In order to send messages to the right people, Signalboost needs to store a list of the phone numbers of admins and subscribers for each channel. The maintainers of Signalboost retain and delete that information on our servers according to the policies described below. We work hard to protect your data as much as possible, but ultimately you are your own best privacy defender.
The purpose of this policy is to provide as much transparency as we can to empower you to make a well-informed decision on your own digital safety needs.
Data we do not store
Signalboost does *not* store the following data about our users:
- Contents of messages sent by users 
- Individual usage statistics
- Names of users
- IP Addresses
- Financial information about users
- Data tying users to other services or accounts
 In order to relay encrypted messages from senders to recipients, Signalboost momentarily decrypts the contents of messages from senders then re-encrypts them to their intended recipients. This means the contents of messages exist unencrypted or "cleartext" for a matter of milliseconds on our servers, and then are deleted.
Data we do store
Signalboost *does* store (and tries to delete as often as possible) the following data:
We store lists of which phone numbers are subscribed to each Signalboost channel so that when an admin sends a message to the channel, Signalboost knows which subscribers to which it is supposed broadcast the message. We also temporarily store the phone numbers of subscribers who send "hotline messages" to the channel so that admins can respond to them without seeing the sender's phone number. In detail, our database stores:
- Lists of which phone numbers are admins or subscribers of which channel (DELETED when user unsubscribes from the channel or when channel is destroyed by admin, or when the channel is automatically destroyed due to inactivity)
- Lists of which phone numbers have invited which other phone numbers to join a channel (deleted once invite is accepted, declined, or 2 weeks have passed -- whichever is shorter)
- Lists of which phone numbers have sent an incoming "hotline message" to which channels (used to route anonymous replies to hotline messages, deleted 1 week after last hotline message from a given number is sent)
- Lists of which phone numbers have mistakenly sent SMS numbers to a channel instead of using signal. We do this to prevent users from sending us thousands of SMS messages, which cost money to receive. (DELETED after 4 weeks)
- Lists of the hashed/salted phone numbers of any users who have been banned from a channel for abusive behavior. (Never deleted.)
We regularly delete as much data as we can as often as possible and afford users the ability to delete their own data whenever they want without any assistance from us.
- Every hour, Signalboost automatically deletes all channels that have not been used in the last week. Channel admins receive a notification giving them 24 hours to redeem the channel. If they do not respond, they system deletes all data associated with the channel -- including admin and subscriber phone numbers, records of memberhip on the channel, lists of invites, hotline messages, and the phone number registration.
- At any time, channel admins can completely and immediately destroy all data associated with their channel by issuing a "DESTROY" command to their channel. As with the automatic deletion script, all data associated with the channel is deleted.
- Every hour, we delete:
- All hotline message sender records older than 3 days
- All invite records older than 1 week
- All incoming sms sender records older than 4 weeks
 For more details on our deletion protocol, please contact us.
We pledge never to share any of the above metadata with any private third party for any purpose. We will never voluntarily give user data to law enforcement officers, and will follow rigorous transparent protocols (documented in our "Legal Inquiry Policy") when responding to valid legal inquiries to ensure that our users receive every protection we are legally capable of giving them.
The phone number used to broadcast out messages and act as a hotline is registered by us via Twilio.
We use that phone number one time only: to receive an authentication code via SMS to register an channel's phone number as a valid account with the Signal messaging service. Once the number has been registered, we pay a monthly fee to maintain the sole users of that phone number, so that nobody can hijack the Signal account. However, that is the sole extent of the application's interaction with the service. Twilio does not log or have acccess to message contents routed through Signalboost, nor any metadata about when that phone number is used when as an id for routing messages within Signalboost.
Signalboost hosts data on servers maintained by movement-friendly, GDPR-compliant service providers based in Iceland and the Netherlands.
We use Stripe, Venmo, and BTC to process credit card payments. The Signalboost maintainers have access to these accounts and can view their payment history. We respect the privacy of our donors and will use the minimum necessary information from these accounts to use donations to fund costs (servers, etc) associated with the project.
Responding to Government Requests for Information
In the case of a law enforcement inquiry, we will insist on a valid, well-scoped warrant, court order, or subpeona before surrendering any data about our users. We reserve right to review and mount a legal challenge to the scope and validity of any request.
If we receive a request to surrender information that is found to be valid and well-scoped, we will attempt to give direct notice to our users to give them a chance to defend themselves before surrendering such information.
Unless we are constrained from doing so by a court-issued gag order, we will inform the affected user of the legal request via Signal message, provide a reasonable waiting period to allow users to challenge the request, and refrain from surrendering any data until a user-mounted legal challenge concludes. In all cases, we will publish a redacted version of the legal proceedings on our website.
Responding to Gag Orders
We might be legally constrained from immediately informing our users and the public of a legal inquiry by a court-issued gag order.
If we receive a gag order accompanying any government request for information, we will attempt where possible to challenge the gag order in court and provide direct notice to our affected users as decribed above. If we are compelled to comply with the gag order, we will seek to both directly notify our users and publish the legal proceedings as soon as legally permitted.
Pledge to not sell out our users
We pledge to never actively "sell out" our users. To us that means that we will:
- Never knowingly allow any of our users to use Signalboost to conduct surveillance of other users.
- Never willingly modify our software to enable it to conduct surveillance of our users.
- Never transmit user data to any private third party -- unless it is at the direction of or with the explicitly-granted consent of the user whose data is being shared.
- Never voluntarily surrender any data to law enforcement agencies without first attempting to take the steps outlined above.
This website does not log or store the IP addresses of people who visit it.
- Hotline: +1-947-800-5717
- Email: firstname.lastname@example.org (or, if you prefer old-school: email@example.com + PGP).
We consulted the following guides in drafting our legal inquiry policy: