Snikket App Privacy Policy

Who this document applies to

This privacy policy applies to users of the official Snikket mobile apps. This document details the data arising from your use of the Snikket apps, and in particular does not represent the policies of any network services that you may register with and/or interact with while using the apps - please review the relevant policies of those services separately, e.g. before registering an account or interacting with a service.

The services you use with the app may be provided by us, or by a third-party. We have no control over third-party services, even if they are utilizing our software, so please ensure you trust operator and agree with their own privacy policies before using any service with the Snikket app.

Our approach to privacy

As you probably hear many organizations say - we take your privacy seriously. In the case of Snikket, privacy is actually the primary reason the project exists. We want to ensure that people have usable alternatives to communication platforms that sustain themselves by collecting and processing personal data for commercial gain.

Transparency, and giving you a choice of service operator, are important ways we work to implement this mission.

1. Data shared with the Snikket developers

As a general rule, we minimize the information that the Snikket app will share with us as developers.

There are two cases where the app may send data to us:

  • So we may relay push notifications to your device, on behalf of your Snikket service, and
  • In the event that the app crashes, and you approve the submission of a crash report to help us fix the problem.

The data described in this section is processed on a lawful basis of legitimate interest. The data is necessary for us to provide you with a working and reliable app.

1.1 Push notification service

The Snikket developers operate a push service that is used by your Snikket service to notify your Snikket app using your mobile OS vendor’s push notification infrastructure when you receive incoming messages. This is used to overcome battery optimisations implemented by most mobile operating systems and is a common feature of modern messaging apps.

1.1.1 Android: Google Play Store version

Note: Some versions of the Snikket app, such as the version distributed through F-Droid do not have push notification support, and this section does not apply to them.

The Snikket Android app will register with the Snikket push service, which stores three identifiers:

  • Google Push ID (FCM token): Generated by Google Play Services on your device. Google require this token so they know which device to deliver the notification to.
  • Snikket App ID (Android ID): Generated by Android when you install the Snikket app (older Android versions may share the same token across all installed apps). We use it to identify your push service registration because the Google Push ID can change.
  • Snikket Service ID (Node ID): Generated by the push service, we provide this to your Snikket service so it can tell us which device we need to send a notification to.

Our push service never sees your IP address and does not store your Snikket username. Furthermore, none of these token/IDs are linked to your identity. A Snikket server will never share the content or metadata of any of your messages with the push service. The Snikket Android app fetches messages directly from the Snikket service where your account is registered.

Currently for diagnostic purposes the Snikket push service also stores the domain of the Snikket service where the push registration came from.

1.1.2 iOS: Apple App Store version

The Snikket iOS app will register with the Snikket push service, which stores a “device token”. This token is generated by Apple’s iOS operating system on your device and provided to the Snikket app. Apple requires us to provide them this token when we generate notifications, so they can identify which device to send the notification to. The token is unique to each installation of the Snikket app, and it cannot be used to link your identity between different apps on your device.

Our push service never sees your IP address, and the device token does not reveal, and is not linked to, your identity.

The following data is stored by the iOS app push service:

  • Your Snikket address (e.g. username@chat.example.com)
  • The address of your Snikket service (e.g. chat.example.com)
  • Apple Push ID (device token): Generated by iOS on your device. We send this token to Apple with push notifications so that they know which device and app to deliver the notification to.
  • Snikket Service ID (Node ID): Generated by the push service, we provide this to your Snikket service so it can tell us which device we need to send a notification to.

The following data may be included in push notifications, but encrypted with a key (AES128 GCM or stronger) known only to your app and your Snikket service. This encryption protects message contents and metadata from both the Snikket push service and Apple’s notification servers.

  • Encrypted:
    • Message sender
    • Count of unread messages
    • Message type (e.g. private, group chat or call)
    • Message content
    • Sender name (if from a group chat)
    • Call info (only included if notification is an incoming call):
      • Unique call identifier
      • Supported media types by the caller
  • Unencrypted:
    • Your device token (required by Apple)
    • Your Snikket domain (visible only to our push service when your server sends us a request)

2. Data shared with your service operator

This section is purely informational in nature, and describes the kind of data that may be sent to your chosen service provider while using the Snikket app.

The Snikket app connects directly to any services that you register an account on. Be sure to review the privacy policy for your chosen service. If you use Snikket hosting provided by us, please refer to the Snikket Hosting privacy policy.

Data that goes through your service operator includes:

  • Contacts that you add on Snikket (name and XMPP address only)
  • Messages (this includes text messages, images and other files)
  • Your profile picture, if you choose to upload one
  • Your OMEMO public keys used to enable people to send you encrypted messages

There may be additional data that you provide within the app to be shared with services, such as group chat names, membership lists, and other kinds of information.

Data that is not shared with your service operator includes:

  • Your phone address book contacts. The Snikket app may ask for permission to access your address book contacts so it can display the names and profile pictures of your contacts within the app. It does not send this information anywhere. If you do not grant this permission when prompted, Snikket will work just fine, but will not use names/profile pictures from your address book.

Once again, refer to your provider’s privacy policy to learn how they store, handle and process data that you share with their service through using the Snikket app.

2.1 Encryption of data

The app has the ability to encrypt message contents and file uploads when this feature is enabled. We encourage you to keep this feature enabled, and to use the in-app verification functions, if you want to ensure your communications stay private even in the event of a malicious or compromised service.

Changes

  • 2020-12-16: Updated to include iOS app.
  • 2021-06-08:
    • Added a section about who the document is for
    • Added a section providing an overview of our approach to privacy
    • Added section numbering
    • Further clarified:
      • the separation of app developer and service provider
      • the need and lawful basis for collecting and processing the data that we do
      • the encryption capabilities of the app