Privacy Policy
1. What CIRCE is (and is not)
CIRCE — Cryptographic IRC Environment — is an open-source, decentralized, peer-to-peer chat platform with end-to-end OpenPGP/GPG encryption. The "Crypto" in the name refers to cryptography. CIRCE is not a cryptocurrency, token, wallet, exchange, or any kind of financial product.
You may use CIRCE through:
- The hosted web client at circe.sp5.io
- An open-source CIRCE relay you or someone else self-hosts
- Native iOS / Android apps built from the same source
- The Tor onion service (when configured by your relay operator)
2. Data we do not collect
The CIRCE project (the maintainers of the source code and operators of the reference relay at
circe.sp5.io) does not:
- Require an email address, phone number, real name, or any personally identifying information.
- Run analytics, fingerprinting, or behavioural tracking of any kind. There are no third-party analytics SDKs, no advertising networks, no Google Analytics, no Cloudflare Web Analytics, no Sentry, no LogRocket, no Mixpanel.
- Store the contents of your messages on any server, in any form, encrypted or otherwise, beyond the brief in-memory buffering required to deliver them to recipients who are currently offline.
- Share, sell, license, broker, monetize, or otherwise transfer any user information to any third party. We do not have any user information to share.
- Use cookies for tracking. The web client uses
localStoragefor your own device-local settings and key material; nothing is sent to any server.
3. Data stored on your device
The following items are stored only on your device, in your browser's
localStorage / IndexedDB or in the native app's secure storage:
| Item | Stored where | Purpose |
|---|---|---|
| Your OpenPGP key pair | Device only | End-to-end encryption |
| Nickname & display preferences | Device only | UI personalization |
| Channel/contact list | Device only | Reconnect to your channels |
| Message history (decrypted) | Device only, optional | Local scrollback |
| Theme, audio levels, voice settings | Device only | UI personalization |
You can wipe everything at any time by clearing site data in your browser, or uninstalling the native app. Doing so will also delete your private key — you can no longer decrypt past messages without it. Export your key first if you want to retain history.
4. Data in transit
All connections to a CIRCE relay use TLS (HTTPS / WSS). All messages, file transfers, and media inside a channel or DM are additionally encrypted end-to-end with OpenPGP — the relay cannot read them. The relay sees only:
- The IP address you connect from (this is unavoidable for any internet service; if this concerns you, use the Tor onion entrypoint or connect through a VPN).
- Approximate message timing and size, and which channels you are joined to (necessary to route encrypted messages).
- Your chosen public nickname and your OpenPGP public key (these are by design public to everyone in your channels).
The relay never sees: message contents, file contents, voice audio, your private key, your contacts outside the channels you have joined, your real name, or your email.
5. Relay operators
CIRCE is federated. When you connect to a relay you do not operate yourself, that relay
operator is the data controller for the metadata listed in §4. Different relays may have
different operational logging policies. The reference relay at circe.sp5.io:
- Logs only operational error/security events (failed authentication, malformed packets, rate-limit hits) for short-term abuse prevention. These logs do not include message contents or the contents of your traffic.
- Does not retain message history server-side beyond the in-memory offline buffer (configurable, currently capped at 10,000 envelopes total across all users).
- Does not share logs with any third party except where compelled by valid legal process, and would publish a transparency report if such a request were ever received.
If you self-host a relay, you control its policy.
6. Native app permissions
The CIRCE iOS and Android apps may request the following system permissions. Each is used only for the stated purpose and only when you explicitly invoke a feature that needs it:
| Permission | Used for |
|---|---|
| Microphone | Voice channels (WebRTC peer-to-peer audio). Audio is encrypted with DTLS-SRTP and never sent to the relay. |
| Camera (optional) | QR-code scanning for nickname/key exchange. Frames are not stored or transmitted. |
| Photos / Files | Choosing files to send. Files are encrypted on your device before upload. |
| Notifications (local only) | Local in-app notifications for incoming messages while CIRCE is open. CIRCE does not register your device with Apple Push Notification service or Firebase Cloud Messaging. |
| Background audio | Keep voice channels alive when the app is backgrounded during a call. |
7. Third-party services
The hosted web client uses the following third-party services for delivery only:
- Cloudflare — TLS termination and DDoS protection in front of the relay. Cloudflare receives your IP address and standard HTTP request metadata. See Cloudflare's privacy policy. Self-hosted relays do not need to use Cloudflare.
- Google Fonts — the Inter and JetBrains Mono fonts are loaded from
fonts.googleapis.com. We are migrating to self-hosted fonts in a future release. Until then, font requests reach Google. See Google's privacy policy.
Native app builds bundle the fonts locally and do not contact Google. The native app contacts only the relay you are connected to and (if voice is in use) the WebRTC peers in your call.
8. Children
CIRCE is not directed at children under 13. The hosted relay imposes no age verification because it has no information about its users — but you should not use CIRCE if you are under 13, or under the digital-consent age of your jurisdiction (16 in much of the EU).
9. Changes to this policy
If this policy changes substantively we will update the "Last updated" date at the top, note the change in the project CHANGELOG, and announce it on the homepage. The full edit history is public in the git history of this file.
10. Contact
Questions about this policy or about CIRCE's privacy posture: open an issue at github.com/subinacls/CIRCE/issues. For private security disclosures, see SECURITY.md.