Pully Privacy Policy

Effective June 4, 2026

Pully is a private messenger built so that there is as little to collect as possible. You don't give us a phone number, an email address, or your real name. Your messages are end-to-end encrypted, and the keys that read them never leave your device. This policy explains, plainly, what does and does not happen with your data.

The short version: We can't read your messages, your profile card, or your photos — they're encrypted on your device with keys we never receive. We don't collect your phone number, email, or name, and we use no analytics, ads, or tracking. Our servers do see some metadata needed to deliver the service (who you're connected to, group names, who reacted, timestamps). You can delete your account and its data at any time, from inside the app.

No account identifiers

Pully has no phone numbers, emails, or passwords. When you start the app, your device generates a cryptographic identity from a 12-word recovery phrase. That phrase and the private keys derived from it are stored only in your device's secure storage (the iOS Keychain / Android Keystore) and are never sent to our servers. We see only the corresponding public keys, which are random-looking identifiers not tied to your real-world identity.

What is end-to-end encrypted (we cannot read it)

Message content — encrypted on your device for each recipient; our servers store only ciphertext.
Your profile card — your name, birthday, payment handles, and links are encrypted under a key only you and the contacts you've shared with can derive.
Photos and attachments — encrypted on your device before upload; stored as opaque ciphertext.
Your private device data — settings and contact notes are encrypted under keys derived from your recovery phrase.

What our servers can see (metadata)

To deliver messages and run the service, our servers necessarily process some information in a readable form. We keep this list honest rather than claim we see nothing:

Public keys and your Pully ID — your pseudonymous identifiers.
Your connections — which accounts you've mutually added, and which conversations or groups you belong to (the "social graph").
Group names and group profile links you set.
Reactions — which emoji you place on a message, and on which message (so the right reactions appear for everyone).
Delivery metadata — timestamps, message sizes, and your notification (push) token.
Cosmetic and delivery settings — e.g. your color theme, mute and disappearing-message preferences.
IP address — seen transiently to route your requests and to prevent spam and abuse. It appears in short-lived server logs and is not stored as part of your account.

Notifications

If you enable notifications, we send your device's push token to Expo's push service, which relays a notification to your device. Push notifications carry a generic message (e.g. "New message") — never your message content.

No analytics, ads, or tracking

Pully contains no third-party analytics, advertising, or tracking SDKs. We do not collect an advertising identifier and we do not track you across apps or websites.

Crash reports

If the app encounters an error, it may send us a diagnostic report containing the error message, a stack trace, your platform (iOS/Android), and the app version. These reports are anonymous — they carry no identity, account, or message content — and are sent only to our own servers, not a third party.

Data retention

Messages are retained on our servers for up to 30 days on the free plan; on a paid plan, messages are retained for as long as your subscription is active. Disappearing messages are deleted sooner, per the timer you set. Undelivered data is removed once delivered. Some metadata (such as your connections) persists until you remove the connection or delete your account.

Deleting your account

You can permanently delete your account from inside the app (Settings → Delete account). This removes your account and its associated data from our servers — your card, messages, connections, reactions, device tokens, and settings. Groups you created are handed to another member so they aren't destroyed for others. Because encryption keys live only on your device, any residual encrypted blobs are unreadable once your account is gone.

Infrastructure providers

We use third-party infrastructure to run the service. These providers process only the encrypted and pseudonymous data described above on our behalf — they are not given the keys to read your content:

Fly.io — application hosting and database.
Object storage — stores encrypted attachment and photo blobs.
Expo — delivers push notifications.

Children

Pully is not directed to children, and we do not knowingly collect data from children under the age required by your local law.

Security

Your private keys never leave your device. Messages and profile content are end-to-end encrypted using standard, published cryptography. Requests to our servers are cryptographically signed, so only the holder of your private key can act as you. No system is perfectly secure, but we designed Pully to minimize what could be exposed even in the worst case.

Changes to this policy

If we change this policy, we'll update the effective date above and, for material changes, surface a notice in the app.

Contact

Questions about privacy? Reach us at privacy@pully.talk.