Privacy policy for a system built around client-side secret creation and viewer-first web opening.

Privacy Policy

Effective Date: 23 March 2026
Last Updated: 23 March 2026

1. Introduction

ANOMONUS - FZCO (“Anomonus,” “we,” “us,” or “our”) provides a privacy-oriented service that allows users to create, protect, share, and view encrypted secrets and related protected content, including secret messages, secret links, secret locations, secret posts, secret party content, QR-linked content, and related access-controlled materials (the “Service”).

This Privacy Policy explains how we process information in connection with the Service, including through our website, mobile applications, and related infrastructure.

The Service is designed to reduce unnecessary exposure of plaintext content and to minimize personal data processing where reasonably possible. However, operating the Service still requires the processing of certain encrypted data, metadata, technical request data, and security-related information.

By using the Service, you acknowledge that your information may be processed as described in this Privacy Policy.

⸻

2. Scope of This Policy

This Privacy Policy applies to information processed through:
• the Anomonus mobile application,
• the Anomonus website and web viewer,
• secret creation, access, ticket, RSVP, challenge, and device-binding flows,
• support, abuse-prevention, operational, and security-related functions connected to the Service.

This Privacy Policy does not apply to third-party websites, services, applications, or platforms that may be linked to, integrated with, or used alongside the Service, and we are not responsible for the privacy practices of those third parties.

⸻

3. Categories of Information We Process

3.1 Encrypted Secret Content

The Service is designed so that core secret payloads are encrypted on the user’s device before upload. Depending on the feature used, this may include encrypted secret bundles and related protected content.

Although the system is intended to reduce server-side access to plaintext secret content, the Service may still process associated metadata and technical information necessary to store, deliver, secure, expire, or display encrypted materials.

3.2 Identity, Verification, and Access-Control Data

Depending on the Service flow, we may process data related to identity, access control, authorization, or session verification, such as:
• identity hash values,
• public keys,
• challenge-response data,
• cryptographic signatures,
• session-related data,
• device-binding data,
• ticket and RSVP-related data,
• secret access state and access-control metadata.

3.3 Metadata and Configuration Data

We may process metadata associated with secrets and protected content, such as:
• secret type,
• creation parameters,
• expiration settings,
• burn-after-read or maximum-view settings,
• access restrictions,
• viewing configuration,
• device-binding or recipient-control settings,
• content lifecycle settings,
• anti-abuse and routing-related flags.

3.4 Technical Request and Device Data

When you use the Service, we may process limited technical data necessary to operate, secure, and protect it, such as:
• IP-related request data,
• timestamps,
• request headers,
• device or app version information,
• network or transport-related data,
• temporary identifiers,
• rate-limiting inputs,
• challenge and ticket timing data,
• security event data.

We seek to minimize the collection and retention of such data where reasonably possible, but some of it may be necessary for service delivery, abuse prevention, diagnostics, or infrastructure security.

3.5 Local Device Data

Certain information may be stored locally on your device, including through secure local storage mechanisms, keychain-like secure storage, or app-managed storage, such as:
• identity-related local data,
• session-related local data,
• locally stored access state,
• optional mnemonic or recovery-related local data,
• RSVP-related local state,
• developer cache or debugging-related local state in development environments,
• app-lock or local-authentication state.

Local device data may remain on the device until removed by the user, cleared by app actions, overwritten, or deleted through logout, uninstall, or device-level controls.

3.6 Permissions-Based Data

Depending on the features you use, the application may request access to certain device capabilities, including:
• Camera for QR scanning and related flows,
• Location for secret-location and map-related flows,
• Biometric or local authentication for app-lock or similar local device protection,
• Network access to communicate with the Service.

These permissions are feature-dependent. Denying a permission may disable the related feature.

3.7 Support, Safety, and Abuse-Handling Data

If you contact us, report abuse, submit a complaint, or communicate with support, we may process:
• your contact details,
• the contents of your message,
• related technical or investigative data,
• evidence provided by you,
• service usage context relevant to the issue.

⸻

4. Information We Do Not Intend to Collect as Plaintext

Based on the reviewed client codebase at the time of drafting, the Service is designed so that core secret payloads are encrypted on-device before upload.
In addition, we did not identify integrated third-party analytics or crash-reporting SDKs in the reviewed application-owned mobile source code.

However:
• this does not mean the Service processes no personal data,
• this does not by itself constitute a representation regarding all infrastructure components, reverse proxies, hosting providers, logs, or future versions of the Service,
• this does not eliminate the possibility that metadata, technical request data, or security-related records may still be processed.

Where we describe architectural intent, that description should not be read as a guarantee of absolute anonymity, zero knowledge in the strict cryptographic or legal sense, or complete absence of operational data.

⸻

5. Why We Process Information

We process information for the following purposes:

5.1 To Provide the Service

We process information to create, store, route, deliver, decrypt, view, expire, manage, and protect secrets and related access-controlled content.

5.2 To Authenticate and Authorize Access

We process information to verify access rights, manage challenge flows, issue or validate tickets, enforce device binding, and apply access-control rules.

5.3 To Maintain Security and Integrity

We process information to detect abuse, enforce rate limits, prevent fraud, investigate misuse, protect the Service, and maintain infrastructure security and operational integrity.

5.4 To Support Privacy and User-Controlled Lifecycle Features

We process information to implement secret expiration settings, maximum-view restrictions, burn-after-read behaviors, device restrictions, and related content lifecycle controls.

5.5 To Communicate With You

We process information to respond to support requests, legal requests, security issues, and service-related inquiries.

5.6 To Comply With Law and Enforce Our Terms

We may process information to comply with applicable law, respond to lawful requests, enforce our Terms, resolve disputes, and protect rights, safety, and security.

⸻

6. Legal Bases for Processing

Where applicable law requires a legal basis for processing, we rely on one or more of the following:
• Performance of a contract: to provide the Service you request and enable the functionality you use;
• Legitimate interests: to secure, maintain, improve, defend, and abuse-protect the Service;
• Consent: where required by law, including for certain optional permissions or device features;
• Compliance with legal obligations: where we must comply with applicable law, lawful process, or regulatory requirements.

The specific legal basis may depend on the type of information, the jurisdiction, and the context in which it is processed.

⸻

7. Permissions and Device Access

The Service may request the following device permissions, depending on which features you use:

Camera

Used for QR scanning and related secret access or creation functions.

Location

Used for location-related secret creation, map flows, or location-based protected content features.

Biometric / Local Authentication

Used for local app-lock and device-side access protection features.

Network Access

Used to communicate with backend services, validate access, and retrieve encrypted content or related service data.

You can typically manage permissions through your device operating system settings. If you disable a permission, some Service features may no longer function properly.

⸻

8. Local Storage and On-Device Protection

Some Service data may be stored locally on your device for usability, continuity, identity handling, session continuity, local-auth protection, and related feature support. This may include secure local storage, system keychain-like storage, and app-managed local state.

If your device is compromised, rooted, jailbroken, shared, or otherwise insecure, the confidentiality and integrity of locally stored data may be reduced. You are responsible for maintaining reasonable device security.

⸻

9. Sharing and Disclosure of Information

We do not sell personal data in the ordinary commercial sense described by many privacy laws.

We may disclose or make information available in the following circumstances:

9.1 Service Providers and Infrastructure

We may use hosting, networking, security, storage, cryptographic, mapping, transport, or related technical providers and components needed to operate the Service.

9.2 Legal Compliance and Protection

We may preserve, use, or disclose limited information where reasonably necessary to:
• comply with applicable law,
• respond to valid legal process,
• enforce our Terms,
• investigate fraud, abuse, or misuse,
• protect the rights, safety, security, users, systems, or integrity of the Service,
• prevent harm.

9.3 Business Transactions

If Anomonus undergoes a merger, acquisition, restructuring, financing transaction, asset sale, or similar event, information may be transferred as part of that transaction, subject to applicable law.

9.4 With Your Direction

We may process or disclose information where you direct us to do so or where disclosure is inherent in the feature you choose to use.

⸻

10. Third-Party Components and Services

The Service may rely on selected third-party components, libraries, or technical providers, including security, cryptography, mapping, networking, transport, and infrastructure-related components.

Based on the reviewed materials provided for drafting, we did not identify integrated third-party analytics or crash-reporting SDKs in the reviewed mobile application-owned codebase. However, the Service may still involve third-party technical dependencies or infrastructure components, and this statement should not be read as a representation that no third parties are involved in Service operation.

Third-party components may be governed by their own terms, licenses, and privacy practices.

⸻

11. Retention

We retain different categories of information for different periods depending on:
• technical necessity,
• service functionality,
• security and abuse prevention,
• legal obligations,
• dispute handling,
• creator-configured lifecycle settings,
• system architecture and deployment configuration.

Examples may include:
• short-lived ticket or challenge artifacts designed to expire automatically after limited periods,
• secret availability governed by creator-selected expiration, burn-after-read, or maximum-view settings,
• local device data that persists until cleared, overwritten, logout occurs, or the app is removed,
• technical logs, abuse-prevention records, caches, backups, or diagnostic records that may persist longer where reasonably necessary.

Because deployment architecture and infrastructure configuration may vary, we do not make absolute retention guarantees for every system component, log source, cache, or backup layer unless expressly stated in a service-specific notice.

⸻

12. Security Measures

We use technical, organizational, and architectural measures designed to reduce unnecessary exposure of sensitive information and to protect the Service. These measures may include client-side encryption design for core secret payloads, access-control enforcement, challenge and ticket mechanisms, device-binding features, transport protections, rate limiting, and local secure storage measures.

However, no service can guarantee absolute confidentiality, anonymity, integrity, availability, or resistance to misuse. Security outcomes depend in part on:
• user behavior,
• recipient behavior,
• device security,
• operating system behavior,
• deployment configuration,
• network conditions,
• third-party infrastructure,
• evolving threats.

You should not rely on the Service as providing a guarantee of complete anonymity, complete invisibility, perfect deletion, or total immunity from compromise.

⸻

13. International Data Transfers

Your information may be processed in countries other than your country of residence. Where applicable law requires safeguards for cross-border transfers, we will seek to apply appropriate legal and operational measures reasonably required in the circumstances.

⸻

14. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from individuals under 18. If you believe that a person under 18 has provided personal data through the Service, contact us so we can review and take appropriate action.

⸻

15. Your Rights

Depending on your location and applicable law, you may have the right to request:
• access to personal data,
• correction of inaccurate data,
• deletion of certain data,
• restriction of processing,
• objection to certain processing,
• data portability, where applicable,
• withdrawal of consent where processing is based on consent,
• complaint to a competent data protection authority or regulator.

These rights are not absolute and may be limited by law, technical feasibility, security needs, the rights of others, or the nature of the Service architecture.

To exercise applicable rights, contact us using the contact information below.

⸻

16. Cookies, Similar Technologies, and Web Viewer Behavior

If the web components of the Service use cookies, local storage, session storage, URL fragments, or similar mechanisms, those technologies may be used to:
• enable secret viewing flows,
• maintain temporary access state,
• support viewer security behavior,
• preserve limited client-side functionality,
• improve reliability or usability.

A separate Cookie Notice may be provided if required by applicable law or if cookie usage becomes more extensive.

⸻

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, security design, legal requirements, or operational practices. The updated version will be posted with a revised “Last Updated” date. Where required by applicable law, we will provide additional notice or obtain consent.

Your continued use of the Service after an updated Privacy Policy becomes effective may constitute acknowledgment of the updated policy to the extent permitted by law.

⸻

18. Contact Information

For privacy questions, support, or data rights requests, contact:

ANOMONUS - FZCO
Email: privacy@anomonus.com
Website: https://anomonus.com
Support: https://support.anomonus.com
Address: IFZA Business Park, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates