Privacy Policy

Effective date: 2026-04-24 · Last updated: 2026-04-24

SoliloQ (“we”, “us”, “the app”) is an anonymous text-posting application. We designed it so that your identity is never exposed through the product. This policy explains what we collect, why, how long we keep it, and how you can request it be deleted.

If anything here changes, we will update the “Last updated” date above and — when the change is material — surface a one-time notice inside the app.

TL;DR

No username, display name, avatar, or profile page exists. Other users cannot see who authored a post or sent a message.
We store the minimum data required to run the service: an opaque user ID, your posts and inbox messages, which tags you blocked, your push token (if you enable push), and anonymized crash diagnostics.
We do not sell data. We do not run third-party advertising SDKs.
You can delete your account in Settings → Delete Account. That wipes your posts, messages, resonances, and settings.

1. Who we are

The app is operated by the SoliloQ maintainers. For privacy questions or deletion requests, email support@soliloq.app.

2. What we collect

We split collection into three buckets:

2a. Identity (required for sign-in)

When you sign in with Sign in with Apple or Sign in with Google, the provider returns an opaque account identifier. We store that identifier so we can recognize you on subsequent logins.

We do not store your real name.
We do not store your email address unless Apple or Google returns one we need for account recovery; when we do, it is used only for that purpose.
The opaque identifier is never shown to other users and never attached to your posts or messages.

2b. Service content (the things you type)

Posts — the text body, tags (1–3), and visibility (public / private). Created_at and updated_at timestamps.
Messages — anonymous one-way messages you send to other users’ public posts, and those sent to you. The sender identity is never exposed through our API.
Resonances — the posts you “resonate” with.
Blocked tags and senders — your personal filters.
Reports — posts or messages you flagged for moderation review.

2c. Technical data (required to operate)

Device push token (FCM) — only if you opt in to push notifications. Used to deliver a push when you receive a new message or when a post you authored receives a resonance. Removed when you sign out or disable push.
Crash diagnostics (Firebase Crashlytics) — stack traces and anonymized device info (model, OS version). Contains no content from your posts or messages.
IP address — visible to our API for rate limiting and abuse prevention. Not stored with your posts or messages. Proxied through Cloudflare; see section 6.

3. What we do NOT collect

Location, contacts, photos, microphone, camera, or calendar data.
Advertising identifiers (IDFA, GAID) — we have no ad SDKs.
Cross-site trackers. The mobile app has no embedded web views that load third-party scripts.
Health data. Financial data.

4. How we use the data

Deliver posts, messages, resonances, and the feed.
Run the anonymous-messaging content filter (a server-side toxicity classifier) so authors don’t receive harmful messages.
Rate-limit abusive clients.
Send push notifications when you opt in.
Debug crashes you (or other users) encounter.

We do not use your content to train models. We do not sell data to any third party.

5. Anonymity and the messaging model

Messages are one-way by design. When someone messages your post, the API does not expose who sent it. If the sender’s message is flagged by our content filter, the sender sees a normal “sent” confirmation and the message is silently dropped — so neither reporting nor filter-evasion reveals the author’s identity.

Reports are processed by the moderation system without ever linking back to a sender in a user-visible way.

6. Third-party processors

The app uses a small number of subprocessors. All are bound by their own privacy policies:

Vendor	Purpose
Apple	Sign in with Apple (iOS + cross-platform)
Google Firebase	Cloud Messaging (push), Crashlytics (crash reports)
Google Identity	Sign in with Google
Hetzner Cloud (EU / Finland)	Hosting for the API, database, and search
Cloudflare	DNS, CDN, DDoS / WAF, static hosting for this site

Analytics SDKs, advertising SDKs, and cross-device tracking services are not used.

7. Where data is stored

Primary database (Postgres), cache (Redis), and search index (Meilisearch) run on a single Hetzner Cloud VPS. Encrypted backups are retained on the same VPS for up to seven days.

Push tokens are synced to Firebase Cloud Messaging. Crash diagnostics go to Firebase Crashlytics.

8. How long we keep it

Data	Retention
Posts, messages, resonances	Until you delete them or the account
Messages soft-deleted by recipient	30 days, then hard-deleted
Push token	While push is enabled; deleted on sign-out
Crash reports	90 days (Crashlytics default)
Rate-limit counters	In-memory only; cleared on restart
Database backups	7 days rolling

When you delete your account, we immediately remove your posts, messages you authored, resonances, settings, and blocked-tag lists. Backups rotate off within 7 days.

9. Your rights

You can, at any time:

Access your data: the app exposes your posts, messages, and settings through the UI.
Correct your data: edit posts and settings from within the app.
Delete your data: Settings → Delete Account removes your account and associated content.
Withdraw consent to push: disable notifications in Settings or OS settings.
Ask a human: email support@soliloq.app for anything the app doesn’t let you do directly.

If you live in the EU / UK, you also have the right to lodge a complaint with your local data protection authority.

10. Children

SoliloQ is rated 17+ on the App Store and follows Google Play’s equivalent category. The app is not intended for children under 13 (or under 16 where required by local law). If we learn we have collected data from a child below that age without parental consent, we will delete it.

11. Security

We use TLS (via Cloudflare) for transport, signed authentication tokens, bcrypt for any password-based secrets, server-side content filtering, and strict rate limiting. No system is perfectly secure; if we become aware of a breach affecting you, we will notify you promptly through the app and via the email you authenticated with (if any).

12. Changes to this policy

If we make a material change, we will update the “Last updated” date at the top and show a one-time in-app notice before the new version takes effect.

13. Contact

Privacy questions, access requests, deletion requests:

support@soliloq.app