This policy describes what Tin-Can collects, why we have it, and how long we keep it—in plain language.

Any data collected or stored is used only as required to run the app, is as minimal as possible, and is never used outside of our scope. Last updated: April 2026.

Messages

Messages are encrypted on your device, with a code that only the recipients have, and there is no way to decrypt the message in transit.

Messages do transit through our servers, but only with the generated IDs for delivery, and the content is useless without the decryption keys, which no one but you and the recipients have. Messages are deleted from our servers once delivered to the recipients, or expire after 90 days of not being delivered, whichever comes first.

Email and username

You can sign in with an email or a username, your choice. We only keep that credential so you can log in securely, and that is done with a secure third-party provider (Firebase). The only advantage to using email is the ability to reset a forgotten password. Neither your email nor your username appears inside the app as part of the messaging experience; they are for login authentication only.

User ID, Device ID, Display name, and Device type

User ID and Device ID are system-generated identifiers (they are not derived from your email or username). We use them so devices can find each other and deliver messages without tying routing to sensitive personal information.

Display name is the label other people see—it is whatever you want it to be, and you can change it whenever you like.

Device type starts as a simple, generic label so everyone has context about which device is in a room (for example, iPhone or Android tablet). You can edit that label anytime, for example to “work phone” or “Rabbit Hole”; there is no requirement to advertise what device you are using.

Camera and files

We use the camera in two ways:

  • Exchanging security material with other devices.
    This is core to how we share keys securely (so that they don't transmit over the airwaves), and is a requirement for the app to function. The data here is processed locally and never leaves each device.
  • Taking pictures that you choose to share in chat.
    Photo taking is optional, in the sense that you control who and what to share with. The data here is encrypted as a message package and delivered through the same encrypted path.

Data sharing

TL;DR: we don't share or sell your data for advertising or analytics. The specifics of what we collect and use are covered in the email, device and messages sections. The intent is to collect the minimum required, and to keep moving those goalposts towards zero.

There is a cool thing that happens with this approach:
It isn't that we don't sell or share data; we can't. We don't have any data to sell.

Zero data retention*

The asterisk:

We aim for zero but need a minimal amount to operate; that doesn't mean we want to keep it. Your login information is used only for authentication. Once you are in the app, we use generated IDs for exchanging everything else, and pseudo names for what others see. You can set those as you please.

This low amount is always up for review and if we can shrink it, we will.

Account deletion

To permanently delete your account, visit the Delete Account page.

Contact