Privacy Policy
GhostCode
Moonsail Software LLC
Last updated: June 4, 2026
This Privacy Policy explains how GhostCode ("the App", "we", "us") collects, uses, and protects your information.
1. No Account Required
GhostCode does not require an account, login, email address, or registration of any kind. Our own backend identifies an app install only through a random app-instance identifier generated on-device, not through a name, email address, or account profile.
2. Information We Collect
Message Content and Encryption Keys
Your message plaintext and saved encryption keys never leave your device. All encryption and decryption happens locally. We never receive, store, or have access to your plaintext or your keys.
Verification Backend Data for Protected QR
Creating, finalizing, opening, revoking, or claiming rewarded grants for a Protected QR requires a network request to our Verification Backend. Your message plaintext and your final encryption key are not sent to the backend. The backend does process and store a limited set of server-side records needed to enforce quotas, verify attestation, prevent abuse, and support protected-message behavior.
- App-instance identifier (`appInstanceId`) — a random identifier generated on-device and used to bind message creation, quotas, rewarded grants, and Ghost Mode entitlement state to the current app install.
- Challenge state — operation type, issue time, expiry time, consumed time, and environment for short-lived single-use challenges.
- Protected message state — message ID, creator app-instance ID, creator revocation public key, encrypted server-side message component (`fMsg`), one-time server key contribution, canonical payload digest, payload byte count, variant flags, timestamps, message status, and optional expiry/revocation state.
- Attestation data — Google Play Integrity or Apple App Attest tokens submitted by the app for verification, short-lived token-hash replay records, and for iOS App Attest: key ID, app-instance ID, team ID, bundle ID, public key, sign counter, receipt, and verification timestamps.
- Decrypt authorization and anti-abuse state — single-use decrypt authorization records, payload digest checks, rate-limit / throttle counters, cooldown windows, and short-retention audit events recording reason codes and outcomes.
- Ghost Mode entitlement state — app-instance ID, entitlement tier (`free` or `premium`), last update time, and expiration time when applicable.
- Cloud Run request and diagnostic logs — request ID, route path, status, timing, event names, reason codes, and when relevant the associated app-instance ID or message ID. For abuse detection and coarse network throttling, we may also log source IP address or a coarse network-derived signal.
These backend records exist to operate Protected QR features, enforce per-device quotas, prevent replay and fraud, verify app authenticity, and support creator-controlled revocation. They do not include your plaintext message or your final decryption key.
Pixel Ghosting (Photo Carrier)
Pixel Ghosting is GhostCode's photo carrier: an alternative to a QR code that uses a JPEG image as the carrier for your encrypted Secret. Whenever you create a message using Pixel Ghosting, the following additional data is sent to and stored on our Verification Backend:
- Retained encrypted payload (`retainedProtectedPayload`) — the encrypted Secret data (ciphertext only; your readable Secret and Key remain on your device and are never transmitted). This is stored by the backend for the duration of the message lifetime, which ends at expiry, revocation, or data deletion.
- Embedded image identifier — a token-derived numeric identifier encoded in the JPEG image. This identifier is openly detectable by compatible software and can be removed from or copied to another image. It is not a secret steganographic carrier. We log only a one-way SHA-256 digest of this identifier for correlation; the raw identifier is never placed in request URLs or server logs.
Pixel Ghosting does not prove that the cover image is original, authentic, or unmodified. Expiry, creator revocation, and data deletion remove the retained encrypted payload immediately when invoked; they are not subject to a TTL delay. Using the Delete My Data action in Settings deletes Pixel Ghosting retained payloads along with all other backend records for your app instance.
Analytics and Crash Reporting
The App uses Google Firebase Analytics to collect app usage events such as screen views, feature interactions, and other product-interaction telemetry, and Firebase Crashlytics to collect crash reports, performance diagnostics, device state, and technical error context. Firebase may also collect identifiers such as Firebase Installation identifiers, device information, and IP address. This data is used to understand how the App is used and to improve reliability and performance. This collection is governed by Google's privacy policy.
Subscriptions and In-App Purchases
Ghost Mode subscriptions and other in-app purchases are processed by Google Play (Android) or the App Store (iOS). We do not receive your full payment card details. The App also uses RevenueCat to manage subscription status and restoration across platforms. RevenueCat receives and processes subscription lifecycle events and app user identifiers; in GhostCode, the RevenueCat app user ID is the on-device app-instance identifier. Our Verification Backend may also receive purchase tokens, App Store transaction JWS payloads, RevenueCat webhook events, entitlement identifiers, expiration timestamps, and the resulting entitlement state needed to confirm whether the current app instance has Ghost Mode access.
3. Permissions
The App requests only the permissions necessary to function:
- Camera — required to scan QR codes.
- Storage / Photo Library — required to read and save cover images for Pixel Ghosting.
- Biometric / Device Credentials — optional, used only if you enable the app lock feature. Biometric data is processed entirely by the operating system and never leaves your device.
- Internet — required for Protected QR and Pixel Ghosting operations (Verification Backend), analytics and crash reporting, and subscription and entitlement checks.
4. App Lock
App lock is a local, device-at-rest protection feature. Your PIN or biometric unlock is processed entirely on-device by the operating system. No unlock material, password verifier, or wrapped secret is ever transmitted to our servers or any third party. App lock does not provide account recovery — if you forget your PIN and have no biometric fallback, local protected data cannot be recovered.
5. Third-Party Services
Google Play Integrity API / Apple App Attest — used to verify the authenticity of the App and device before allowing Protected QR operations. Privacy policy: policies.google.com/privacy / apple.com/legal/privacy
Google Firebase Analytics & Crashlytics — collects usage, diagnostics, and crash data to help us improve the App. Privacy policy: policies.google.com/privacy
RevenueCat — manages subscription / entitlement state and receives subscription lifecycle events and app user identifiers used for purchase restoration and Ghost Mode access management. Privacy policy: revenuecat.com/privacy
Google Play Billing / Apple App Store — processes in-app purchases. Privacy policy: policies.google.com/privacy / apple.com/legal/privacy
6. Data Retention and Deletion
Message content and encryption keys are stored locally on your device only. Uninstalling the App removes all locally stored data. We have no copy of this data and cannot delete or recover it on your behalf.
Many Verification Backend records are short-lived by design. Challenge records expire after minutes. Replay-prevention, rewarded-grant, and similar anti-abuse records expire after hours to days. Some protected-message records, revocation state, and entitlement records may persist longer because they are required for the feature to continue working. Cloud Run logs, Firebase records, store purchase records, and RevenueCat records are retained according to those providers' own retention settings and policies.
For Pixel Ghosting messages, the retained encrypted payload is stored for the message lifetime and removed immediately upon expiry (Self-Destruct), creator revocation, or a Delete My Data request, whichever occurs first. These events trigger immediate deletion rather than a background TTL sweep. The in-app Delete My Data action removes all Pixel Ghosting retained payloads associated with your app instance along with all other backend records.
7. Children's Privacy
The App is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through the App, please contact us and we will take appropriate action.
8. Your Rights
Because GhostCode does not require an account, we usually cannot verify identity through a traditional user profile. However, we and our service providers may still hold pseudonymous records tied to an app-instance ID, device identifier, purchase token, or provider-managed installation ID. For data collected by third-party services such as Firebase, app stores, or RevenueCat, you may need to use those providers' own controls or your device settings.
If you are located in the European Economic Area or California, you may have additional rights under GDPR or CCPA. Contact us at the address below to exercise those rights.
9. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the App after any changes constitutes acceptance of the updated policy.
10. Contact
If you have questions about this Privacy Policy, please contact us at:
[email protected]