Privacy Policy

Effective: April 30, 2026 · Last updated: April 30, 2026

MUTE collects no personal data. No name, no email, no phone number, no analytics, no tracking. Messages are end-to-end encrypted; we cannot read them, and we do not want to.

1. Who we are

MUTE Protocol ("MUTE", "we", "us") is an end-to-end encrypted messaging application developed and maintained by Oraldo Nova. We are based in Switzerland. The app is distributed through the Apple App Store and Google Play Store under bundle identifier com.muteprotocol.mute.

2. What we do not collect

We want to be unambiguous about what MUTE does not collect, store, or process:

No name, real or pseudonymous
No email address
No phone number
No address book or contact list
No location data
No device fingerprint, advertising identifier, or persistent device ID
No analytics events, usage statistics, or behavioral data
No crash reports containing user content
No cookies, no tracking pixels, no third-party trackers

3. What MUTE technically requires

For MUTE to function as an encrypted relay, the following minimal data passes through our infrastructure:

3.1 Public keys

When you first open MUTE, the app generates a cryptographic key pair (X25519 for key agreement, Ed25519 for signatures) entirely on your device. Your public key is registered on our relay servers so that other users can establish encrypted sessions with you. Your private key never leaves your device.

3.2 Encrypted message payloads

Messages, voice notes, photos, videos, and call signaling data are encrypted on your device using XSalsa20-Poly1305 authenticated encryption with per-session keys derived via X25519. Our relay servers forward these payloads but cannot decrypt them. We do not log message content, and we technically could not read it even if compelled.

3.3 Push notification tokens

To deliver notifications when MUTE is closed, your device provides us with a push token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). This token is mapped to your public key on our relay. The notification payload itself contains no message content — only an opaque trigger that wakes the app to fetch the encrypted message.

3.4 Offline queue

If a recipient is offline, encrypted messages are temporarily stored on our relay for up to 7 days. After 7 days, they are securely deleted. We never have access to the plaintext.

4. Third-party services we rely on

MUTE uses the following third-party infrastructure for transport only:

Apple Push Notification service (APNs) — for iOS notifications
Firebase Cloud Messaging (FCM) — for Android notifications
Hetzner Online GmbH — hosting provider for our relay servers, distributed across Helsinki (Finland), Nuremberg (Germany), and Singapore
coturn — open source TURN server for voice/video call signaling fallback

None of these services receive plaintext message content. Apple and Google receive only the opaque push token and a wake-up trigger; Hetzner hosts the encrypted relay payloads as ciphertext across three independent data centers in three countries.

5. Encryption details

For users with technical interest:

Key exchange: X25519 (Curve25519, 256-bit)
Symmetric encryption: XSalsa20-Poly1305 (256-bit, authenticated)
Digital signatures: Ed25519
Library: tweetnacl, an open-source, public-domain cryptographic library audited by independent researchers
Forward secrecy: per-session keys are rotated and forensically wiped from device memory after use

6. Data retention

Messages in transit: deleted from the relay immediately upon successful delivery
Offline queue: maximum 7 days, then permanent deletion
Public key registration: retained as long as your account is active; removed when you uninstall and clear the app
Push tokens: retained as long as your device is registered; invalidated automatically by Apple/Google when you uninstall

7. Your rights

Because we do not collect personally identifiable information, most data subject rights under GDPR (EU), CCPA (California), and similar regulations are technically already satisfied — there is no personal record to access, correct, or delete.

If you wish to remove your public key and any associated push token from our relay, you can do so by:

Using the in-app "Wipe everything" function (settings → security)
Or simply uninstalling the application

For any other request, contact us at the address below.

8. Children's privacy

MUTE is not directed at children under 13. We do not knowingly collect any data from children under 13. If we learn that a user is under 13, no action is necessary on our part because we do not collect personal data from any user — but we encourage parents and guardians to ensure their minors do not use messaging applications without supervision.

9. International users

MUTE is available worldwide. Our relay servers are distributed across three countries on two continents: Finland, Germany, and Singapore. By using the app, you consent to encrypted message routing through this distributed infrastructure regardless of your location. Cross-region message delivery is handled by an authenticated cluster bus; messages remain end-to-end encrypted at all times.

10. Security

We implement defense-in-depth security on our infrastructure: TLS 1.3 transport, Ed25519-authenticated WebSocket connections, HMAC-SHA1 TURN credentials, rate-limited HTTP endpoints, and forensic memory wipes. Nevertheless, no system is perfectly secure. Users handling extremely sensitive information should evaluate their threat model independently.

11. Changes to this policy

If we change this policy, we will update the "Last updated" date at the top of this page. Material changes will be communicated through an in-app notice on next launch.

12. Contact

Questions about this policy or about MUTE in general:

Email: muteprotocol.team@gmail.com

Website: muteprotocol.com