We built Qlavis to know as little about you as technically possible.
What limited data Qlavis processes, what it deliberately never collects, and why end-to-end encryption means we cannot read your content even if we wanted to.
- End-to-end encrypted. Messages, calls, files, and in-chat payments are encrypted on your device with post-quantum cryptography. No one but you and the people you talk to can read them.
- No sign-up data. No phone number, no email, no real name. Your identity is created on your device and secured by a 12-word recovery phrase that never leaves it.
- No tracking, no ads, no analytics SDKs. We do not use advertising, third-party analytics, or the device advertising identifier. We do not sell or share your data.
- We store as little as possible. Encrypted message content is deleted from our servers once it has been delivered.
- Your wallet is yours. The built-in wallet is non-custodial. Your keys and funds live only on your device — we never hold, see, or store them.
Controller
Qlavis is a post-quantum, end-to-end encrypted messenger with an integrated non-custodial wallet, published for iOS. This policy describes how Qlavis, Inc. (“Qlavis,” “we,” “us”), a United States corporation, handles information in connection with the Qlavis app and the qlavis.app website. Contact: hello@qlavis.app.
Data minimization by design
Qlavis is built so there is little about you to collect in the first place. We do not:
- require or collect your phone number, email address, or legal name to create an account;
- read, scan, or retain the plaintext of your messages, calls, files, or payments — everything is end-to-end encrypted;
- upload, store, or scan your device address book on our servers;
- use advertising, ad networks, or the device advertising identifier (IDFA) — and we do not track you across other apps or websites;
- embed third-party analytics, telemetry, or crash-reporting SDKs; or
- sell, rent, or share your personal information, or use it for advertising of any kind.
The minimum needed to deliver messages and calls
Because your content is end-to-end encrypted, most of what our servers hold is either a public key, an opaque identifier, or ciphertext we cannot decrypt.
| Data | What it is / why | Legal basis (GDPR) |
|---|---|---|
| Qlavis ID | A username you choose (@handle) so others can reach you. Not linked by us to your real identity. | Contract |
| Public keys | Your public encryption and signing keys and public prekeys, so others can establish encryption with you. Your private keys never leave your device. | Contract |
| Device fingerprint hash | A one-way hash binding your account to your device, to resist account takeover. We store the hash, not the device data. | Legitimate interest — security |
| Encrypted push token | An encrypted reference used to route Apple push notifications to your device. | Contract |
| Encrypted message content | Ciphertext we cannot read. Deleted on delivery to all recipients; only a content-less stub remains so delivery status works. | Contract |
| Delivery & read status | Whether a message was delivered/read, to show status ticks. You can disable read receipts. | Contract / consent |
| Presence signals | Coarse “last seen” and online/typing indicators. Last-seen is rounded for privacy; every signal is individually switchable off. | Consent |
| Avatars | Encrypted per-recipient key-wraps and encrypted image blobs. We cannot view your avatar. | Contract |
| Safety data | Users you block and reports you submit, so we can keep the service safe and act on abuse. | Legitimate interest — safety |
Contacts stay on your device. Your contact list and Zero-Knowledge Lookup data are stored locally in an encrypted database. Our servers hold none of it.
The qlavis.app website collects nothing. It is a static site: no cookies, no analytics, no third-party code. Our web server keeps only anonymized technical logs (time, request, status) that contain no IP addresses.
We hold no key that can read your content
All conversation content — text, voice and video calls, photos, videos, files, voice messages, and in-chat payments — is encrypted on your device before it is sent, and can only be decrypted on the recipient’s device. Qlavis uses a post-quantum, CNSA 2.0-aligned stack (ML-KEM-1024 / FIPS 203 key encapsulation, ML-DSA-87 / FIPS 204 signatures, AES-256-GCM authenticated encryption) over a ratchet protocol with forward secrecy and post-compromise security.
This means we — and our hosting providers, and anyone who compromised our servers, now or after a future quantum computer exists — cannot read your content. The trade-off: we cannot recover your content or your account if you lose your 12-word recovery phrase. Keep it safe; it is the only key.
Non-custodial — we store nothing about your funds
The built-in wallet supports the Stellar and XRP Ledger networks and is fully non-custodial. Your wallet keys are derived on your device from your recovery phrase and stored only on your device. Our servers hold no wallet balances, keys, addresses, or transaction history.
- On-chain data is public. A blockchain transaction is recorded on a public ledger we do not control and cannot alter or delete. Anything in a public memo field is permanent and public.
- Privacy relay. When your wallet reads the blockchain, requests go through our relay, which strips identity-revealing headers and forwards a fresh request — the network operators see our relay, not your device.
Generic alerts; your content is never in the push
To alert you when the app is closed, we send push notifications through Apple’s Push Notification service (APNs). The alert shown on your lock screen is generic — “New message” or “Incoming encrypted call,” never the message content. So your device can label the notification, the push payload carries the sender’s Qlavis @handle (never a phone number, and never any message content); your messages are fetched and decrypted only on your device. You can hide the sender on the lock screen in Settings.
Who processes data on our behalf
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Server hosting and encrypted storage | United States |
| Apple | App distribution and push delivery (APNs) | United States |
| Stellar / XRP Ledger | Public blockchains your wallet transacts on (only if you use the wallet) | Decentralized |
| Call relay (TURN) | Relays call media when a direct connection isn’t possible; media stays end-to-end encrypted | United States |
We do not use these providers for advertising or profiling. We may disclose data if required by valid legal process — but because of end-to-end encryption and data minimization, what we can produce is limited to the account data described above — never message content.
We keep it briefly, then delete it
- Message content: deleted from our servers once it has been delivered. Undelivered ciphertext is kept no longer than 14 days, then deleted.
- Delivery / read status: up to 14 days.
- Call records (time and duration only — call audio and video are end-to-end encrypted and never touch our servers): removed once the call ends or, for a missed call, once your device has been notified of it. Backstop: no longer than 14 days.
- Account data (Qlavis ID, public keys, device fingerprint hash): kept while your account exists, deleted when you delete it.
You are in charge
- Delete your account in-app, any time. Settings → Account → Delete Account removes your identity and associated data from our servers and wipes local data. Blockchain transactions already recorded on public ledgers cannot be deleted.
- Privacy toggles. Read receipts, online status, typing indicators, last-seen, profile-photo visibility, and lock-screen sender hiding — each independently in Settings.
- App lock. Manage your recovery phrase and biometric/PIN app-lock in Settings.
GDPR, CCPA, and more
Depending on where you live, you may have legal rights to access, correct, delete, or restrict the personal data we hold about you. Because Qlavis is built on data minimization and end-to-end encryption, that data is limited — and you can already see and delete most of it yourself in-app. We do not sell your data, so there is nothing to opt out of. To make a request, email hello@qlavis.app; we verify requests through your control of your Qlavis account, and we will never ask for more data to fulfil one.
Processed in the United States
Our servers are in the United States. If you use Qlavis from outside the U.S., the limited data described above is processed in the U.S. Where personal data is transferred from the EEA or the UK, we rely on appropriate legal safeguards for such transfers, as required by applicable law.
Security is the product
Beyond end-to-end encryption: your on-device database is encrypted at rest; secret keys are protected by the iOS Keychain and Secure Enclave; the app supports biometric and PIN app-lock; and your account is bound to your device to resist takeover. No method is 100% secure, but we design to minimize what could ever be exposed. To report a security issue, email hello@qlavis.app or see security.txt.
Not directed to children
Qlavis is not directed to children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact hello@qlavis.app and we will delete it.
Updates to this policy
We may update this policy. We will change the “Last updated” date and, for material changes, give notice in the app or on qlavis.app. Continued use after an update means you accept the revised policy.
Reach us
Questions about privacy: hello@qlavis.app.