Privacy
Last updated 2026-06-06
This page explains, in plain language, what data SafeAlias collects, why, who can see it, and how to remove it. It is the binding privacy notice for your use of the service. If anything below is unclear, write to privacy@safe-alias.app and we will rewrite it.
Who we are
SafeAlias provides privacy and safety tooling for independent professionals, on the web and in our mobile app. We are not a marketplace: we do not facilitate bookings, take commissions, or display public profiles. The contact address for privacy questions is privacy@safe-alias.app.
What we collect
Account data: a verified email address and the handle you choose. We do not ask for your real name, date of birth, or government ID; a profile picture is optional. Inbox data: aliases you create, message content sent to your aliases by other people, the email of senders who write to you (after they verify it), per-thread notes you write, and the personal blocklist you maintain. Safety data: trusted-contact labels, emails, and optional phone numbers (used only for SMS and voice alerts on plans that include them), scheduled check-in details (including any address or notes you add and, only if you opt in for a given check-in, your device's last-known location), and the timestamps of confirmations or alerts. Subscription data: if you subscribe, your plan and its status. Mobile data: if you use the app and allow notifications, a device push token so we can send check-in reminders and alert mirrors. Operational data: short-lived, salted hashes used to rate-limit abuse and one-time sign-in codes; we do not retain raw IP addresses beyond the immediate request lifetime. Payments are handled entirely by the payment provider or app store described below; no card or bank details ever reach SafeAlias.
Why we collect it (lawful basis under GDPR Art. 6)
Performance of a contract (Art. 6(1)(b)) for everything required to operate the inbox, safety check-ins, subscriptions, and your account. Legitimate interests (Art. 6(1)(f)) for fraud and abuse prevention via rate-limit hashes and short-lived OTP records. Consent (Art. 6(1)(a)) for anything you actively choose to add, such as attaching your last-known location to a check-in or uploading a profile picture. Every cookie we set is either strictly necessary or set by your explicit action (e.g. choosing a language in Settings).
Who can see your data
Inside the database, row-level security policies restrict each row to its owner: you. When end-to-end encryption is enabled, message content is encrypted on your device and we store only ciphertext we cannot read; it is readable only on your own devices. SafeAlias staff cannot read your message bodies, notes, contacts, or check-in history through the application. Database administrators may incidentally see metadata (account creation times, message volumes) during operational work. On your phone, biometric unlock (fingerprint or face) is handled entirely by your device's operating system; that biometric data never reaches SafeAlias. The only people who receive your data outside the sub-processors below are the trusted contacts you designate yourself, and only when you miss a check-in.
Selling, advertising, and tracking
We do not sell your personal data, we do not share it for advertising, and we run no third-party advertising or analytics-tracking SDKs in the app or on the site. The only recipients of your data are the sub-processors listed below and the trusted contacts you choose.
Sub-processors
Supabase (managed Postgres and auth, EU region). Resend (transactional email: sign-in codes, sender verification, reply notifications, and trusted-contact alerts). Twilio (SMS and voice trusted-contact alerts on plans that include them). Netlify (application hosting and the scheduled functions that drive safety check-in alerts). Expo (delivery relay for mobile push notifications). For payments made on the website, a PCI-DSS-certified payment processor handles the transaction and reports only your subscription status back to us. For purchases made in the mobile app, Google Play processes the payment and a subscription-management provider (RevenueCat) reports only your subscription status; through either path, no card data reaches SafeAlias. All sub-processors are bound by data-processing agreements aligned with GDPR. We will list any new sub-processor here at least 30 days before granting access to production data.
International transfers
Where a sub-processor stores data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and on the sub-processor's own GDPR-Article-32 technical and organisational measures. We do not transfer data to jurisdictions without an adequacy decision or SCC coverage.
Retention
Account, inbox, safety, and subscription data are retained for as long as your account is active. When you delete your account, from Settings on the web or in the app, your profile and everything keyed off it (aliases, threads, messages, notes, trusted contacts, check-ins, blocklist, and subscription record) is removed from the live database immediately. Encrypted backups roll off within 30 days. Hashed rate-limit and one-time-code records are short-lived (minutes to hours) and are not used for analytics.
Your rights
Under the GDPR you have the right to access, correct, and delete your personal data; to obtain a copy in a portable format; to object to processing based on legitimate interests; and to lodge a complaint with your supervisory authority. You can correct your handle and delete your account directly from Settings, both on the web and in the mobile app. For access and portability requests outside of the in-app flows, email privacy@safe-alias.app and we will respond within 30 days.
Children
SafeAlias is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, write to privacy@safe-alias.app and we will delete the account.
Changes to this policy
We will update this page as the product evolves. Material changes (new sub-processors, new categories of data, changes to retention) will be announced via in-app banner before they take effect. The date below is the last revision.
See also our /refunds, /cookies, /terms, and /security pages.