// Legal

Privacy
Policy

Last updated: March 2026 · We collect almost nothing. Here's exactly what we do handle.

The short version: MESH cannot read your messages — they are encrypted on your device before they leave it. We don't know your name, email, or phone number. The only things our relay server stores are your Stellar address, your NaCl public key, and your chosen username — all of which are public by design.

1. Who We Are

MESH Protocol is an independent project developed by Mohamed Abdellah. The relay server and website are hosted at meshprotocol.ru.

Contact: contact@meshprotocol.ru · support@meshprotocol.ru

2. What We Collect — and What We Don't

Data Type	Collected?	Where?
Your name	✗ Never	—
Email address	✗ Never	—
Phone number	✗ Never	—
IP address	✗ Not stored	Briefly visible in server logs (not retained)
Message content	✗ Never readable	Encrypted blobs only — stored on IPFS, not our server
Stellar public address	✓ Yes	Relay server — public by nature of blockchain
NaCl public key	✓ Yes	Relay server — needed for encryption, public by design
Username (@handle)	✓ Yes	Relay server — chosen by you, publicly searchable
Message pointers (memoKey)	✓ Temporarily	Relay server — deleted after delivery confirmed

3. How Your Messages Actually Work

Your messages are encrypted on your device using NaCl box encryption (Curve25519 + XSalsa20 + Poly1305) before they leave your phone. The encrypted blob is uploaded to IPFS via Pinata. A pointer to that blob travels via the Stellar blockchain.

Our relay server only ever sees an encrypted pointer — never the message content. We have no technical ability to read your messages. This is not a policy — it is a cryptographic guarantee.

4. Data Stored on Your Device

The MESH app stores the following locally on your device using Expo SecureStore (hardware-backed encrypted storage on supported devices):

Your Stellar key pair (public + secret)
Your NaCl encryption key pair (public + secret)
Your 12-word BIP39 recovery mnemonic
Your chosen username
Pinata API credentials (for IPFS uploads)
All messages and contacts (in a local SQLite database)

None of this is transmitted to us. It lives only on your device. If you uninstall the app or use "Clear All Data", it is permanently deleted. Make sure you have your recovery phrase before doing so.

5. Third-Party Services

MESH uses the following third-party services:

Stellar Network — public blockchain. Transactions (message pointers) are permanently recorded on-chain. The Stellar Foundation operates this network independently of MESH.
Pinata / IPFS — encrypted message storage. Pinata stores encrypted blobs. They cannot decrypt them. Pinata's own privacy policy applies to their service.
sweb.ru — our relay server hosting provider (Russia). The relay server stores only the public data described in Section 2.
Cloudflare Pages — website hosting. Standard Cloudflare analytics may apply to the meshprotocol.ru website.

6. Cookies and Tracking

The MESH website (meshprotocol.ru) does not use advertising cookies, tracking pixels, or analytics scripts. The only browser storage used is localStorage to remember your chosen accent color preference.

The MESH mobile app does not use any analytics SDK, crash reporting service, or advertising framework.

7. Data Retention

Message pointers on the relay: deleted after you confirm delivery, or after 30 days if undelivered
Username registry: retained indefinitely while your account exists. You can request deletion by contacting us
IPFS blobs: stored on Pinata under our account. We do not currently auto-delete them. This may change as the service scales
Local device data: you control this entirely via "Clear All Data" in Settings

8. Your Rights

You have the right to:

Delete your username from our relay by contacting us
Delete all local data using "Clear All Data" in Settings → Danger Zone
Request information about what we store about your Stellar address

Because we don't know who you are, you'll need to identify yourself by your Stellar public address when making a request.

9. Children

MESH is not intended for users under 13 years of age. We do not knowingly collect data from children. Because we collect no personal information at all, we have no way to verify age — parental guidance is advised.

10. Changes to This Policy

We may update this policy as MESH evolves. The "Last updated" date will always be current. Continued use of MESH after changes means you accept the updated policy.

11. Contact

Privacy questions or deletion requests: contact@meshprotocol.ru

PrivacyPolicy