Confide

Privacy Policy

Last updated: February 22, 2026

Your privacy is the reason Confide exists. We built a zero-knowledge messaging platform where your conversations are encrypted before they leave your device. This Privacy Policy explains what data we collect, how we use it, how we protect it, and what rights you have. It applies to all Confide services, including confide.gg, our desktop and mobile applications, and any related services.

Data Controller

The data controller responsible for processing your personal data is:

Kevin Peil
c/o MDC Management#848
Welserstraße 3
87463 Dietmannsried
Germany

For all privacy-related inquiries, data subject requests, or complaints, contact: privacy@confide.gg

Our Privacy Principles

Confide is designed around a simple principle: we should not have access to your private communications. Every technical and architectural decision we make is guided by this goal. We use post-quantum end-to-end encryption so that only the intended recipients can read messages, hear calls, or view files. We collect the absolute minimum data required to operate the Service, and we never monetize your data through advertising, profiling, or data sales.

What We Collect

We collect only what is strictly necessary to provide and maintain the Service:

  • Account data: username, email address, and hashed password. Your password is hashed using industry-standard algorithms and cannot be reversed or read by us.
  • Profile data: optional display name, status, about text, and avatar. This data is only collected if you choose to provide it.
  • Membership metadata: account creation timestamp, guild memberships, and role assignments. This is necessary for the Service to function.
  • Server logs: IP addresses, request timestamps, and basic request metadata. These logs are used exclusively for security monitoring and abuse prevention, and are automatically and permanently deleted after 14 days.
  • Encrypted content: the server stores encrypted ciphertext (messages, files, call signaling data) that it cannot decrypt. This data is stored solely to deliver it to intended recipients and is not accessible to Confide in any readable form.

What We Do Not Collect

Confide is a zero-knowledge service by design. We do not collect, store, or have access to:

  • Plaintext message content, voice or video call audio/video, or decrypted file contents
  • Biometric data of any kind
  • Analytics, behavioral tracking, or usage profiling data
  • Advertising identifiers or marketing pixels
  • Location data (beyond what is inherent in IP addresses in server logs)
  • Contact lists or address books from your device
  • Any form of content scanning, fingerprinting, or profiling

How We Use Your Data

The data we collect is used for the following purposes and no others:

  • Providing the Service: authenticating your account, delivering encrypted messages, managing guild memberships, and displaying your profile to other users
  • Security and abuse prevention: detecting and preventing unauthorized access, denial-of-service attacks, spam, and other forms of abuse through server log analysis
  • Service communications: sending you critical account notifications such as password reset emails, security alerts, and legally required notices about changes to these terms

We do not use your data for advertising, profiling, automated decision-making, or any purpose other than those listed above.

Cookies

We use a single, strictly necessary authentication cookie to keep you signed in to the Service. This cookie contains only a session identifier and does not track your activity across websites.

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies. No cookie consent banner is required because we exclusively use strictly necessary cookies as defined under Art. 5(3) of the ePrivacy Directive (2002/58/EC).

Legal Basis for Processing (Art. 6 GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): processing your account data, profile data, and membership metadata is necessary to provide the Service you signed up for
  • Legitimate interest (Art. 6(1)(f) GDPR): server logs are processed for security monitoring, abuse prevention, and maintaining the integrity of our infrastructure. These logs are retained for a maximum of 14 days, which we consider proportionate to the security interest pursued
  • Legal obligation (Art. 6(1)(c) GDPR): we may process data when required to comply with applicable law or valid legal process

Third-Party Processors

We share data only with the following processors, each bound by data processing agreements:

  • Hetzner Online GmbH (Germany): server infrastructure and data storage. All data remains within the European Union. Hetzner is subject to German data protection law.
  • Cloudflare, Inc. (USA): DDoS protection, DNS, and content delivery. Certified under the EU-U.S. Data Privacy Framework with Standard Contractual Clauses in place. Only transient network metadata (IP addresses, request headers) is processed.
  • Klipy (USA): GIF search and delivery. When you use the GIF feature, your IP address and search queries are processed by Klipy under the EU-U.S. Data Privacy Framework. GIF searches are optional and only triggered by your explicit action.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any parties not listed above. We will update this list if we add new processors and notify users accordingly.

International Data Transfers

Your data is primarily stored within the European Union on Hetzner infrastructure in Germany. Where data is transferred to processors in the United States (Cloudflare, Klipy), it is safeguarded by:

  • The EU-U.S. Data Privacy Framework (adequacy decision by the European Commission)
  • Standard Contractual Clauses under Art. 46(2)(c) GDPR as an additional safeguard

We regularly assess whether the legal frameworks in recipient countries provide adequate protection for your data.

Data Retention

We retain your data only for as long as necessary:

  • Account and profile data: retained for as long as your account is active
  • Server logs: automatically and permanently deleted after 14 days
  • Encrypted content: retained until deleted by users or until account deletion
  • Account deletion: when you delete your account, all associated personal data is permanently erased within 30 days. This includes your account data, profile data, membership metadata, and any encrypted content stored on our servers

Your Rights

Under the General Data Protection Regulation (GDPR) and regardless of where you are located, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18): request that we limit the processing of your data
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, and machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interest at any time
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing

To exercise any of these rights, email privacy@confide.gg. We will respond to your request within 30 days. If we need more time due to the complexity of your request, we will inform you of the extension and the reasons for it.

You also have the right to lodge a complaint with your local data protection authority. The competent supervisory authority in Germany can be identified at bfdi.bund.de.

Law Enforcement and Disclosure

We may disclose limited metadata (account registration information, IP addresses from server logs, guild membership data) when required by valid legal process issued by a court of competent jurisdiction, or when necessary to prevent an imminent threat to life.

We are technically unable to disclose message content, voice call data, or shared files because they are end-to-end encrypted and we do not hold the decryption keys. Any legal request for encrypted content will be responded to with a statement of technical inability.

Where permitted by law, we will make reasonable efforts to notify affected users of legal requests concerning their data before disclosure.

Security Measures

We implement multiple layers of security to protect your data:

  • Post-quantum end-to-end encryption: all messages, calls, and files are encrypted on your device before transmission using cryptographic algorithms designed to resist both classical and quantum computing attacks
  • Transport encryption: all connections to Confide servers are secured via TLS
  • Password security: passwords are hashed using industry-standard algorithms and are never stored in plaintext
  • EU infrastructure: primary data storage is hosted within the European Union
  • Data minimization: we collect and store only the minimum data required to operate the Service

While no system can guarantee absolute security, our zero-knowledge architecture means that even in the event of a server breach, your message content remains protected by encryption that we cannot break.

Children

Confide is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will promptly delete their account and all associated data. If you believe a child under 16 has created an account, please contact us immediately at privacy@confide.gg.

Self-Hosted Instances

This Privacy Policy applies only to the official Confide service operated at confide.gg. If you connect to a self-hosted Confide instance operated by a third party, that operator is the data controller for that instance. We have no access to, control over, or responsibility for data processed by self-hosted instances. Review the operator's own privacy policy before using their instance.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to you via the application or your registered email address at least 30 days before they take effect. The "Last updated" date at the top of this page will be revised accordingly.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at privacy@confide.gg.

← Back to home