blue_ghost logo

blue_ghost

privacy policy

Zero‑Data Philosophy

blue_ghost collects, stores, transmits, and retains no personal data whatsoever. This is not a policy promise — it is a technical constraint enforced by the Android permission sandbox. The app has no INTERNET permission, cannot open network sockets, and transmits only encrypted message payloads and handshake data over Bluetooth. No plaintext, identifiers, or auxiliary metadata ever leave the device.

What We Collect

Nothing. blue_ghost does not collect:

What Is Stored

Session cryptographic material — root key, chain keys, message keys, ratchet state, and message history — is held in memory only and destroyed during the Seal Ceremony when a session ends.

A small amount of non-sensitive preference data is stored locally in SharedPreferences: peer display names, avatar seeds, peer descriptions, and UI settings (theme, notification level). This data never leaves the device and contains no message content or cryptographic secrets.

Permissions

blue_ghost requests only the minimum permissions required:

BLUETOOTH_SCAN Device discovery. Uses neverForLocation flag on Android 12+ — no location permission needed.
BLUETOOTH_ADVERTISE Makes the device visible to other blue_ghost users nearby.
BLUETOOTH_CONNECT Establishes encrypted GATT connections for messaging.
ACCESS_FINE_LOCATION Required by Android 11 and below for BLE scanning only. GPS is never accessed.
FOREGROUND_SERVICE Keeps the active chat session alive when the app is minimised.
POST_NOTIFICATIONS Delivers silent or stealth-mode new-message alerts. Message content is never shown.

The app does not request: INTERNET, storage read/write, camera, microphone, contacts, or background network access.

Third‑Party Services

blue_ghost uses no third‑party services of any kind — no analytics SDKs, no crash reporting, no advertising frameworks, no cloud messaging, no remote configuration, no telemetry.