Privacy Policy
DNA Connect — Post-Quantum Encrypted Messenger
Effective Date: March 17, 2026 · Last Updated: March 26, 2026
1. Overview
DNA Connect is a decentralized, peer-to-peer messaging application built on post-quantum cryptography. This privacy policy explains what data the application accesses, how it is used, and your rights as a user.
DNA Connect does not collect, store, or transmit any personal data to centralized servers. All communication is end-to-end encrypted using NIST-approved post-quantum algorithms (Kyber1024 for key encapsulation, Dilithium5 for signatures).
2. Data We Do NOT Collect
DNA Connect is designed with privacy as its core principle. We do not collect:
- Personal information (name, email, phone number)
- Message content — all messages are end-to-end encrypted and only readable by the intended recipient
- Contact lists or address books from your device
- Location data
- Usage analytics or telemetry
- Advertising identifiers
- Device fingerprints for tracking purposes
- Browsing history or app usage patterns
3. Data Stored Locally on Your Device
The following data is stored exclusively on your device and never transmitted to us:
Cryptographic Material
| Data | Purpose | Storage |
|---|---|---|
| Dilithium5 signing key pair | Identity verification and message signing | Local file (identity.dsa), derived from recovery phrase |
| Kyber1024 encryption key pair | Post-quantum key encapsulation | Local file (identity.kem), derived from recovery phrase |
| Recovery phrase (24 words) | Account backup and recovery | Encrypted with Kyber1024 public key (mnemonic.enc). Never stored as plain text. |
| DHT node identity | Authentication on the decentralized network | Cached locally (dht_identity.bin), deterministically derived from recovery phrase |
Application Data
| Data | Purpose | Storage |
|---|---|---|
| Contact list | Managing trusted contacts, block list | Local SQLite database (contacts.db) |
| Message history | Conversation backup and display | Local SQLite database (messages.db) |
| Profile cache | Caching display names, avatars, and public keys of contacts | Local SQLite databases (profiles.db, keyserver_cache.db) |
| Wall post cache | Offline access to public posts, comments, and likes | Local SQLite database (wall_cache.db) |
| Group & channel data | Group memberships, encrypted group keys, channel subscriptions | Local SQLite databases (groups.db, channel_subscriptions.db) |
| Wallet balance & transaction cache | Displaying wallet balances and transaction history | Local SQLite database (wallet_cache.db). Private keys are never stored; they are derived on demand from the recovery phrase. |
| Wallet address book | Saved recipient addresses with labels | Local SQLite database (addressbook.db) |
| App lock PIN | Optional app lock authentication | PBKDF2-SHA256 hash with random salt, stored in Android Keystore / iOS Keychain (encrypted by OS) |
| App preferences | Settings such as biometric lock, notification preferences | OS-managed local storage (SharedPreferences) |
Local SQLite databases are not individually encrypted. The application relies on OS-level storage isolation (Android app sandbox) to protect database files. Sensitive cryptographic material (recovery phrase, PIN) uses dedicated encryption as described above.
4. Decentralized Network (DHT)
DNA Connect uses a distributed hash table (DHT) network called Nodus for message delivery and profile discovery. Data published to this network falls into two categories:
Public Data (readable by DHT nodes and other users)
- Public profile: Your public cryptographic keys, registered display name, bio, avatar, location, website, social links, and wallet addresses. This data is intentionally public to allow others to find and communicate with you.
- Wall posts, comments, and likes: Public posts you choose to publish, along with any comments or likes, are visible to anyone on the network. Posts are signed but not encrypted.
- Channel posts and metadata: Public channel content including channel name, description, and posts are readable by DHT nodes.
Encrypted Data (not readable by DHT nodes)
- Direct messages: Encrypted with Kyber1024 key encapsulation and AES-256-GCM. Only the intended recipient can decrypt them.
- Group messages: Encrypted with a Group Encryption Key (GEK), distributed to group members via Kyber1024 encapsulation.
- Contact lists and address books: Self-encrypted with your own Kyber1024 public key.
- Message backups: Self-encrypted with your own Kyber1024 public key.
- Group membership lists: Self-encrypted with your own Kyber1024 public key.
No centralized server stores or has access to your private keys. DHT nodes can read public profile information and wall posts, but cannot read your private messages, contact lists, or group memberships.
5. Device Permissions
DNA Connect requests the following Android permissions:
| Permission | Purpose | Required? |
|---|---|---|
| Internet | Connect to the decentralized DHT network for messaging | Yes |
| Network State | Detect online/offline status for message delivery | Yes |
| Camera | Take photos for profile avatar and scan QR codes for adding contacts | No — optional |
| Biometric | App lock feature — authenticate with fingerprint or face recognition | No — optional |
| Notifications | Receive alerts for new messages | No — optional (Android 13+) |
| Vibrate | Haptic feedback for notifications | No — optional |
| Wi-Fi State | Detect Wi-Fi connectivity for optimizing network connections | Yes |
| Battery Optimization Exemption | Keep background message delivery active (user-triggered from Settings) | No — optional |
No permission is used for advertising, tracking, or data collection. Camera and biometric access are only activated when you explicitly use those features.
6. Third-Party Services
DNA Connect does not integrate any third-party analytics, advertising, or tracking services. Specifically:
- No Google Analytics or Firebase Analytics
- No Facebook SDK
- No advertising networks
- No crash reporting services that transmit data externally
The application connects to the following third-party services for wallet functionality:
- Blockchain RPC endpoints (Cellframe, Ethereum, Solana, TRON) for wallet balance queries and transaction broadcasting. These connections transmit only your public wallet address — never private keys.
- BitcoinTry API (api.bitcointry.com) for real-time cryptocurrency price data. No personal data or wallet addresses are sent — only token pair identifiers (e.g., ETH_USDT).
7. Encryption & Security
All cryptographic operations use NIST-approved post-quantum algorithms:
- Key Encapsulation: ML-KEM (Kyber1024) — NIST Category 5
- Digital Signatures: ML-DSA (Dilithium5) — NIST Category 5
- Symmetric Encryption: AES-256-GCM for message content
- Hashing: SHA3-512 for identity fingerprints
These algorithms are designed to resist attacks from both classical and quantum computers. Your private keys never leave your device.
8. Data Retention & Deletion
- All data is stored on your device. Uninstalling the app deletes all local data.
- Public profile data on the DHT network is stored permanently to ensure your contacts can always find you. Your device periodically refreshes this data to keep it current.
- Wall posts have a 30-day TTL on the network and expire automatically.
- You can delete your account at any time by uninstalling the app. There is no server-side account to delete.
9. Children's Privacy
DNA Connect does not knowingly collect any information from children under the age of 13. The application does not require any personal information to create an account, only a locally generated cryptographic key pair.
10. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated "Last Updated" date. Continued use of DNA Connect after changes constitutes acceptance of the revised policy.
11. Contact
If you have questions about this privacy policy or DNA Connect's data practices:
- Email: privacy@cpunk.io
- Website: cpunk.io
- GitHub: github.com/nocdem/dna-messenger