Less is more, especially with your data.
Effective: 15 June 2026
FRIENDA exists so two people can confidentially agree to keep something confidential. The whole product would fall apart if we treated your data the way most apps do. This page tells you exactly what we collect, what we do with it, and how to make us forget you.
What we collect
Account information (senders)
To send NDAs, you sign in with Apple. We collect:
- The display name you provide during onboarding.
- Your Apple Sign In identifier (a stable, opaque token from Apple) and the email Apple shares — which may be a private relay address if you use Hide My Email.
- A per-install device id (a random UUID) that ties NDAs you create on a device to your account.
- If you enable notifications, an Apple Push Notification token so we can tell you when an NDA is signed or declined.
Recipients don't need an account. Someone signing an NDA you send can do it through the App Clip or the web with no sign-in at all.
NDA content
- The topic you typed, the term you picked, your name, and (after signing) the recipient's typed legal name.
- The signed PDF, stored in our object storage (Cloudflare R2) for as long as you want access to it.
- Audit metadata: signing timestamp, IP address at sign-time, browser/device user-agent, whether the signer confirmed with Face ID / Touch ID, and a tamper-evident hash chain of state changes.
Recipient identity lock (optional, Pro)
If you lock an NDA to a specific person, we store the email address or phone number you choose to lock to — so we can send the recipient a one-time verification code. The code itself is short-lived (it lives in a temporary cache and expires in minutes), and it's never stored after it's used. A recipient may instead verify with Sign in with Apple, in which case we briefly check whether their Apple-verified email matches the locked address — we don't keep their Apple identifier.
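The lifecycle described above (a one-time code that lives only in a short-lived cache, expires in minutes, and is gone after it is used) looks like the following in code. This is an added illustration, not FRIENDA's implementation: the in-memory dict stands in for the KV cache the page mentions, and the TTL (300 s), the attempt cap (5), the identifiers `nda-42`/`nda-43` and the contacts are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # "expires in minutes"; assumed value for the example
MAX_ATTEMPTS = 5         # assumed; a 6-digit code needs an attempt cap, not only a TTL


@dataclass
class PendingCode:
    digest: bytes        # sha256 over (scope, code); the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class OtpStore:
    """Stand-in for a short-lived cache (the page names Cloudflare KV; this is a dict)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _scope(nda_id: str, contact: str) -> str:
        # One live code per (NDA, locked contact); contact is normalised so
        # "Bob@Example.com" and "bob@example.com" share an entry.
        return f"{nda_id}|{contact.strip().lower()}"

    @staticmethod
    def _digest(scope: str, code: str) -> bytes:
        # Hashing a 6-digit code is defence in depth only (it is brute-forceable
        # offline); the attempt cap below is what actually protects the code.
        return hashlib.sha256(f"{scope}:{code}".encode()).digest()

    def issue(self, nda_id: str, contact: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, leading zeros kept
        scope = self._scope(nda_id, contact)
        self._pending[scope] = PendingCode(
            digest=self._digest(scope, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # handed to the email/SMS sender once; not persisted anywhere

    def verify(self, nda_id: str, contact: str, submitted: str) -> bool:
        scope = self._scope(nda_id, contact)
        rec = self._pending.get(scope)
        if rec is None:
            return False
        if self._clock() >= rec.expires_at:
            del self._pending[scope]            # expired: drop it and fail closed
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.digest, self._digest(scope, submitted))
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[scope]            # single use; also burn after too many guesses
        return ok

    def pending_count(self) -> int:
        return len(self._pending)


def demo() -> dict:
    """Exercise the lifecycle with a controllable clock (constructed scenario)."""
    now = [1_000_000.0]
    store = OtpStore(clock=lambda: now[0])

    code = store.issue("nda-42", "Bob@Example.com")
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_rejected": store.verify("nda-42", "bob@example.com", wrong) is False,
        "right_accepted": store.verify("nda-42", "bob@example.com", code) is True,
        "replay_rejected": store.verify("nda-42", "bob@example.com", code) is False,
        "nothing_left": store.pending_count() == 0,
    }

    code2 = store.issue("nda-42", "bob@example.com")
    now[0] += CODE_TTL_SECONDS + 1                 # clock runs past the TTL
    results["expired_rejected"] = store.verify("nda-42", "bob@example.com", code2) is False
    results["expired_purged"] = store.pending_count() == 0

    code3 = store.issue("nda-43", "+15551234567")
    for _ in range(MAX_ATTEMPTS):
        store.verify("nda-43", "+15551234567", wrong)
    results["burned_after_guesses"] = store.verify("nda-43", "+15551234567", code3) is False
    return results
```

Two details matter for the privacy claims: the plaintext code exists only in the return value of `issue` (on its way to the mailer or SMS sender), and every exit path from `verify` that ends the code's life deletes the cache entry, so "never stored after it's used" holds for success, replay, expiry and guess exhaustion alike.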
A note on Face ID
Signing is confirmed with Face ID / Touch ID on the signer's device. Your biometrics never leave your device and we never see them — iOS only tells the app whether the check passed, and we record that single yes/no in the audit trail.
Things we deliberately do not collect
- Your iMessage conversations. Apple sandboxes our extension from reading them.
- Your address book. We never read your contacts — the system contact picker runs outside the app and only hands back the one detail you tap (a name, or the email/phone you choose for a recipient lock).
- Analytics events tied to your identity. We use aggregate Cloudflare logs to keep the service running, not to profile you.
- Third-party trackers, marketing pixels, or ad SDKs. None.
How we store it
Everything sits on Cloudflare infrastructure (D1 for structured data, R2 for signed PDFs, KV for short-lived token caches). Cloudflare encrypts at rest. We do not currently end-to-end encrypt NDA content — the server can read it. End-to-end encryption is on the roadmap for the Business plan.
How we use it
- To operate the product — render your NDAs, generate signed PDFs, show you your library.
- To maintain the audit trail — so a signed NDA is verifiable months or years later.
- To prevent abuse — rate limits, spam detection, debugging. We look at logs only when we need to.
Sharing
We don't share your data with third parties for marketing or analytics. We may be required to share it in response to a valid legal request (subpoena, court order). If that happens to your account specifically, we'll notify you unless we're legally prohibited from doing so.
Sub-processors
- Cloudflare — hosting, storage (D1 / R2 / KV), and edge compute.
- Apple — Sign in with Apple identity exchange and Apple Push Notification service.
- Resend — sends recipient verification codes by email (only when an NDA is locked to an email address).
- Twilio — sends recipient verification codes by SMS (only when an NDA is locked to a phone number).
That's the full list. If we add another, we'll update this page.
Your controls
- Export — every signed NDA is downloadable as a PDF from your library.
- Delete — Profile → Delete account removes your account, NDAs, and the per-install device id. Audit entries are tombstoned rather than erased: we keep the hash chain itself so the rest of the trail stays verifiable, but the row contents are wiped.
- Email us — hi@frienda.chat for anything we missed.
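The two audit-trail statements on this page (a tamper-evident hash chain of state changes, and keeping that chain after deletion while wiping the row contents) fit together as shown below. This is an added example, not FRIENDA's schema or code: the entry layout, the per-row random salt, the NDA identifier `nda-42` and the sample state changes are all constructed here. The salt is the detail a practitioner would want: without it, a wiped row's content hash would still let anyone holding the table guess low-entropy contents (a state name, a short legal name) by brute force.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _canonical(obj: Any) -> bytes:
    # Deterministic JSON so the same state change always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(*parts: bytes) -> str:
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))   # length-prefix: no ambiguity between parts
        h.update(p)
    return h.hexdigest()


@dataclass
class Entry:
    seq: int
    prev_hash: str
    content_hash: str                  # commitment to (salt, content); kept after wiping
    entry_hash: str                    # links this entry to its predecessor
    salt: Optional[bytes]              # wiped together with content
    content: Optional[Dict[str, Any]]  # None once the row has been wiped


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @staticmethod
    def _content_hash(salt: bytes, content: Dict[str, Any]) -> str:
        # The 16-byte random salt is what stops someone who sees only the hash
        # from guessing low-entropy content after the row has been wiped.
        return _sha256(salt, _canonical(content))

    @staticmethod
    def _entry_hash(seq: int, prev_hash: str, content_hash: str) -> str:
        return _sha256(seq.to_bytes(8, "big"), prev_hash.encode(), content_hash.encode())

    def append(self, state_change: Dict[str, Any]) -> Entry:
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        salt = secrets.token_bytes(16)
        chash = self._content_hash(salt, state_change)
        entry = Entry(seq, prev, chash, self._entry_hash(seq, prev, chash), salt, dict(state_change))
        self.entries.append(entry)
        return entry

    def wipe(self, seq: int) -> None:
        """Account deletion: drop the row's content and salt, keep both hashes."""
        self.entries[seq].content = None
        self.entries[seq].salt = None

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (ok, first_bad_seq). Wiped rows are checked by their hashes alone."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False, i
            if e.content is not None:
                if e.salt is None or self._content_hash(e.salt, e.content) != e.content_hash:
                    return False, i
            if self._entry_hash(i, prev, e.content_hash) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        return True, None


def demo() -> Dict[str, Any]:
    """Constructed NDA lifecycle: create, lock, sign; then wipe one row; then tamper."""
    chain = AuditChain()
    chain.append({"nda": "nda-42", "state": "created", "by": "sender-device-uuid"})
    chain.append({"nda": "nda-42", "state": "locked", "contact": "bob@example.com"})
    chain.append({"nda": "nda-42", "state": "signed", "signer": "Bob Example", "biometric_ok": True})
    out: Dict[str, Any] = {"fresh": chain.verify()}

    chain.wipe(1)                                      # personal data gone, chain intact
    out["after_wipe"] = chain.verify()
    out["wiped_row_empty"] = chain.entries[1].content is None and chain.entries[1].salt is None

    chain.entries[2].content["biometric_ok"] = False   # someone edits a live row
    out["after_tamper"] = chain.verify()

    chain.entries[1].content_hash = "f" * 64           # or swaps a wiped row's commitment
    out["after_wiped_row_tamper"] = chain.verify()
    return out
```

Wiping entry 1 leaves the chain verifiable because verification of a wiped row only needs its stored `content_hash`, which the next row's `prev_hash` already commits to. Any later edit, whether to a live row's content or to a wiped row's hash, breaks the link at that sequence number and is reported as the first bad entry.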
Children
FRIENDA isn't for anyone under 13. We don't knowingly collect data from anyone under 13. If you believe we have, please email us and we'll delete it.
Changes
If we change this policy in a way that affects your data, we'll update the effective date and notify signed-in users by email before the change takes effect.
Contact
Questions, requests, complaints — hi@frienda.chat. A real person reads it.