
Cord

Cord Privacy Policy

 

Last Updated: June 2026

 

Summary

 

Cord is a private-by-design messenger. You can use core messaging features without creating a phone-number, email, or username account, and without uploading your contacts. Messages and media are end-to-end encrypted, and any profile details you choose to share in a cord (alias, avatar) are encrypted too. Cord is designed so server-side systems do not have access to plaintext message content or to your shared profile details.

 

To operate the service, Cord processes limited technical metadata such as app-generated device identifiers and push notification tokens.

 

1. Information Cord Collects

 

Cord collects and processes only the information needed to deliver, secure, and maintain the service:

 

- Encrypted message/media envelopes: ciphertext and delivery-envelope data required for routing and synchronization.

- Delivery metadata:

  - App-generated random device identifiers

  - Cord identifiers used for join/routing, processed in hashed form (Cord's servers do not store the plaintext Cord ID for routing)

  - Envelope/message identifiers and delivery-state metadata

- Push notification tokens: APNs/FCM tokens required to deliver notifications.

- Optional profile metadata you choose to share in a cord (alias/display name and avatar): end-to-end encrypted with a per-cord key and stored only as ciphertext, readable only by other members of that cord.

- Operational and security telemetry: limited technical events needed for reliability, abuse prevention, debugging, and service integrity.

 

Cord does **not** require:

 

- Phone numbers

- Contact-list/address-book uploads

- Email/username registration for core messaging use

- Location data

- Hardware identifiers such as IMEI, MAC address, or advertising ID

 

Cord does not use third-party advertising SDKs or cross-app behavioral profiling SDKs.

 

2. Permissions and Device Access

 

Cord may request permissions only when you use related features:

 

- Camera: QR scanning and capturing media you choose to send

- Microphone: recording voice/video messages

- Photo library/gallery: selecting media to send or saving media you choose to store

 

These permissions are optional and user-initiated. You can deny or revoke them in device settings.

 

3. How Cord Uses Data

 

Cord uses collected data to:

 

- Deliver encrypted messages/media to intended recipient devices

- Maintain device registrations and routing for cord participation

- Register and use push tokens to deliver content-minimized notifications

- Operate, secure, troubleshoot, and improve service reliability

 

Cord does not sell personal data and does not use message content for advertising.

 

4. End-to-End Encryption

 

- Messages are encrypted on sender devices before transmission and decrypted on recipient devices, using the Signal Protocol.

- Sessions provide forward secrecy (one-time prekeys are consumed per session and signed prekeys rotate), so earlier messages remain protected even if a key is later compromised.

- Media is encrypted client-side before upload/storage.

- Profile details you share in a cord (alias, avatar) are end-to-end encrypted with a per-cord key derived from a high-entropy secret carried in the cord invite — not from the shareable Cord ID — so Cord's servers store only ciphertext.

- You can verify a participant's safety number in-app to confirm your encrypted session has no man-in-the-middle.

- Cryptographic keys and sessions are generated and stored on-device using OS-backed secure storage.

- Cord is designed so server-side systems do not hold users' private message keys.

 

5. Metadata Minimization

 

Cord minimizes metadata, but some metadata is necessary for delivery and security:

 

- Encrypted envelopes and routing metadata are processed to deliver messages.

- Cord identifiers are processed in hashed form rather than as plaintext Cord IDs.

- Push providers process token/delivery metadata to route notifications.

- Cord does not require phone-number or email identity to function.

 

Cord routes messages using app-generated device identifiers rather than personal identity. Routing information remains visible to the service so that messages can be delivered.

 

6. Third Parties / Infrastructure

 

Cord uses a small number of service providers that process data under Cord's instructions to provide infrastructure, delivery, and security operations:

 

- Supabase: database, file storage, realtime, serverless (edge) functions, and anonymous authentication. Supabase stores only end-to-end-encrypted message/media envelopes and minimized routing metadata; it cannot access plaintext message content, shared profile details, or your private keys.

- Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM): notification transport only. Pushes act as delivery signals and do not carry plaintext message content.

 

Cord does not require phone-number or email signup for core messaging use.


 

7. Data Retention

 

Cord applies data-minimization and limited-retention principles:

 

- Encrypted server-side delivery data/media: retained for delivery/synchronization and removed according to backend retention schedules.

- Delivery metadata: retained only as needed for routing, device management, abuse prevention, and reliability/security operations.

- Operational/security telemetry: retained for limited periods appropriate to service protection and troubleshooting.

- On-device history: controlled by in-app retention settings and local deletion tools (including optional auto-expiration behavior).

 

When you delete local data or uninstall the app, local app data is removed according to platform behavior. Some provider backups/logs may persist for limited periods under provider backup/retention cycles.

 

8. Your Controls

 

You can:

 

- Manage cord participation in-app (join or leave a cord)

- Delete your own messages for everyone in a cord

- Configure local message-retention behavior in-app

- Remove local app data in-app and/or by uninstalling the app

 

Because Cord does not require a personal-account identity, Cord may not be able to identify you unless you voluntarily provide contact details (for example, through support email).

 

9. Children's Privacy

 

Cord is not intended for children under 13, and we do not knowingly collect personal information from children under 13.

 

10. Changes to This Policy

 

We may update this policy as features and infrastructure evolve. We will update the "Last Updated" date and provide additional notice for material changes where appropriate.

 

11. Contact

 

For privacy inquiries: cordmessaging[a]protonmail.com

 

If you contact us by email, we process the information you provide to respond to your request and administer privacy/support communications.


