Privacy Policy
Last updated: 1 January 2026
Bylock is an independent, end-to-end encrypted messaging application. Privacy is the core of how it is built, not an afterthought. This policy explains what information Bylock can and cannot access, and how the limited data it does process is handled.
1. What we cannot see
Bylock uses end-to-end encryption. Your messages are encrypted on your device before they are sent, and only you and the people in your conversation hold the keys to read them.
- Message content: text you send is stored only as encrypted ciphertext. The server, its operator, and the Bylock project cannot read it.
- Your private key: it is derived from your password inside your browser and never transmitted to the server.
- Your password: it never leaves your device; the server only ever sees a one-way value derived from it.
2. Information that is processed
To deliver messages, the server stores a minimal amount of data:
- Account data: your chosen username, a salt, a one-way authentication hash, your public key, and your encrypted private-key blob.
- Profile data: your display name, optional avatar image, optional "about" text, and a color. This information is visible to other users you interact with.
- Conversation metadata: which conversations exist, their members, message timestamps, and emoji reactions.
- Technical data: connection information (such as an IP address) is necessarily handled while delivering messages in real time. Bylock does not build advertising or tracking profiles from it.
3. How information is used
The limited data above is used only to operate the service: to authenticate you, deliver your encrypted messages, show profiles and online status, and keep conversations in sync. It is not used for advertising or profiling.
4. What we do not do
- We do not sell or rent your data.
- We do not show ads or use third-party advertising trackers.
- We do not read, scan, or analyze your message content; we cannot.
- We do not require a phone number to sign up.
5. Data retention
Encrypted messages and account data remain stored until they are deleted by you or by the operator of the server, or until your account is removed. Because messages are encrypted, deleting your keys (for example by losing your password) makes related content permanently unreadable.
6. Security
Bylock relies on widely reviewed cryptography (ECDH P-256 key agreement and AES-256-GCM encryption). No system is perfectly secure, but the design ensures that even a full server compromise does not expose the plaintext of your messages.
7. Children
Bylock is not directed to children. You must be at least 13 years old (or the minimum age of digital consent in your country, if higher) to use it.
8. Your choices
You can edit your profile at any time, remove your avatar, and request deletion of your account by contacting the operator of the server you use. Self-hosted operators control retention and deletion for their own instance.
9. Self-hosting
Bylock can be run by anyone on their own server. If you connect to a server you do not operate, that server's operator is responsible for it as an independent data controller, and their practices, not this template, govern your data on that instance.
10. Changes
We may update this policy as Bylock evolves. Material changes will be reflected by updating the date above.
11. Contact
Questions about privacy can be sent to privacy@example.com (replace with your real contact address before launch).