Privacy Policy
Effective date: 9 July 2026
This Privacy Policy explains how data is processed when you use the Setfeed iOS app, Android app, website and associated services, including setfeed.app.
Setfeed is designed around data minimisation, local-first storage and client-side encryption for cloud-delivered messages wherever the relevant feature supports it.
Who we are
“Setfeed”, “we”, “us” and “our” refer to the Setfeed apps, website and services operated by Setfeed.
For privacy enquiries, data requests or account-deletion requests, contact: hello@setfeed.app.
What Setfeed is designed to do
- Allow users to schedule messages for themselves.
- Allow users to send scheduled messages to another person using a Setfeed receive code.
- Store local messages, memories, preferences and delivery state on the user’s device.
- Deliver supported messages and attachments through encrypted cloud envelopes.
- Protect the service against spam, automated abuse and unauthorised access.
Message content and encryption
Messages and supported attachments sent through Setfeed’s encrypted cloud-delivery features are encrypted on the sender’s device or in the sender’s browser before being uploaded.
Encryption keys are derived from the recipient’s Setfeed receive code. The plaintext receive code is not intentionally uploaded as part of the encrypted envelope. A cryptographic hash or lookup reference may be sent so that the service can route the encrypted envelope to the intended recipient.
For these encrypted delivery flows, Setfeed’s servers receive ciphertext and the technical metadata required to store, route and deliver it. Setfeed is not designed to have plaintext access to the standard encrypted message body or encrypted attachment.
A recipient must possess the appropriate receive code to derive the key needed to decrypt an encrypted message.
Messages scheduled only for yourself may remain stored locally on your device and may not be uploaded to Setfeed’s servers.
Data we process
The data processed depends on which Setfeed features you use. We may process the following categories.
1) Messages and user-provided content
- Message text: text you write for yourself or send to another recipient.
- Attachments: images or other supported files you deliberately select for a message or memory.
- Session content: text, images, summaries or other content created when using a Setfeed session feature.
- Support communications: information you provide when contacting us for help.
Cloud-delivered message bodies and supported attachments are encrypted before upload where the encrypted-delivery feature is used.
2) Encrypted envelope and delivery metadata
Setfeed may process metadata needed to deliver encrypted content, including:
- Encrypted ciphertext.
- Cryptographic parameters such as an initialisation vector, salt and authentication tag.
- A hashed receive-code reference.
- A message, attachment or request identifier.
- The scheduled delivery date and time.
- The user’s selected time zone.
- The message source or delivery mode.
- Attachment type, encrypted size and storage reference.
- Delivery, consumption, retry and expiry state.
- Session or participant identifiers where a session feature is used.
This metadata is used for message routing, scheduling, delivery, deduplication, expiry, retry handling and replay protection.
3) Anonymous authentication information
The mobile apps may create an anonymous Firebase authentication identity so that cloud features can operate without requiring you to provide an email address, username or password.
This may include:
- A randomly generated anonymous user identifier.
- Authentication and session tokens.
- IP address and user-agent information processed for security.
- Authentication timestamps and account status.
An anonymous identifier is still a persistent technical identifier and may be associated with cloud records created by that installation.
4) App and device integrity information
Setfeed uses Firebase App Check and platform integrity services to reduce automated abuse and unauthorised requests.
Depending on the platform, these services may include:
- iOS: Apple App Attest or another supported Apple integrity provider.
- Android: Google Play Integrity or another supported Android integrity provider.
- Web: reCAPTCHA or another supported browser integrity provider.
These services may process device or app attestation material, integrity results, short-lived App Check tokens and basic technical signals needed to verify that a request comes from an authentic app or browser environment.
5) Operational and security information
Setfeed and its infrastructure providers may generate limited operational records to provide and protect the service. These may include:
- IP address.
- Request date and time.
- Request or transaction identifier.
- App version, platform and basic device information.
- Response status, error information and rate-limit information.
- Security and abuse-prevention events.
These records are used for reliability, debugging, fraud prevention, rate limiting and security investigations.
6) Data stored locally on your device
Setfeed stores information locally so the app can function. Depending on the platform and features used, this may include:
- Scheduled and released messages.
- Inbox, Future, Awaiting, Feed and message-lifecycle state.
- Memories and locally retained attachments.
- Receive codes and related metadata.
- Saved Setfeed contacts and aliases.
- Pending encrypted-send jobs.
- Notification and delivery-time preferences.
- Theme and other app settings.
Sensitive local values, including receive codes and protected media, may be stored using platform security facilities such as the iOS Keychain or protected application files.
Setfeed contacts are contacts created inside Setfeed. The app does not need to upload your device’s system address book to provide this feature.
7) Optional permissions
Setfeed may request permission to use selected device features, including:
- Photos: to let you choose an image to attach to a message or save as a memory.
- Notifications: to notify you when an eligible message is ready.
These permissions are optional and can be changed through your device settings. Setfeed does not require notification permission for its basic scheduling features.
8) Website storage and browser technologies
The Setfeed website may use browser storage such as localStorage to remember settings, authentication state and theme preferences.
Security services such as reCAPTCHA may use cookies, browser storage or similar technologies according to the provider’s own terms and privacy practices.
How we use data
We process data to:
- Provide local and encrypted message-scheduling features.
- Store, route and deliver encrypted envelopes.
- Manage receive codes and delivery state.
- Upload and retrieve encrypted attachments.
- Prevent duplicate or replayed deliveries.
- Provide optional notifications.
- Maintain security and prevent abuse.
- Diagnose errors and maintain service reliability.
- Respond to support, privacy and legal requests.
Legal bases where applicable
Where data-protection law requires a legal basis, we generally rely on one or more of the following:
- Performance of a service: processing needed to provide the Setfeed features you request.
- Legitimate interests: maintaining security, preventing abuse, diagnosing failures and operating the service efficiently.
- Consent: for optional device permissions or where consent is otherwise required.
- Legal obligations: processing needed to comply with applicable law or valid legal requests.
What we do not do
- No third-party advertising: Setfeed does not serve third-party advertisements in the app.
- No sale of personal data: Setfeed does not sell personal information.
- No cross-app advertising tracking: Setfeed does not use message content for behavioural advertising or track users across unrelated apps and websites for advertising.
- No plaintext receive-code upload: plaintext receive codes are not intentionally uploaded as part of encrypted message delivery.
- No server-side reading of standard encrypted messages: Setfeed is not designed to read the plaintext body or attachment of standard encrypted cloud-delivery envelopes.
Service providers and sharing
Setfeed uses service providers to operate and protect the service. These providers may process data on our behalf according to their contracts and privacy terms.
Current providers may include:
- Google Firebase and Google Cloud: for anonymous authentication, database storage, cloud functions, encrypted-file storage, hosting, integrity checks and operational security.
- Apple: for iOS platform services, App Attest, App Store distribution and device permissions.
- Google: for Android platform services, Play Integrity and Google Play distribution.
Setfeed does not share personal data with advertisers. We may disclose information when reasonably necessary to:
- Comply with applicable law or a valid legal request.
- Protect users, Setfeed or the public from harm or abuse.
- Investigate fraud, security incidents or misuse.
- Complete a business reorganisation, subject to appropriate privacy protections.
International processing
Setfeed’s infrastructure providers operate internationally. Data may therefore be processed in countries other than the country where you live, including locations where Google, Apple or their service providers operate facilities.
Where required, such processing is subject to the contractual and legal safeguards provided by the relevant service provider and applicable law.
Retention
We retain data only for as long as reasonably necessary for the purposes described in this policy, including delivery, security, dispute resolution and legal compliance.
- Local data generally remains on your device until you delete it, clear the app’s data or uninstall the app.
- Encrypted envelopes and attachments are retained for the time needed to schedule, deliver, retrieve, expire or protect the relevant message.
- Anonymous authentication records may remain until the associated anonymous account is deleted.
- Operational and security logs are retained for limited periods according to operational, security and provider requirements.
- Legal records may be retained longer where required by law or needed to establish, exercise or defend legal claims.
Security
We use technical and organisational measures intended to protect data, including:
- Client-side authenticated encryption for supported messages.
- Encrypted transport using HTTPS.
- Cloud access controls and security rules.
- Platform app-integrity verification.
- Protected local application storage.
- Rate limiting and abuse-prevention controls.
No service can guarantee absolute security. Users should keep receive codes private and share them only with intended senders.
Your choices and privacy rights
Depending on your location, you may have rights relating to your personal data, including rights to request access, correction, deletion, restriction, objection or portability.
You can also:
- Remove local app data by deleting messages, clearing application storage or uninstalling the app.
- Change photo and notification permissions through your device settings.
- Regenerate or stop sharing a receive code where supported.
- Contact us to request deletion of an anonymous cloud identity and associated data that we are able to identify.
- Contact your local data-protection authority if you believe your rights have been infringed.
Because Setfeed does not require a conventional named account, we may need technical information from you to locate an anonymous identity or associated cloud record. We may also need to verify that the request relates to you before fulfilling it.
To make a privacy request, email hello@setfeed.app.
Children
Setfeed is not designed for children and is not directed to children under 13.
If you believe a child has provided personal information to Setfeed, contact hello@setfeed.app and we will take appropriate steps.
Third-party privacy information
Additional information about our principal technology providers is available from:
Changes to this policy
We may update this Privacy Policy when Setfeed’s features, service providers or legal obligations change.
When we make changes, we will publish the updated policy on this page and revise the effective date above. Material changes may also be communicated through the app or website where appropriate.
Contact
For privacy questions, data requests or complaints, contact: