Privacy Policy

Last updated: April 2026

Overview

This Privacy Policy describes how data is collected, used, and shared when you use Senden and its related services, including all subdomains of senden.chat (the "Service").

  • Senden is a pro-privacy service built on Swiss values
  • All data is stored exclusively on servers located in Switzerland. No personal data, messages, or files ever permanently reside outside of Switzerland.
  • Servers in other countries (such as edge nodes used for lower latency or voice/video relay) act as pure transit proxies. They do not retain any data, messages, files, or logs. All data is flushed immediately to Swiss storage upon delivery.
  • We do not sell, rent, or share your data with any third parties
  • We enforce secure protocols, strong firewalls, and 2FA without SMS recovery on all internal systems and operator accounts that supply Senden.
  • Senden is independently operated and has never accepted venture capital, investor funding, or any outside equity stake. We will never sell the company or your data to a third party.

Swiss Privacy Protections

Senden is governed by Swiss federal law, including the Swiss Federal Act on Data Protection (nFADP / revDSG). Switzerland is not a member of the EU or NATO and does not participate in mass surveillance programs such as PRISM, XKeyscore, or similar frameworks. Under Swiss law:

  • We cannot be required to undermine end-to-end encryption or install backdoors into our encryption architecture. Swiss law does not compel providers to break encryption they do not hold the keys to.
  • Any cooperation with law enforcement is lawful, targeted, and requires a formal Swiss court order. We do not voluntarily hand over data. When legally compelled, the scope is limited to what we actually hold, we cannot provide what we do not have.
  • Foreign governments cannot directly demand user data. All foreign law enforcement requests must go through official Swiss mutual legal assistance treaty (MLAT) channels and be approved by Swiss courts.
  • Switzerland has no equivalent to US National Security Letters or similar instruments that carry secret gag orders. We can and do legally notify users of requests and update our warrant canary.
  • We do not profile users, build behavioral models, or use your data for advertising
  • We do not use your data to train AI or machine learning models
  • We do not share data with data brokers or analytics platforms
  • We do not disclose any data except when legally obligated

Warrant Canary

As of the date of this privacy policy, no warrants have been served, no searches or seizures have taken place, no backdoors have been implemented or requested, and no data has been disclosed.

Independence & Ownership

Senden has never accepted venture capital, investor funding, or any outside equity stake, and we have no intention of ever doing so. There are no investors, no board seats, and no stakeholders with financial interest in the company other than its founders. Your data is not an asset that can be acquired, sold, or transferred as part of a business transaction.

In the (very) unlikely event that Senden were to cease operations, user data would be securely deleted rather than transferred to a third party.

What Is Personal Information?

Personal information is any information that can be used to identify you as an individual. This includes your username, email address, IP address, and any other information that can be used to contact you.

We generally do not save any unnecessary personal information.

Information We Collect

We collect only what is strictly required to operate the Service. The following is a complete list of data we store:

Account & Profile:

  • Username (unique handle)
  • Display name
  • Email address
  • Password, stored exclusively as an Argon2id hash with high cost parameters. Your plaintext password is never stored or logged anywhere.
  • Profile bio (optional)
  • Profile avatar, stored as a file identified by its SHA-256 hash. No metadata beyond the hash is retained.
  • Status override (Online / Do Not Disturb / Invisible)
  • Profile settings
  • Terms of Service acceptance version and timestamp
  • Account creation and last-updated timestamps

Messages & Content:

  • Direct messages (content, timestamps, reply references)
  • Group messages (content, timestamps, reply references)
  • Server channel messages (content, timestamps, reply references)
  • Original message content is retained after an edit solely for moderation purposes.
  • Support messages sent to us through the platform
  • Message reactions (emoji, author, timestamp)

Files & Attachments:

  • Uploaded files, stored by SHA-256 hash. Metadata includes original filename, MIME type, and file size. This is required for normal operation.

Social Graph:

  • Friend relationships (sent/received requests, accepted status, timestamps)
  • Direct message conversation records (which two users have a conversation)

Servers & Groups:

  • Servers you own or are a member of (name, description, icon, your role, join timestamp)
  • Groups you are in (name, description, icon, your role, join timestamp)
  • Server channels (name, description, type, position)
  • Server invite links you created (code, usage count, expiry)
  • System event messages for group actions (member added, left, group renamed, etc.)

Calls:

  • Call records: context (DM, group, or server channel), status, initiator, start and end times
  • Call participation records: join and leave times only

Sessions:

  • Refresh tokens, stored as a secure hash only, never as the raw token. Used to maintain login sessions and detect session reuse.

Logs & Transient Data:

  • IP addresses appear in access logs for abuse detection. These are automatically purged within 7 days. Logs associated with suspicious traffic may be retained for up to 90 days for investigation.

Password Security

All passwords are hashed using Argon2id, the winner of the Password Hashing Competition and the current industry standard for password storage. We use intentionally heavy cost parameters (high memory cost, multiple passes, and parallel lanes) to make brute-force and dictionary attacks computationally infeasible even in the event of a database compromise.

Your plaintext password is never written to disk, logged, or transmitted to us after initial hashing. We have no ability to recover or reveal your password.

How We Use Your Information

We only store your data to operate the Service and in case of abuse.

IP addresses in normal access logs are automatically removed within 7 days. Logs associated with suspicious traffic may be retained for up to 90 days. This does not include required data such as sessions, which persist until you delete them yourself.

We use IP geolocation to restrict access from certain jurisdictions as described in our Terms of Service. IP addresses processed for this purpose are not retained beyond the duration of the connection check and are not written to persistent storage.

Sharing Your Information

We never share or sell your personal information with third parties, except:

  • When required by Swiss law as evidence following a formal legal order
  • When we have your explicit permission for user support
  • When reporting confirmed abuse or illegal content to law enforcement or relevant authorities.

Your Rights & Data Export

You have the right to access, correct, update, or delete any personal information we hold about you, regardless of your location. Contact us at mydata@senden.chat for such requests or use the data export in your profile settings.

A data export contains everything Senden holds about you, including:

  • Your full account profile (username, display name, bio, email, avatar, settings, creation date)
  • All direct messages you have sent or received, including edits and timestamps
  • All group messages you have sent, including edits and timestamps
  • All server channel messages you have sent, including edits and timestamps
  • All reactions you have placed
  • All files and attachments you have uploaded (metadata and download links)
  • Your friend list and pending friend requests
  • All servers you own or are a member of, including your role and join date
  • All groups you are in, including your role and join date
  • All server invite links you have created
  • Call history (context, duration)
  • Active session list (hashed token identifiers and creation timestamps only)

Data Retention

Unnecessary data such as logs are only stored for 7 days. Logs associated with suspicious traffic may be retained for up to 90 days. Required data such as your account and messages are retained until you delete your account, except when required by law enforcement to retain the data longer.

When an account is deleted or banned, associated content is marked as deleted and hidden from other users as quickly as reasonably possible. Due to propagation delays and locally cached data on client devices, some content may remain briefly visible during this period. Data is permanently and irreversibly deleted from our systems after 90 days. The same applies to individually deleted messages and content.

Breach Notification

In the event of a confirmed data breach affecting your personal information, we will notify you through the following channels:

  • In-app notification: An alert will be displayed within the Senden application at your next login or as a push notification if you have the app open.
  • Email: A notification will be sent to the email address associated with your account describing the nature of the breach, what data was affected, and the steps we are taking.
  • Status page: A public notice will be published to our status page.

Email is only sent once a breach is confirmed. In-app notifications and status page updates are sent as soon as an incident is detected, including while it is still under investigation.

We will make every effort to notify affected users as soon as possible and within 72 hours of confirming a breach, in line with Swiss data protection requirements.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons. The date at the top of this page will always reflect the latest revision.

We will announce any changes to this policy at least 30 days before they take effect. You will receive an in-app notification when an update is pending, giving you time to review the changes before they apply to your account.

Once a policy change takes effect, you must accept the updated terms to continue using the Service. Until you accept, your account will be read-only. You may still export your data at any time during this period. You may instead choose to delete your account. If you do not act, your account remains read-only indefinitely until you either accept or delete it.

Governing Law

This service is operated from Switzerland and governed by Swiss federal law, including the Swiss Federal Act on Data Protection (nFADP). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Switzerland.