AnchorKey Privacy
Last updated: 2026-04-27
Summary
AnchorKey is a phone-as-trust-anchor credential broker. The phone is the only place secrets live; nothing leaves it without biometric consent. We don't operate a server, don't collect telemetry by default, and don't have access to your credentials.
What stays on your phone
- The encrypted credential vault.
- Secure Enclave keys used for pairing and authorization. These are non-extractable hardware-bound keys; we cannot read them, copy them, or move them off the device.
- Audit log entries for every consent decision you make, each signed by the Secure Enclave.
- Recovery material. Multi-tier recovery is purely on-device or paired-device.
What we do not collect
- Credentials, vault contents, or any decrypted secret material.
- Usage analytics, behavioral telemetry, or crash payloads beyond Apple's standard TestFlight/App Store reports (you control these in iOS Settings → Privacy → Analytics).
- Location data. Pattern 6 (device-as-signal) reads location only on-device for your own policy rules; we never receive that data.
- Contacts, photos, microphone, or camera contents. The camera is used only to scan QR pairing codes, locally; the image is never transmitted.
- Identifiers for advertising, tracking, or attribution. We don't have an SDK that does any of this.
Where the relay fits in
AnchorKey ships a small Go binary, anchorkey-relay, that you deploy on infrastructure you own (Fly.io free tier, a $5 VPS, a Mac mini, a Raspberry Pi). The relay handles outbound API proxying, webhook ingress, schedulers, and integration runtime.
The relay holds only short-lived (under one hour) capability tokens minted by your phone. It does not hold long-lived secrets, master keys, or vault contents. Compromising the relay yields the current connection state; the vault is unaffected.
We do not host or operate relays for you. The relay is software you run, not a service we provide. We have no access to relay logs, relay SQLite databases, or anything the relay processes.
What goes through Apple
- App Store / TestFlight installation flows are governed by Apple's privacy policy.
- AnchorKey uses Apple Push Notification service (APNs) as a wakeup trigger only. APNs payloads carry no app data, no credentials, and no personally identifiable information — they are silent triggers that ask the app to fetch fresh state over your tailnet.
- iCloud is not used for vault storage or any secret material.
Data subject rights
If you operate AnchorKey purely with your own phone and your own relay, Indiagram LLC cannot honor a deletion request because we don't have your data. When you delete the app, the vault is gone with the device keychain. When you decommission the relay, the operational audit log is gone with the disk.
For inquiries that involve App Store metadata or future hosted services (deferred to v2+), email jp@indiagram.com.
Changes to this policy
We will post substantive changes here with a new "last updated" date. Material changes that broaden data collection will be announced in the App Store release notes for the version that introduces them.