But because Nostr is decentralized, content you already published may persist on relays and caches we don't control, and a deletion request is a request other relays may not honor. If you created an encrypted backup, note that the (unreadable) backup may persist on our servers after account deletion; email support@siner.me to have it removed.
Children
Siner is not directed to children. You must meet the minimum age required in your jurisdiction and by the App Store rating to use it. We don't knowingly collect data from children; contact us if you believe a child has used the app and we'll help.
Changes
We'll update this policy as Siner evolves and revise the date above. If we add anything that changes what we collect — for example, optional diagnostics — we'll describe it here and surface material changes in the app before it takes effect.
Contact
Questions about this policy: support@siner.me. The data controller is [ENTITY], [JURISDICTION].