Legal
Privacy Policy
Effective date: July 12, 2026
Applies to: the CruiseMesh mobile apps, the optional internet relay at relay.davidjacobson.work, and this website (cruisemesh.app).
Short version: CruiseMesh is offline-first family messaging. Message contents are end-to-end encrypted on your devices. We do not run accounts, advertising, or analytics SDKs. The optional relay stores only sealed ciphertext and routing hints for a limited time. This website is static, with no cookies or trackers.
1. Who operates CruiseMesh
CruiseMesh is an open-source project operated by David Jacobson (“we,” “us”). Source code is published at github.com/davidmjacobson/cruisemesh. You may also self-host the relay; if you do, you are the operator of that instance, and this policy describes the design of the software rather than every third-party host’s practices.
2. Scope of this policy
This policy covers three surfaces:
- Mobile apps for Android and iOS that store data on your device and optionally sync over Bluetooth or the internet relay.
- Internet relay (
cruisemesh-relayd), a mailbox that holds sealed envelopes until devices fetch and acknowledge them. - This website, a static landing page and friend-link fallback. It requires no account and sets no analytics or advertising cookies.
3. What we do not collect
Based on the current software:
- No email address, phone number, or password account is required to use the app.
- No advertising identifiers, crash-reporting SDKs such as Firebase or Sentry, or product-analytics SDKs are bundled in the apps.
- The Android app requests Bluetooth with
neverForLocationand does not request location permission for scanning. - The relay cannot open sealed message bodies. It does not store plaintext messages, read/delivery receipt contents, or sender identity in the public envelope header.
- This website uses no third-party scripts, analytics, or tracking cookies.
4. Data on your device
CruiseMesh is designed so cryptographic identity and conversation data live primarily on your phone:
- Identity keys. Ed25519 signing and X25519 encryption keypairs are generated on device. Android protects the installed identity with hardware-backed Keystore encryption where available.
- Manual encrypted backups. If you explicitly create an account backup, CruiseMesh exports identity keys, local message data, profile information, and relay configuration into a passphrase-encrypted file you choose where to save. That file can restore the same identity after reinstalling. Anyone with both the file and its passphrase can impersonate the identity and read its included history, so protect it accordingly.
- User ID. A short ID derived from your public signing key and displayed for friending. It is not a government identifier or phone number.
- Profile. A display name you choose and an optional profile photo used as contact metadata.
- Contacts and groups. Friend cards, public keys, optional relay URL/token, group membership, and group keys.
- Messages and media. Chat history, delivery/read state, and photos or voice memos—stored locally and sealed before leaving the device.
- Relay configuration. If you use an internet relay, the app stores its URL and family bearer token.
Deleting the app or clearing app data removes on-device data subject to your operating system. CruiseMesh app data is not included in Android Auto Backup. iOS device backups, if enabled, may include app data under Apple’s backup rules. Files you manually exported remain wherever you saved them.
5. Permissions the apps request
- Bluetooth — discover nearby CruiseMesh peers and exchange sealed mesh traffic without internet.
- Camera — scan friend QR codes and take photos for chat or profile use.
- Microphone — record short voice memos when you use that feature.
- Photo library — choose an existing photo to send or use as a profile image.
- Internet and network state — optionally flush sealed envelopes to the relay when a network path exists.
- Notifications — alert you about new messages and friend connections when the OS allows.
- Foreground service and battery exemptions on Android — keep mesh sync more reliable in the background; declining reduces background reliability.
Permissions are used for these features, not advertising or cross-app tracking.
6. Data other devices may process
CruiseMesh uses delay-tolerant networking:
- Direct Bluetooth. Your phone exchanges sealed envelopes with a peer in range. A brief unauthenticated hello announces your User ID so a peer can map the link to a known contact for routing and UI.
- Data mule. Another CruiseMesh device may temporarily store and carry sealed envelopes it cannot read until they reach the recipient or expire.
- Internet relay. A device with your family’s relay configuration and network access can upload or download sealed envelopes for matching recipient hints.
- Broadcast mode. Traffic on a public broadcast channel is intentionally readable by any CruiseMesh app. Treat it as public rather than private messaging.
Nearby Bluetooth observers may learn that CruiseMesh devices are present and may see transient User IDs or public envelope headers such as message ID, hop limit, expiry, rotating recipient hint, and ciphertext. They cannot open sealed family traffic without recipient keys.
7. Internet relay mailbox
The hosted relay at relay.davidjacobson.work is a content-agnostic mailbox. Authenticated clients using a shared family bearer token may post and fetch envelopes. Stored fields are essentially:
msg_id, an opaque deduplication identifierhop_ttlandexpiry_msrecipient_hint, a short hash of recipient identity salted by calendar daysealed, containing ciphertext only- server creation time and family-token scope for access control
Sender identity and plaintext—including receipt details—are inside the seal. A compromised or curious relay can observe timing, volume, and approximate social-graph size for a family token, but not message content or read state.
Retention: clients typically set expiry around seven days. The server enforces a hard ceiling of 30 days from creation. Rows are removed when acknowledged or when expiry/retention pruning runs.
Anyone holding a family bearer token can use that family’s mailbox. Protect QR codes and tokens like a household shared secret.
8. Website and infrastructure logs
- This website is served through Cloudflare Workers Static Assets and does not set first-party analytics cookies or embed third-party trackers.
- Friend links place the friend card after
#in the URL. URL fragments are processed locally by the browser and are not included in HTTP requests to Cloudflare or this website. - Cloudflare and relay infrastructure may process standard connection metadata such as IP address, timestamp, URL path, user agent, and response status for security, delivery, and operations under their respective terms.
- Family tokens should be sent in the
Authorizationheader. Putting tokens in query strings can expose them to infrastructure logs.
9. How data is used
- To deliver messages and receipts between people you deliberately friend or group with.
- To operate the optional relay and keep it secure and available.
- Not for advertising, selling personal data, or building marketing profiles.
10. Sharing
We do not sell personal data. Message contents leave your device only as sealed ciphertext to mesh peers or a relay you configure. Infrastructure providers and certificate authorities may process connection metadata under their terms. Open-source distribution through GitHub is separate from app message data.
We may disclose information if required by law or necessary to protect rights, safety, or the relay from abuse—keeping in mind that the hosted relay holds sealed blobs rather than plaintext.
11. Your choices and controls
- Do not configure a relay if you want Bluetooth-only delivery.
- Rotate or revoke family relay tokens if one is exposed.
- Delete contacts or groups on device; remove the app to delete local data subject to OS backups.
- Create manual encrypted backups only when wanted, store them somewhere trustworthy, and use a strong passphrase.
- Verify contacts using the short fingerprint phrase shown during friending.
- Treat broadcast channels as public.
Because there are no cloud accounts, there is no central “download my data” portal. Authoritative chat copies live on participating devices. Relay contents are sealed and time-limited.
12. Children
CruiseMesh is intended for family use. It is not directed to children under 13 as a general-audience product, and we do not knowingly collect children’s personal information through accounts because CruiseMesh does not offer accounts. Parents and guardians who install the app for family messaging control devices and friending choices.
13. International and self-hosted use
The hosted relay and website use infrastructure under our control and third-party service providers. If you configure another relay URL, that operator’s privacy and logging practices apply to envelopes sent there.
14. Security
We use end-to-end sealing as implemented in the open-source core, HTTPS for relay transport, and minimize what the relay can see. No transmission or storage method is perfectly secure. The current threat model prioritizes unreliable connectivity and untrusted carriers of ciphertext, not nation-state anonymity. See DESIGN.md for technical detail.
15. Changes
We may update this policy as the software evolves—for example, if store distribution, multi-device sync, or optional telemetry is added. The effective date will change, and material changes should be reflected here and, when practical, in release notes.
16. Contact
For privacy questions or questions about the hosted relay, open an issue in the CruiseMesh GitHub repository.