Privacy First

NOCTURNAL WHISPERS

Effective January 29, 2026 — We designed Nocturnal Whispers so you can express yourself anonymously and safely. This document explains exactly how we protect that freedom.

1. Overview

Nocturnal Whispers ("we," "us," or "our") is built on the principle of anonymous expression. We do not require names, email addresses, or phone numbers to use our service. This page explains how we handle the minimal data we collect so Apple reviewers and our community can see the safeguards in place.

2. Data We Collect

Apple Guideline 5.1.1 mandates "Minimum Viable Data." We limit collection to what is required for a 17+ location-based experience:

Device Identifiers: We generate a unique UUID and store it in your device’s Keychain. It persists even after deleting the app so Nocturnal Whispers can enforce permanent bans on abusive hardware.
Precise Location: GPS coordinates are accessed only at the moment you post or refresh whispers. We blur/round the coordinates before showing distance to others and never track you in the background.
User-Generated Content: We store the images and text you post so they can appear in nearby feeds and be reviewed if reported.
Age Verification: We use a zero-knowledge proof (ZKP) system to confirm you are 18+ for After Hours mode. Your age bracket is verified cryptographically on-device — we never learn your actual age or birthdate, only that you passed the 18+ threshold.
Diagnostics: OS version, device model, and crash logs help us troubleshoot without using advertising identifiers.

For added clarity, here is the per-category breakdown reviewers typically ask for:

Category	Details	Retention	Purpose
Device UUID (PII surrogate)	Random identifier stored in the iOS Keychain so it can persist after deletion.	Kept until you trigger Delete All My Data.	Enforce device-level bans and link whispers to a device without knowing your identity.
Age Bracket	A zero-knowledge proof verifies you are 18+ on-device—we receive only a "Verified Adult" flag, never your exact birthdate.	Stored as a boolean flag alongside your device UUID.	Lock access to After Hours mode and satisfy regional laws.
Precise Geolocation	Requested only while posting/refreshing to calculate miles-away labels. Coordinates are blurred before sharing.	Held in volatile memory for <60 seconds, then discarded.	Serve nearby whispers and prevent location spam.
User-Generated Content	Text whispers, image overlays, and optional attachments.	Standard whispers auto-expire in 24h; After Hours content may persist up to 7 days.	Power the experience and give moderators context when something is reported.
Device Diagnostics	OS version, device model, crash logs. No ad identifiers.	Rolling 30 days.	Keep the app stable and debug crashes.

3. Data Sharing & AI Moderation

We do not sell your data. To keep Nocturnal Whispers safe, we share image and text data with third-party AI moderation services (e.g., Sightengine or AWS Rekognition). These providers scan for nudity, violence, and hate speech. Only the content blob/string is transmitted—no UUIDs, locations, or age signals leave our systems. You will see an in-app consent prompt before scans run.

4. Your Rights

You may delete all data associated with your device at any time via Settings → Data Management → Delete All My Data. The request wipes your Device UUID, age flag, and whispers from active databases immediately and from backups within 30 days. You can also block/report users, toggle precise vs. approximate location, and email info@nocturnalwhispers.app for confirmation.

5. Age Verification & After Hours Shield

After Hours mode is disabled by default and only unlocks after passing zero-knowledge proof age verification (18+).
Mature content tiles are blurred until you affirm you want to view them.
Regions that disallow mature content will see After Hours disabled entirely.
We do not sell, share, or repurpose age verification data for advertising.

6. Location Discipline

Location is fetched on demand, never in the background. Latitude/longitude are rounded to neighborhood-sized cells before any whisper sees the data, and the snapshot is deleted immediately after distance tags are calculated.

7. Retention & Right to be Forgotten

Standard whispers delete after 24h unless a report is open. After Hours whispers may stay up to 7 days to satisfy local regulations.
Reports and moderation logs are removed once the case closes (max 30 days).
Diagnostics roll off after 30 days.
Settings → Data Management → Delete All My Data instantly wipes your device UUID, adult flag, and whispers from active systems; backups are overwritten within 30 days.

8. Safety & Moderation

Device-level bans stop bad actors from reinstalling after suspension.
Reporting freezes the flagged whisper for moderators only until it’s resolved, then purged.
Blocking permanently severs the link between two device UUIDs so neither can view the other.

9. Privacy Nutrition Label

These are the exact settings we declare in App Store Connect:

Data Type	Linked to You?	Used for Tracking?	Purpose
Location (Precise)	No	No	App functionality (proximity feed)
Identifiers (Device ID)	No	No	Security & fraud prevention (device-level bans)
User Content (Photos/Text)	No	No	App functionality (whisper posting + moderation)
Diagnostics	No	No	App functionality (crash logs, performance)

10. Data Security

All traffic uses HTTPS/TLS 1.3. Whisper text is encrypted at rest using XChaCha20-Poly1305 (libsodium). Storage lives on encrypted volumes, and production access requires hardware security keys. All uploaded images are stripped of EXIF metadata (GPS, device info, timestamps) both client-side and server-side. Location coordinates are rounded to ~110 meters on storage.

11. End-to-End Encrypted Messaging

All direct messages are encrypted using the Signal Protocol (X3DH key agreement + Double Ratchet forward secrecy). Images in DMs are encrypted client-side with AES-256-GCM before upload. Our server stores only opaque encrypted blobs — we have zero access to plaintext message content. Identity keys are stored in the iOS Keychain with hardware-backed protection.

12. Push Notifications

We store APNs device tokens to deliver push notifications for new messages, reactions, and replies. Tokens are linked to your device UUID and deleted when you trigger "Delete All My Data." Push payloads for DMs contain no message content (only "Someone sent you a message") because Apple's servers can see push payloads. You can disable push categories in Settings.

13. Screenshot Detection

Nocturnal detects when you take a screenshot while viewing a whisper detail or DM conversation. Screenshot events are logged server-side (user ID, content type, target ID, timestamp) with rate-limiting. This data is used solely to notify affected content authors and is retained for 30 days.

14. Gamification Data

We track XP points, levels, streaks, badges, and activity statistics (whispers posted, replies given, likes received) tied to your device UUID. This data powers the in-app gamification experience and is deleted when you trigger "Delete All My Data."

15. Children's Privacy

Nocturnal Whispers is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that data has been collected from a minor, we will delete it immediately and ban the associated device.

16. California Privacy Rights (CCPA)

California residents have the right to: know what personal information we collect; delete it via Settings → Data Management → Delete All My Data; and opt out of sale — we do not sell personal information. We will not discriminate against you for exercising these rights.

17. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours via in-app notice and, where required by law, by other means.

18. Contact

Questions or data requests? Email info@nocturnalwhispers.app — we respond within 30 days (faster for urgent safety issues).