Privacy policy
Last updated: May 2026
What we collect, what we don't, who has access, and what your rights are. Written in plain English first; the formal sections follow.
1. Who we are
Shoal is operated by [Shoal Ltd / company name TBD], a UK-registered company at [registered address TBD]. We are the data controller for the personal data described in this policy.
Our ICO registration number is [TBD].
For privacy questions or to exercise any of the rights described below, email [email protected].
2. What we collect, and why
We process three categories of personal data:
Account data
When you sign up, we store the email address you provide and the display name you choose. You can also upload a profile picture. Your email address is held in plaintext, because we need to be able to send sign-in emails to it; it is the only piece of personal data we hold in plaintext. Your display name and profile picture (if you set one) are encrypted at rest in our database. The legal basis for processing this account data is performance of a contract.
Device data
For every device on your account, we store a public key (used to encrypt messages to that device), a device label, and the metadata needed to route push notifications. Public keys are held as-is — they are public by design. Device labels and the metadata associated with them are encrypted at rest. The legal basis is performance of a contract.
Routing metadata
When you send a message, we store the encrypted ciphertext along with the metadata required to deliver it: which conversation it belongs to, who the recipients are, and a timestamp. This routing metadata is encrypted at rest. The legal basis is performance of a contract.
Voice notes
When you send a voice note, the audio is encrypted on your device with the same conversation key that wraps text messages, and the ciphertext is stored on our servers for delivery. If a recipient turns on transcription for a conversation, their device runs its operating system's on-device speech recogniser locally and encrypts the resulting transcript before storing it alongside the audio. We do not receive decrypted audio, do not call any cloud speech service on your behalf, and do not receive transcript text. The legal basis is performance of a contract.
We additionally process diagnostic and security logs (errors, request volumes, rate-limit events) on the basis of legitimate interest in keeping the service running and protecting it from abuse. These logs are aggregated and do not identify individuals.
3. What we don't collect
We do not collect:
- Plaintext message contents — messages are encrypted on your device before they reach our servers, and we never see them in the clear in transit or at rest
- Phone numbers
- Date of birth, address, or other identity data beyond what you choose to put in your profile
- Precise location data
- Your browsing or activity outside of Shoal
- Behavioural profiles or fingerprinting from third-party SDKs
- Anything from advertising networks — we don't have any ad networks integrated
4. Encryption
Shoal's encryption operates in two layers. We want to describe both of them honestly so you can decide what trust we've earned.
Message-level encryption
Messages are encrypted on the sending device using AES-256-GCM. The keys for those messages are wrapped per device using ECDH P-256, with HKDF-SHA-256 key derivation. Each recipient's device uses its own private key to unwrap the conversation key and decrypt the message locally. Our servers route ciphertext; they never see plaintext message contents.
Database-level encryption
Almost everything we store on our servers is additionally encrypted at rest under a server-side environment secret. The only exception is your email address, which must be held in plaintext so we can send sign-in emails to it. Everything else — message ciphertext, voice note audio and any on-device transcripts, your display name, your profile picture, device labels, public keys, encrypted copies of your decryption keys, and routing metadata — is encrypted in our database under that environment secret.
What this means today
- An attacker who gains read access to our database, but not to our deployment environment, sees encrypted bytes they cannot decrypt.
- No Shoal employee can read your messages, your display name, your profile picture, or any other data we hold encrypted at rest in the course of normal operation. The infrastructure to do so has not been built.
- Anyone with unlocked physical access to a device can read the messages stored on that device, because that is intrinsic to how messaging on a device works.
An important limit we want to be upfront about
Encrypted copies of your device decryption keys are themselves stored in our database, protected by the environment secret. We currently have no code path that would unwrap those copies, and no plans to write one. But it would be technically possible for us to do so in the future — for example, if we were ordered to comply with a lawful disclosure request that we could not refuse, or if we built a feature for users to recover messages after losing all of their devices.
In other words: this is operationally enforced, not cryptographically enforced against us specifically. The protection sits in the fact that the code to decrypt does not exist and the environment secret is not exposed to staff in normal operation — not in a mathematical impossibility. If we ever build a capability to read data we cannot read today, we will say so clearly in this policy and notify users in advance.
For our full threat model, see our security page.
5. Children's privacy
Shoal is designed to be safe for children, and is built to comply with the UK Age-appropriate Design Code (the "Children's Code"), the UK GDPR provisions on children, and equivalent regimes in other jurisdictions.
A child can be added to a Shoal family without an email address or a password by being added as a device rather than registered as a user. The data we collect about a child device is:
- The display name chosen by the family admin or the child (encrypted at rest)
- A profile picture, if one is set (encrypted at rest)
- The device's public key
- Encrypted ciphertext of messages the device sends
- Routing metadata for those messages (encrypted at rest)
We do not collect children's email addresses, phone numbers, dates of birth, or other identifying information. We do not profile children. We do not show advertising to anyone. We do not allow third-party tracking.
Family admins are responsible for ensuring they have appropriate authority to add a child to a family. If you believe a child has been added to Shoal without appropriate consent, contact [email protected] and we will remove the relevant data.
6. Admin oversight in family conversations
When a child is in a Shoal family conversation, family admins are cryptographic recipients of that conversation's encryption key, and can read its contents. This is a structural feature of how Shoal works, not a separate decryption pathway — it's described in detail on our security page.
If you participate in a Shoal family as a child member, be aware that the admins of that family can read:
- Conversations within the family
- Cross-family conversations explicitly approved by an admin from each side
That visibility does not extend to:
- Other Shoal families you may belong to
- Conversations you have on accounts that aren't part of an admin-managed family
7. Subprocessors
We use the following third parties to operate Shoal. Each has appropriate data-processing agreements in place and complies with UK GDPR and EU GDPR:
- Cloudflare, Inc. — provides our hosting, edge network, database (D1), object storage (R2), and message queues. The primary database is configured to reside in the EU. See Cloudflare's privacy policy.
- Resend — sends transactional email (magic-link sign-in messages). See Resend's privacy policy.
- Push notification services — when you enable push notifications, encrypted notification payloads are routed via Apple Push Notification Service (Apple Inc.), Firebase Cloud Messaging (Google LLC), or Mozilla Push Service (Mozilla Foundation), depending on your device. These services see metadata (your push subscription endpoint and the size of the payload) but cannot decrypt the payload itself.
We do not sell or rent personal data to anyone, ever.
8. International transfers
Shoal's primary data store is in the EU. Some of our subprocessors (notably Cloudflare and the push notification services) are headquartered in the United States and may process limited operational data there.
For transfers from the UK or EU to the US, we rely on the UK Extension to the EU-US Data Privacy Framework, the EU-US Data Privacy Framework, and/or Standard Contractual Clauses, depending on the subprocessor. Equivalent safeguards apply for transfers to other jurisdictions.
9. How long we keep data
- Account record (email, display name, profile picture): until you delete your account.
- Message ciphertext: until you delete the message, the conversation, or your account.
- Device public keys: until you revoke the device or delete your account.
- Magic-link sign-in tokens: 15 minutes.
- Session tokens: until you sign out, or after [TBD] of inactivity.
- Diagnostic and security logs: [TBD — typically 30–90 days].
- Backups: [TBD — state retention period and how deletions propagate].
Deleting your account triggers deletion of your account record and revocation of all device keys. Messages you've sent in conversations that include other people remain readable to those other people unless they also delete them — we cannot delete those copies on your behalf, because the encrypted ciphertext is held on their devices and only they hold the keys to read it.
10. Your rights
If you are in the UK, EU, or another jurisdiction with similar data-protection rights, you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate data
- Erasure of your data ("right to be forgotten")
- Restriction of processing
- Portability of data you've provided
- Objection to processing based on legitimate interest
- Withdrawal of consent, where consent was the legal basis for processing
To exercise any of these rights, email [email protected]. We respond within 30 days, with a possible extension of up to 60 additional days for complex requests as permitted by GDPR.
You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk, or with the data protection authority of your country of residence within the EU.
11. Cookies and similar technologies
The Shoal marketing site (shoal.chat) does not set any cookies and does not use tracking technologies of any kind.
The Shoal app (app.shoal.chat) uses browser storage (IndexedDB and localStorage) to:
- Hold your device's encryption keys, so messages can be decrypted on your device
- Hold a session token, so you stay signed in
- Cache the application's static assets for offline use
These are strictly necessary for the service to function and are not used for tracking, analytics, or advertising. We do not display a cookie banner because we do not use any non-essential cookies or similar technologies.
12. Security
Our practical security measures include:
- Client-side encryption of all message contents on the sending device (AES-256-GCM, with ECDH P-256 key wrapping for recipients) — see section 4 for the full picture, including the limits of this claim
- Encryption at rest of all data in our database, except your email address, under a server-side environment secret
- TLS 1.3 for all transport between devices and our servers
- Magic-link authentication with single-use tokens that expire after 15 minutes
- Rate limiting and abuse protection on authentication endpoints
- A responsible disclosure programme at [email protected]
For our full threat model, see /security.
13. Changes to this policy
If we make material changes to this policy we will notify users by email and update the "Last updated" date at the top. Non-material changes (typo fixes, clarifications) will be made without notification. The current version is always live at shoal.chat/privacy.
14. Contact us
For privacy questions or to exercise your rights: [email protected]
For security disclosures: [email protected]
For general enquiries: [email protected]
You can also write to us at: [registered address TBD].