Draft · will be reviewed by counsel before public launch
Privacy
A short and honest version of this document is: we keep almost nothing, and what we keep, we cannot read. The longer version is below. It exists because the law requires it and because we want you to be able to verify the short version.
Who is responsible
The controller for personal data processing on No Rush is the operator of the service:
[Your Name / Company name]
[Street and number]
[Postcode City]
Germany
Email: privacy@norush.eu
For the full company details and our data protection contact, see the Imprint.
What we collect, when we collect it, why
1. Phone number, at registration
To register on No Rush we collect your phone number, send a one-time code, and verify that you control the number. Legal basis: Art. 6(1)(b) GDPR (performance of contract). The number is stored as a salted hash, not in the clear, so we can match incoming OTP requests but cannot enumerate users from our database.
2. A device public key, at registration
Your device generates a Curve25519 key pair locally; we receive only the public half, which lets other users encrypt messages to you. Your private key never leaves your device.
3. Sealed ciphertext envelopes, transiently
When someone sends you a message, we receive a ciphertext envelope addressed to your mailbox. We cannot read it. We do not record who sent it (sealed sender). We hold it only until your device fetches it, then we delete it. Undelivered envelopes are deleted after 30 days. Legal basis: Art. 6(1)(b) GDPR.
4. Encrypted media blobs, transiently
Photos, voice notes, and files are encrypted on your device before being uploaded. We store the encrypted blob and a TTL; we cannot decrypt it. The decryption key travels inside the recipient's E2EE message envelope. Blobs are deleted on download confirmation or at TTL, whichever is sooner.
5. Technical logs, for the minimum operational period
Standard request logs (IP address, user agent, response code, timestamp) are retained briefly (typically fewer than 14 days) for security and abuse-prevention purposes and are not joined to your identity. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a safe service).
What we do not collect
- The content of your messages or media.
- Read receipts, "online" or "last seen" status, typing indicators.
- A readable social graph (who you talk to). Sealed sender means our relay sees envelopes addressed to a mailbox, not pairings.
- Your address book in the clear (contact discovery is privacy-preserving).
- Tracking pixels, third-party analytics, advertising identifiers.
Who processes the data on our behalf
We use the following processors, under a Data Processing Agreement (Art. 28 GDPR):
- Supabase (EU region) — Postgres database hosting the blind relay (sealed ciphertext envelopes, your public key, hashed phone number). Hosted in Frankfurt, Germany.
- Cloudflare R2 / object storage (EU region) — short-lived encrypted media blobs.
- SMS provider (e.g. Twilio or MessageBird) — for the one-time registration code only. The provider sees your number; it does not see your messages or your contacts.
None of these processors can decrypt your messages or media; the keys live only on your device.
Retention
- Sealed envelopes: deleted on fetch, or after 30 days if undelivered.
- Encrypted media blobs: deleted on download confirmation, or at TTL.
- Public key: retained while your account exists.
- Hashed phone number: retained while your account exists.
- Account deletion is final and removes all of the above. We keep no shadow copy.
Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have your account and data deleted (Art. 17). Because we hold so little, this is fast.
- Restrict processing (Art. 18).
- Export your data in a portable format (Art. 20). The bulk of your history lives on your device, not on our servers.
- Object to processing (Art. 21).
- Lodge a complaint with a supervisory authority. The competent authority for our company is the [Berlin Commissioner for Data Protection and Freedom of Information, Berliner Beauftragte für Datenschutz und Informationsfreiheit].
To exercise these rights, email privacy@norush.eu. We will respond within one month (Art. 12(3) GDPR).
Lawful process
We respond to lawful legal requests from competent authorities with the minimum data we hold. In practice this means: confirmation that an account exists, the registration timestamp, hashed phone number, and request metadata. We cannot produce message content, media content, or a readable social graph because we do not have them. Where the law allows, we publish a transparency report describing the volume and nature of requests.
International transfers
All processing for No Rush takes place within the European Union. We do not transfer personal data outside the EU/EEA in the normal operation of the service.
Changes to this policy
If we change this policy, we'll publish the new version here and note the date at the bottom. Material changes will be announced in the app.
Last updated: 2026-05-25 · Draft.