[//] CIPHAR

Privacy Policy

Summary

Ciphar is a zero-knowledge encrypted chat app. There is no account, no phone number, and no email. The server only ever sees ciphertext, and channels self-destruct after 60 minutes. This page explains, in plain English, what we do and do not collect, who else touches the request, and how long anything lives.

What we collect

When you create or join a channel, the relay stores: the channel name, a random salt, a verification ciphertext, encrypted message blobs with their initialization vectors and authentication tags, encrypted file blobs, an expires_at timestamp, and a randomly generated sender token used to distinguish your messages from peers' on the same channel. None of these reveal your identity, the conversation content, or who you are talking to. The encryption key is derived inside your browser from the access key and never reaches the server.

Application server logs record only the request method, the path (with the query string stripped), the response status code, and an internal request ID. We do not log IP addresses, user-agents, request bodies, headers, cookies, or anything that identifies you or your device.

Aggregate metric

The home page displays a single number: the total count of channels ever created, shown as "X channels forged. Zero retained." This is one row in a database table (app_stats.total_rooms_created) holding a single integer. It is incremented atomically when a channel is created. It contains no per-channel data, no timestamps, no identifiers, and no link to any specific channel or participant. Nothing in it can be used to single out any user, conversation, or session. We disclose it explicitly because the page shows it; we do not consider an opaque global counter to be personal data, but transparency about every persistent piece of state is the policy.

Intrusion alerts and rate-limiting

If a participant submits a wrong access key on a channel's lock screen, the relay rate-limits the requesting IP (temporary lockout with a retry-after window) and writes a row to a security_events table tied to the channel ID. Each row records only that an invalid attempt occurred and when. The IP is used in-memory for the rate-limit decision and is not stored. The same event triggers a system message inside the channel so authenticated participants are warned in real time — those system messages contain no IP, no device data, and no identifier. The security_events rows cascade-delete with the channel at expiry or manual burn; nothing about access attempts survives the channel itself.

Manual destruction

Every channel has a destruct button (BURN CHANNEL) that any participant can press at any time. Pressing it deletes the channel and every encrypted blob associated with it from the relay immediately, before the 60-minute timer would otherwise fire. There is no "undo", no confirmation prompt that delays it, and no soft-delete. Manual destruction does not generate a separate log entry beyond the request line that handled it.

What we do not collect

No account. No phone number. No email. No real name. No contact list. No device fingerprint. No advertising identifier. No location data. No analytics events. No cross-site tracking. We do not run Google Analytics, Plausible, Sentry, NewRelic, Mixpanel, PostHog, or any equivalent.

Cookies

Ciphar sets one cookie, __Host-ciphar=1, with no value other than the literal 1. It carries no session data, no identifier, and no tracking payload. It exists only to enforce browser-side cookie security rules. The hosting platform (see below) may also set a routing cookie (GAESA) outside our control; it is used to keep your TCP connection on the same backend.

Third parties and sub-processors

  • Replit — application hosting, container runtime, and managed Postgres database. Replit's infrastructure runs on Google Cloud; the public IP for ciphar.org is a Google Cloud HTTPS load balancer managed by Replit. The encrypted blobs and channel rows live in Replit's managed database.
  • Google Fonts — the JetBrains Mono typeface is fetched from Google at build time and self-hosted by Ciphar; the browser does not contact Google at runtime.
  • ImprovMX — inbound mail forwarding for the contact@ciphar.org address. Messages you choose to send to that address transit ImprovMX's servers (which see the sender address, message body, and headers including the sender's IP) before being delivered to the operator's personal mailbox. ImprovMX is not used by, and has no visibility into, the chat application itself. If you would prefer a contact channel that does not pass through a forwarding provider, do not email us.

We use no analytics provider, no error reporting service, no captcha service, and no payment processor. The only third party that touches user-generated content is ImprovMX, and only for messages you voluntarily send to the contact address.

Network-level visibility

The hosting infrastructure (Replit and Google Cloud) necessarily sees your IP address because the network requires it to route packets. We do not have access to those infrastructure logs and we do not retain or process them. Replit's own data handling is governed by Replit's policies.

Retention

Channels expire 60 minutes after creation. After that, any read of the channel returns "not found" and the encrypted blobs are deleted from the database on the next request that touches the cleanup path. Application logs are retained according to Replit's container log retention; we operate no separate log storage.

Cross-border data transfers

The operator is based in the Kingdom of Saudi Arabia, but the infrastructure that runs Ciphar is not. Application code, the managed Postgres database, and the load balancer are operated by Replit on Google Cloud, and Google Cloud's data centres are located outside Saudi Arabia (primarily in the United States and the European Union, depending on Replit's region selection). Inbound email to contact@ciphar.org is forwarded by ImprovMX, whose servers are in the United States. The data that crosses these borders is, by design, opaque encrypted ciphertext with no identifier attached to it; the encryption keys never leave your browser. This disclosure is provided in line with the Saudi PDPL's expectation that controllers explain when personal data may be transferred outside the Kingdom.

Your rights

Because the operator is in Saudi Arabia, the primary applicable regime is the Saudi Personal Data Protection Law (PDPL), enforced by the Saudi Data & Artificial Intelligence Authority (SDAIA). Under the PDPL you have the right to be informed about how your personal data is handled, to access it, to request correction or deletion, to withdraw any consent you previously gave, and to lodge a complaint with SDAIA if you believe your rights have been infringed.

If you are a visitor from the European Union, the United Kingdom, or another jurisdiction with comparable data-protection rules (GDPR, UK GDPR, California CCPA/CPRA, and similar), the equivalent rights — access, rectification, erasure, restriction of processing, objection, and data portability — also apply to whatever personal data we may hold about you.

In practice, all of these rights are largely moot by design: Ciphar holds no account, no email address, no phone number, no profile, no identifier linked to you, and no plaintext message content. After 60 minutes, the channel itself is gone. There is, in almost every case, nothing for us to access, correct, export, or delete because nothing relating to you exists. For any request — including PDPL requests, GDPR requests, or simply a question about what we hold — write to the contact address below.

Children

Ciphar is not intended for anyone under 16. We do not knowingly process data from anyone under 16.

Security

Read the security model for the full threat description, what cryptography we use, and what we do not protect against.

Changes to this policy

Updates are posted on this page with a new "Last updated" date. Continued use of Ciphar after a change constitutes acceptance.

Contact

Privacy and data requests: contact@ciphar.org.

Governing law and jurisdiction

This policy is governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (Royal Decree M/19 of 9/2/1443H, as amended) and its implementing regulations issued by the Saudi Data & Artificial Intelligence Authority (SDAIA). The operator is an individual based in Saudi Arabia. Where Ciphar is accessed from another jurisdiction, the operator will respond to lawful requests from data subjects under that jurisdiction's applicable data-protection law, to the extent compatible with Saudi law.

Last updated: 21 April 2026.

This document describes Ciphar's current practices and is provided for transparency. It is not legal advice. For binding regulatory obligations, consult counsel in your jurisdiction.
