Privacy Policy

Tucked is operated by ACR Holding AS. In this policy, “we”, “us”, and “our” refer to ACR Holding AS, and “you” refers to you, the user of the Tucked app.

Account data. When you create an account, the app generates a cryptographic key pair on your device. Only the public keys are sent to our server. We store a randomly generated user ID, the timestamp your account was created, and when you last used the app. This random ID is the primary identifier we hold for you . We do not require or store your name, email address, or phone number.

Display name. You may optionally set a display name. This is stored in plaintext on our server.

Encrypted content. Photos and videos you share are encrypted on your device before upload. Our server holds the encrypted data only temporarily, until the recipient downloads it. Once acknowledged, the encrypted content is deleted from our server. We cannot decrypt or view your content at any point.

Sealed decryption keys. To enable recipients to decrypt content, we store the sealed decryption key (the CEK, sealed to the recipient's public key) on our server. Unlike the content itself, we retain this key until it is explicitly deleted (by revocation or ending the partnership). This key is not usable by us. Only the recipient's private key can unseal it, and the recipient never stores it; it is held only momentarily in memory during decryption.

Content metadata. For each item you share, we store unencrypted metadata: image dimensions, video duration, file type, capture date, and media source. This is needed to render content correctly on the recipient's device.

Messages. Messages between you and your partner are encrypted end-to-end. We store only the encrypted payload and delete it from our server as soon as the recipient acknowledges delivery.

Push notification token. If you enable notifications, your Apple Push Notification Service device token is stored on our server to deliver notifications. Notifications contain no message content or previews.

Subscription data. If you subscribe, your purchase is processed by Apple (App Store) and tracked by RevenueCat, our subscription management provider. RevenueCat receives your purchase transaction data from Apple and assigns you a subscriber ID. This subscriber ID is linked to your anonymous Tucked account on our servers. We do not receive or store your payment details.

• We never hold your private keys. They are generated and stored exclusively on your device in the iOS Keychain.
• We do not collect location data.
• We do not use cookies or advertising identifiers.
• We do not track you across apps or websites.

We use the data listed in Section 2 solely to provide the Tucked service:

• Authenticate your device and manage your session.
• Deliver encrypted content and messages to your partner.
• Send push notifications when new content or messages arrive.
• Enforce revocation when you choose to revoke shared content.
• Manage your subscription status via RevenueCat.

We do not use your data for advertising, profiling, or any purpose beyond operating the app.

All photos, videos, and messages are encrypted on your device before being transmitted. Encryption uses industry-standard algorithms (ChaChaPoly AEAD, Curve25519 key exchange, HPKE key encapsulation).

Here is how content encryption works in detail:

1. Your device generates a unique Content Encryption Key (CEK) for each item you share.
2. The content is encrypted with the CEK on your device before upload.
3. The CEK is then sealed to the recipient's public key using HPKE. Only the recipient's private key can unseal it.
4. The encrypted content is uploaded to our server, where it is held temporarily until the recipient downloads it. Once downloaded and acknowledged, the encrypted content is deleted from our server.
5. The sealed CEK is stored on our server until it is explicitly deleted (by revocation or ending the partnership).
6. When the recipient wants to view the content, their device retrieves the sealed CEK from our server and unseals it locally using their private key. The CEK is held only momentarily in memory and is never stored on disk.

We hold the sealed CEK but cannot unseal it. Only the recipient's private key can do that. Our architecture prevents us from viewing your content. In the event of a server breach, only encrypted data would be exposed.

We do not sell, rent, or share your personal data with third parties, except as described below:

• Legal requests. We will disclose data in response to valid legal process (such as a court order, subpoena, or legal obligation under applicable law). What we can provide is limited to what we hold: encrypted content, sealed decryption keys, content metadata, and account records. We do not hold private keys. Those exist only on users' devices.
• Apple Push Notification Service receives your device token to deliver push notifications. Apple's handling of push tokens is governed by Apple's Privacy Policy.
• RevenueCat receives your App Store purchase transaction data (provided by Apple) and your anonymous Tucked subscriber ID to manage your subscription. RevenueCat does not receive your name, email, or any content. RevenueCat's handling of data is governed by RevenueCat's Privacy Policy.

• Encrypted content and messages that have not been acknowledged by the recipient within 7 days are permanently deleted from our servers.
• Acknowledged encrypted content is deleted from our server as soon as the recipient acknowledges download.
• Encrypted messages are deleted from our server as soon as the recipient acknowledges delivery.
• Session tokens expire after 7 days.
• Revoked content. When you revoke a shared item, we permanently delete the sealed decryption key for that item from our server.
• Ending a partnership permanently deletes all in-transit encrypted content, all sealed decryption keys, messages, and associated records from our server. We also attempt to delete any encrypted content you shared that has already been downloaded to your partner's device.

Your private keys are stored in the iOS Keychain, protected by your device's biometric authentication (Face ID) or passcode. Decrypted content exists only in memory and is never written to disk. Decrypted content and cached decryption keys are purged from memory shortly after the app leaves the foreground.

You can:

• Revoke content you have shared at any time. This permanently deletes the sealed decryption key from our server.
• End your partnership at any time. This permanently deletes all in-transit encrypted content, all sealed decryption keys, and messages from our server. We also attempt to delete any encrypted content you shared that has already been downloaded to your partner's device.
• Request information about what data we hold about you by contacting us.
• Delete your account by contacting us. Account deletion removes all data we hold associated with your user ID.

Tucked is not intended for use by anyone under the age of 18. We do not knowingly collect data from children. If we have actual knowledge that you are under the age of 18, we will cease providing the Services to you and delete your account and your data.

We may update this policy from time to time. If we make material changes, we will notify you through the app. The effective date at the top of this page indicates when the policy was last revised.

If you have questions about this privacy policy or your data, contact us at [email protected].