Ndevar logoNdevar

Legal

Privacy Policy

Last updated:

Ndevar is built around a simple idea: you should not have to trade your identity to send a message. This document explains how that idea is implemented, what we do and do not store, and what your choices are. It is divided into two parts because Ndevar is two things — an app you install, and a website you read — and they have different privacy stories.

If anything below is unclear, email us at hello@ndevar.com.

Part 1 — Privacy in the Ndevar app

The starting point: no account, no server

You do not need to create an account to use Ndevar. When you install the app and use it for messaging over Bluetooth mesh, no account exists, no email is registered, and no server-side identifier is created. Your device generates its own keys locally, and the people you communicate with see only the identifiers you choose to share.

This is the default. Everything in the rest of this section either describes this default in more detail, or describes optional features you have to deliberately turn on.

What stays on your device

The following data lives on your device and never leaves it unless you explicitly take an action that sends it somewhere:

  • Your messages and message history.
  • Your contacts and any nicknames you have given them.
  • Your cryptographic keys (used to sign your messages and verify others').
  • Your profile information — your chosen display name, your avatar, your sharing preferences.
  • The 12-word recovery phrase shown to you when you first set up Ndevar.

If you uninstall the app, all of this data is deleted. Ndevar has no server-side copy.

The optional account

If you want backup, multi-device sync, or any of the paid features (Device Protect, Broadcast), you can create an account. Account creation is in the app, not on the website.

Your account is identified by your ShortAddress — the 8-character code derived from your profile's signing key (for example, 2HBLzsnA). This is the username you use to sign in to the account portal. We do not ask for an email address when you create an account.

What an account stores on our servers:

  • Your ShortAddress (the public identifier of your primary profile).
  • The list of profiles attached to your account, identified by their public keys.
  • Your subscription state (Free / Protect / Protect+ / Team for the device track; Free / Gather / Network / Public for broadcast).
  • A device identifier per profile — a hash, used to group related dev logs and detect which devices are active.
  • If you have backups enabled: encrypted backup blobs that we cannot read.

What an account does not store:

  • Your messages or message contents.
  • Your contacts.
  • Your AddressID or your peers' AddressIDs.
  • Your location.
  • Your email address — unless you have signed up for a paid subscription. See Payment processing below.
  • Anything that would let us correlate your account with your behaviour in the mesh network.

You can delete your account at any time from the in-app settings. Deletion is immediate and cascades — all account data, backups, and subscription records are removed. If you have an active paid subscription, it is cancelled.

Backups

Backups are off by default. If you turn them on, your profile data is encrypted on your device with a key derived from your recovery phrase, then uploaded to our servers. We hold the encrypted blob; we have no way to read it. Restoring a backup requires the recovery phrase. If you lose the phrase, the backup is permanently unreadable — including by us.

Mesh-health telemetry (opt-in)

The mesh works better when we can see how it's performing in aggregate. Telemetry is off by default. You can turn it on under My Profile → Include My Network Activity in Statistics.

If you turn telemetry on, we receive:

  • Anonymous, aggregate metrics about message delivery (hop counts, byte sizes, round-trip times, peer connection events).
  • Your subscription tier (so we can understand how the mesh performs across the customer base).

We do not receive:

  • Your identifiers (no AddressID, no PeerID, no device ID).
  • Your message content.
  • Your contacts.
  • Your location — unless you also separately opt in to including location data via My Profile → Include My Location in Network Data. The location toggle is opt-in independently of telemetry. When sent, location is rounded to four decimal places (~11 metres precision) before transmission.

Telemetry data is held under a separate database from your account data, with no cross-database identifier that would let us link telemetry events back to your account.

Beta diagnostics (TestFlight only)

If you are running a TestFlight build, the app may upload diagnostic logs to help us debug pre-release issues. The level of detail captured depends on the TestFlight build's configured level (visible to you in the app's data privacy screen). Diagnostic logs:

  • Are only captured on TestFlight builds, never on App Store builds.
  • Never include your message content.
  • Never include your contacts' identities.
  • Are retained for 300 days, then deleted.

If you do not want to participate in beta diagnostics, the way to opt out is to use the App Store version of Ndevar instead of TestFlight.

Broadcast

Broadcast messages are public by design. If you publish a broadcast, the message body is plaintext and signed with your channel's signing key. Recipients can verify you sent it. Anyone receiving the broadcast can read it.

Broadcast messages you author are stored against your account for 90 days so you can see your own publishing history in the portal. We do not store broadcast messages received by other users — only the ones you authored as the broadcaster.

We also store delivery analytics for broadcasts you publish (how many recipients confirmed receipt, mesh delivery patterns) — these are aggregate counts only, with no per-recipient identification.

What the relay sees

If both endpoints of a conversation are using the optional internet relay (when out of Bluetooth range), encrypted message frames pass through our relay servers. The relay:

  • Sees an encrypted blob, the destination address it should route to, and timing metadata.
  • Cannot read the message content (the payload is encrypted end-to-end before it reaches the relay).
  • Does not log the encrypted content.
  • Does not retain frames after delivery.

The relay never communicates with the account portal — it has no knowledge of which AddressIDs belong to which accounts.

Payment processing

Paid subscriptions are processed by Stripe.

When you start a paid subscription, you provide an email address as part of the Stripe checkout flow. We use this email address for two purposes only:

  • Sending you payment receipts, payment-failure notifications, and subscription updates.
  • Notifying you of material changes to this privacy policy or to our terms of service.

Card details are entered directly into Stripe's UI; Ndevar never sees or stores card numbers. Your email is stored against your account on our servers (linked to your ShortAddress) and on Stripe's infrastructure under their privacy policy.

If you cancel your subscription and downgrade to the free tier, your email address is retained against your account so that we can re-associate any future paid subscription with the same Ndevar account. If you delete your account entirely, the email is deleted along with the rest of your account data.

If you have a free Ndevar account (no Stripe subscription), we have no email address for you.

Part 2 — Privacy on this website

This section is about ndevar.com only. It describes what happens when you read these pages in your browser. It is separate from the app's privacy posture above.

What this website does

ndevar.com is a marketing site. It has no accounts, no forms, no logins, and no data submissions. There is no way to send personal information to us through this website. Email links on the site (such as the one in the footer) open your own mail application — when you send us an email, that email goes from your mail provider to ours; it is not captured by ndevar.com.

Google Analytics — only with your consent

We use Google Analytics 4 to understand how visitors use ndevar.com — which pages people read, where visitors come from, which devices they use. We use this to make the site more useful.

Analytics is opt-in. The first time you visit, a banner asks for your choice:

  • If you accept: Google Analytics is loaded and a cookie is set on your browser to recognise you across pages. We see aggregate traffic statistics. We do not see your name, email, or identity. We have configured the property for the privacy-tightest options available — Google Signals is off, Enhanced Conversions and similar identity-correlating features are off, no Google Ads account is linked, and visitor data is retained for 2 months before automatic deletion.
  • If you decline: no Google Analytics library is loaded. No requests are sent to Google's servers. No cookies are set. We do not know you visited the site beyond the standard server-side request logs that any website receives.
  • If you change your mind: there are two ways to revisit your choice. The footer of every page has a “Cookie preferences” link, and the privacy page (this page) has a “Manage cookie preferences” widget. Both re-open the consent banner. If you previously accepted and now decline, the cookies set during the accepted period are deleted from your browser, and the page reloads to flush any remaining state.

You can verify all of this in your browser's developer tools — the requests, or absence of requests, to Google's servers are observable.

What ndevar.com itself stores about you

The website is statically generated and served from a content-delivery network. The CDN keeps standard request logs (timestamp, IP address, requested URL, user agent) for operational purposes — these are used for debugging, security, and infrastructure monitoring, not for analytics. They are not joined to anything else and are retained according to AWS's standard CloudFront log retention.

The website does not load any third-party scripts other than (with your consent) Google Analytics. There are no social-media pixels, advertising trackers, session-recording tools, heatmap libraries, A/B testing tools, or chat widgets on this site.

Cookies on this website

Two cookies may be set on ndevar.com:

  • Consent preference (always set): a small entry in your browser's local storage recording whether you accepted or declined analytics, and when you made that choice. This is a first-party local-storage entry — never sent to any server, including ours. If you've never made a choice, no consent storage exists.
  • Google Analytics (only if you accepted): _ga and _ga_<id> cookies, set by the Google Analytics library, expire after 13 months unless you decline first (which deletes them immediately).

That is the complete cookie inventory.

Manage cookie preferences

Your rights

Regardless of where you live, you have the right to:

  • Ask us what personal information we hold about you.
  • Ask us to correct it.
  • Ask us to delete it. (For account holders, the in-app account-deletion control does this immediately. For other queries, email us.)
  • Ask us to provide a copy of your information in a portable format.

When you contact us about these rights, you will need to identify yourself by your ShortAddress (paid subscribers can also identify by their billing email) so we can locate the right account. We cannot honour requests where we are unable to verify which account they relate to — this protects you from someone else asking us to delete or release your data.

If you live in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR, the UK GDPR, and the CCPA respectively — including the right to lodge a complaint with your local supervisory authority. We will honour any of those rights.

To exercise any of these rights, email hello@ndevar.com and include your ShortAddress so we can locate your account.

Jurisdiction

Ndevar is operated by Stoneworks Australia Pty Limited, an Australian company. The Australian Privacy Act applies to our handling of personal information. Where users in other jurisdictions interact with us, we honour applicable local privacy law (notably GDPR for the EEA/UK and CCPA for California).

Our infrastructure runs in AWS Asia Pacific (Sydney). Data does not leave that region except where Stripe (for payments), SendGrid (for transactional email), or Google (for the website's optional analytics) handle data on our behalf — these processors operate under their own privacy policies and have their own jurisdictional commitments.

Changes to this policy

If we change this policy in a way that affects how we handle your data, we will update the “Last updated” date at the top.

For paid subscribers, where we have an email address, we will also send a notification email to that address for changes that materially affect how your data is handled. For free-tier users, where no email is on file, the only way we can notify you is via in-app messaging or by updating this page — please check this page periodically if continuity matters to you.

Contact

Questions, requests, or concerns about privacy: hello@ndevar.com.