Effective 1 July 2026 · Applies to the Sendant mobile app (io.sendant) and web client.
Sendant is a private, end-to-end encrypted messenger. The short version: your messages belong to you. They are encrypted on your device, your keys never leave it, and our infrastructure only ever handles content it cannot read. We don't ask for your phone number, and we don't run analytics by default.
Sendant ("we", "us") is the Sendant messenger, developed by Yoni Ryabinski (yoniryabinski.com). You can reach us about privacy at privacy@sendant.io.
The following stays local to your device and is not transmitted to us in readable form:
Uninstalling the app removes these local databases from your device.
Sendant requests only feature-specific permissions when needed: camera access to scan invite or verification QR codes, microphone/audio access for voice messages and calls, network access to send and receive encrypted messages, and notification permission so your device can show a local alert after it receives a content-free wake signal. These permissions are not used for advertising, profiling, or contact discovery.
To deliver messages when your contact is offline, Sendant uses a store-and-forward "mailbox" and relay infrastructure. What that infrastructure sees:
| Data | What we can see | Retention |
|---|---|---|
| Message & attachment content | Opaque ciphertext only. Messages are end-to-end encrypted; we cannot read, search, or decrypt them. | Held only until delivered, and auto-expires (currently up to 30 days), then deleted. |
| Delivery/routing data | The minimum needed to route an encrypted envelope to its mailbox. Sealed-sender techniques minimize sender metadata. | Transient; not used for profiling or advertising. |
| Network connection data | Standard connection metadata (e.g. IP address) inherent to any internet service, used to operate and protect the service. | Not used to build a profile of you. |
| Push token | An FCM device token tied to your device so the mailbox can send content-free wake pushes. | Kept while notifications are enabled for that device, then replaced or removed when the token rotates or notifications are disabled. |
All communication with our infrastructure is encrypted in transit (TLS); the app does not permit cleartext network traffic.
Push notifications. On Android, Sendant uses Firebase Cloud Messaging (FCM) to wake the app when you have mail. These push messages are data-only and contain no message content — just a signal to fetch; the app then retrieves and decrypts your messages locally. Google (the FCM provider) can see that your device received a wake signal and when, but not who messaged you or what they said.
Sendant does not collect crash or diagnostic telemetry by default, and the app currently ships with no analytics or crash-reporting SDKs. If we ever add optional diagnostics, they will be off by default, scrubbed of message content before anything is sent, and used only to fix bugs and improve reliability — never for advertising or profiling.
We use the limited data above only to: deliver your encrypted messages, operate and secure the service, and (if you opt in) diagnose crashes. We do not sell your data, and we do not share message content with third parties — we cannot, because it is encrypted.
Because message content is end-to-end encrypted and only transient ciphertext passes through our infrastructure, we have no plaintext messages to disclose. If compelled by valid legal process, we can only provide the limited data we actually hold, which by design excludes the content of your conversations.
Sendant is intended for adults and is not directed to children under 13. We do not knowingly collect personal information from children under 13.
If we change this policy we will update the effective date above and, for material changes, surface a notice in the app or on this page.
Questions about your privacy? Email privacy@sendant.io.