The short version
Hush is a peer-to-peer, end-to-end encrypted messenger. Your messages, media, and contacts live only on your device and travel directly between you and the people you talk to. Our servers never see, store, or have the ability to read them. The only thing we keep is a small public directory so friends can find you by your ID.
Scope
This policy explains what data Hush and its supporting infrastructure handle, how, and why. It applies to the Hush mobile app and the connection services that make peer-to-peer messaging possible.
What we store on our servers Minimal
To let people add each other by a shareable ID, we keep a small public identity directory. For each account, that is:
๐
Account IDA random identifier generated on your device. It is also your shareable contact ID / QR code.
๐ค
UsernameThe display name you choose. You can change it at any time.
๐ผ๏ธ
Profile pictureOptional. Only stored if you set one.
That's the complete list. We do not store your messages, media, contacts, group members, reactions, presence, IP-based location, or any behavioral/advertising profile.
What never leaves your device Never uploaded
The following stay on your phone and are additionally encrypted at rest (AES-256-GCM, with a key derived from your on-device identity key):
- Messages and their content โ text, reactions, edits, replies.
- Photos, videos, files, and GIFs you send or receive.
- Your contacts and groups.
- Your private encryption key โ it is generated on your device and never transmitted.
- App settings.
Uninstalling the app, or deleting your account from within it, removes this local data from the device.
How your messages travel
Messages are sent directly, peer-to-peer, over an encrypted WebRTC channel โ not through our servers. They are end-to-end encrypted: keys are exchanged using X25519 and content is sealed with AES-256-GCM, so only you and the recipient can read them.
๐ก
Signaling serverIntroduces two devices so they can open a direct connection. It briefly sees which account IDs are connecting, but it cannot read message content and does not store conversations.
๐
STUN / TURN relayHelps devices reach each other across firewalls/NAT. If a direct link isn't possible, encrypted packets may be relayed through TURN โ but they remain end-to-end encrypted, so the relay cannot read them.
Self-destructing messages
Hush supports confidential, self-destructing messages that are wiped from the device after they're read. Because delivery is peer-to-peer and content is never stored on our servers, there is nothing on our side to expire โ it simply disappears locally.
Third-party services
- GIF search โ when you search for a GIF, your search terms are sent to your chosen third-party GIF provider (Klipy or Giphy) to return results. No message content or identity is shared.
Notifications are shown on your device by the app itself when a message arrives over your peer connection โ Hush uses no external push service (no Firebase / FCM).
Permissions the app may request
๐ท
CameraTo scan a contact's QR code, and to take photos/videos you choose to send.
๐ผ๏ธ
Photos & filesOnly to attach media you explicitly pick.
๐
NotificationsTo alert you to new messages โ shown locally by the app, with no external push service.
๐
Background / batteryTo keep the peer connection alive so messages arrive reliably.
Data retention & deletion
- Directory entry โ kept while your account exists. Deleting your account removes your ID, username and avatar from our directory.
- On-device data โ removed when you delete your account in-app or uninstall Hush.
- Deleting a conversation removes it from your device only. Your contact keeps their own copy unless they delete it too.
- Deleting an individual message you sent also removes it from your contact's device โ the deletion is delivered to them the next time they're online.
What we never do
- No ads and no advertising identifiers.
- No analytics or behavioral tracking.
- No selling or sharing of personal data.
- No read receipts, and no reading of your messages โ we technically can't.
Children
Hush is not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect data from children.
Changes to this policy
If this policy changes, we'll update this page and revise the "last updated" date above. Material changes will be reflected here before they take effect.