Pigeon

Privacy Policy

Effective Date: February 22, 2026
Last Updated: May 26, 2026

Pigeon ("Pigeon," "Pigeon Chat," "the App," "we," "us," or "our") is a privacy-first encrypted messaging platform operated by Merandian LLC, a limited liability company. This Privacy Policy describes what information we collect, how we use it, and your rights with respect to it. By using our website at pigeonchatapp.com or our mobile applications (collectively, the "Service"), you agree to the practices described in this policy.

Contact: pigeonchat@proton.me

The short version

Pigeon is built so the server never sees your message content, who you chat with, or how you identify yourself in each chat. Your conversations are encrypted on your device before they leave it, and we cannot read them. We collect the minimum information needed to operate the Service and nothing more (everything else stays on your device).

Information we collect

When you browse our website (no account required)

You may visit our website without creating an account. We do not use analytics, tracking pixels, or cookies to monitor how you browse or use the site. We do not respond to browser Do Not Track (DNT) signals because we do not track users across websites in the first place.

When you create an account

To use the messaging Service, you must create an account. We collect:

  • Email address — used for account authentication and transactional emails such as sign-in verification codes. Your email is never visible to other users of the Service.

When you use the Service

Once you have an account, we collect the minimum data needed to operate the Service:

  • Encrypted messages — your messages are encrypted on your device before being sent to our servers. We store them in encrypted form so they can be delivered to recipients and backed up so they can be restored if you sign in on another device. We cannot decrypt or read your message content.
  • Encrypted files — your files (photos, videos, documents, etc.) are encrypted on your device before being sent to our servers. We store them in encrypted form so they can be delivered to recipients and backed up if you sign in on another device. We cannot decrypt or read your file content.
  • Message delivery metadata — to route messages, we store the intended recipient of each message and when it was sent. We do not store the sender's identity on the server; that information is stored only on the devices of the people within your chat. Because we have no way to associate accounts with each other, we cannot reconstruct who is talking to whom from our server data alone.
  • Encrypted settings — your in-app settings are stored in encrypted form as a backup so they can be restored if you sign in on another device. We cannot read your settings.
  • Encrypted device name — when you connect a device to the Service, we save an encrypted version of your device name. We cannot read your device name, model, or operating system version.
  • Device platform — we store the platform of each device you connect (e.g., iOS, Android) solely to ensure compatibility with the correct app version.
  • Push notification tokens — if you enable push notifications, your device provides us with a token issued by Apple (APNs) or Google (FCM). We use this token only to deliver notification alerts. Notification content is not included in the token and we do not use tokens for tracking.
  • Session and authentication tokens — standard tokens used to keep you signed in securely.

When you purchase a paid plan for the service

You can use the Service entirely for free. However, if you choose to purchase a paid subscription plan, we collect:

  • Subscription details — if you choose to upgrade your use of the Service, we store a record of your latest payment status so we know what features of the Service to provide in your use of the Service.

Your full payment and billing information for in-app purchases is collected and managed by the third parties we use: Apple and RevenueCat. They may collect device identifiers and subscription state even if you never upgrade to a paid plan. For information on how these third-party service providers are used by the Service, see the Sharing your information section below.

Information we do not collect

We do not collect, and our systems are not designed to collect:

  • The content of your messages, files, or media (we cannot decrypt them)
  • Your sender identity at the server level (only stored locally on your device)
  • IP addresses (via the app. note that our website host Vercel and email delivery provider Maileroo may log IP addresses. See Sharing your information section below)
  • Precise or approximate location, GPS coordinates, or geolocation data
  • Your age or date of birth
  • Demographic information of any kind
  • Device fingerprints or hardware identifiers (aside from matching your device platform to the app platform)
  • Browser type, version, or user-agent strings
  • Operating system version or detailed device specifications
  • Screen size, resolution, or display settings
  • Installed plugins, fonts, or extensions
  • Canvas, WebGL, audio, or other fingerprinting data
  • Mouse movements or keystroke patterns
  • Behavioral profiles or interest data
  • Cookies or cross-site tracking data
  • Any advertising identifiers (IDFA, GAID, or similar advertising IDs)
  • Biometric data of any kind, including facial geometry, fingerprints, passcodes, or voice prints

We do not use third-party analytics, advertising networks, or tracking SDKs for analytics or advertising purposes.

How we use your information

We use the information we collect solely to provide, maintain, and improve the Service. Specifically:

  • Email address — to authenticate your account, send sign-in verification codes, and notify you of material changes to this policy or our Terms of Service.
  • Encrypted messages and metadata — to deliver messages to their intended recipients and to provide server-side backup of your encrypted message history.
  • Encrypted files and metadata - to store encrypted files you send for delivery to those in your chat. We also store file metadata including size and send time in order to calculate your usage against your plan limit.
  • Encrypted device name and settings — to allow you to manage connected devices and restore your preferences when signing in on a new device.
  • Device platform — to deliver the correct application version and ensure compatibility.
  • Push notification tokens — to deliver real-time notification alerts to your device.
  • Session tokens — to maintain your authenticated session securely.

We do not use any of your information to serve advertisements, build behavioral profiles, or sell data to any third party.

Legal basis for processing (EEA / UK / Switzerland — GDPR): We process your data on the following legal bases:

  • Contractual necessity — processing your email address and account data is required to provide the Service you signed up for.
  • Legitimate interests — maintaining service security, delivering messages, and preventing abuse, where those interests are not overridden by your rights.
  • Consent — for optional features such as push notifications, where we rely on your explicit consent, which you may withdraw at any time in your device settings.

Legal basis for processing (Canada — PIPEDA / Quebec Law 25): We process your personal information with your implied consent when you create an account and use the Service, and as necessary to fulfill our contractual obligations to you. You may withdraw consent by deleting your account. Quebec residents have additional rights under Law 25, including data portability and the right to be informed of any automated decision-making. Contact us at pigeonchat@proton.me to exercise these rights.

Legal basis for processing (Brazil — LGPD): We process your personal data based on contractual necessity (to provide the Service), legitimate interests (operating a secure platform), and consent for optional features. You have the right to access, correct, delete, and port your personal data, and to revoke consent at any time. Contact us at pigeonchat@proton.me to exercise these rights.

Legal basis for processing (Australia — Privacy Act 1988): We handle personal information in accordance with the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. If you believe we have mishandled your personal information, you may contact us first and, if unresolved, lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

How we store your data

Your messages and settings are encrypted on your device before being transmitted to our servers. We store them in encrypted form. We do not hold the keys needed to decrypt your content.

Your device stores a local copy of your messages, all chat details, contacts within chats, your per-chat identifiers (name and photo), and settings. If you delete the app, that local data is removed from your device. Server-side encrypted backups remain until you delete your account.

Instead of cookies, our web-based session uses your browser's built-in storage for authentication tokens and session state only — not for tracking.

All data is transmitted over encrypted connections (HTTPS/TLS) and stored encrypted at rest in our database.

Sharing your information

We do not sell, rent, or trade your information. We do not share your information with advertisers, data brokers, or marketers.

We may share limited information in the following circumstances in order to provide the Service to you:

Third-party service providers

We use a small number of trusted third-party providers to operate the Service. Each receives only the data necessary for their specific function:

  • Supabase — provides our database and authentication infrastructure. They store your email address, encrypted messages, encrypted files, encrypted settings, device platform, authentication tokens, and subscription plan status on our behalf in accordance with their data processing commitments. We configure our database to use United States-based server regions; however, Supabase operates its own global infrastructure and may store or process data on any of their servers in accordance with their own policies.
  • Maileroo — provides transactional email delivery of sign in verification codes. They process your email address to send these codes. We have disabled click and open tracking in our Maileroo configuration. Maileroo may still retain delivery logs and IP address data according to their own privacy policy.
  • Apple (APNs) / Google (FCM) — if you enable push notifications, your device communicates your push token directly to the platform's notification service. We transmit only a notification alert (not message content) through these services. Apple and Google operate under their own privacy policies.
  • Apple App Store / Google Play — distribute the application to your device. They may collect data about app downloads and usage according to their own policies, which we do not control.
  • Vercel — hosts our public website (pigeonchatapp.com). Vercel may log visitor access requests, which may include IP addresses, browser type, and pages visited, according to their own privacy policy. This applies to website visits only, not to the app.
  • RevenueCat / Apple - we use RevenueCat in conjunction with Apple to manage subscription plans and in-app purchases. They may collect device identifiers and subscription state regardless of whether you upgrade. If you choose to upgrade, RevenueCat and/or Apple process your transaction and collect billing and payment information under their own policies.

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, court order, or other legal process;
  • Enforce our Terms of Service or investigate potential violations;
  • Protect the security or integrity of the Service;
  • Protect the rights, property, or safety of Merandian LLC, our users, or the public.

Because messages and files are encrypted end-to-end, we are technically unable to provide readable content in response to legal demands. If compelled by court order, we can only produce the encrypted ciphertext (which we cannot decrypt) along with the limited metadata we hold (delivery metadata, email address, device platform, and subscription status). We cannot produce message or file content, sender identity of messages, receiver identity of files, or chat membership lists.

We will notify affected users of legal demands for their data when permitted by law and when we believe doing so is appropriate.

Business transfers

If Merandian LLC is involved in a merger, acquisition, asset sale, or similar transaction, your information may be transferred as part of that transaction. In the event of such a transaction, we will endeavor to notify you via email or a prominent notice within the Service, and your information will remain subject to this Privacy Policy until any successor entity provides notice of updated practices.

Data retention

We retain your information for as long as your account is active or as needed to provide the Service.

  • Email address and account data — retained until you delete your account, at which point it is permanently removed.
  • Encrypted messages — retained on our servers until you delete them within the app or delete your account.
  • Encrypted files — retained on our servers until you delete them within the app, delete your account, or hit the retention file limit.
  • Encrypted settings and device records — retained until you remove a device or delete your account.
  • Authentication and session tokens — retained for the duration of your active session or until revoked.

Chat retention

When a chat is created, and depending on your subscription plan, you may select an option to have all chat content be automatically and permanently deleted from the server and all chat member devices on a rolling basis after a number of days. This setting is configured at initial chat creation and cannot be changed later. The deletion of the chat content is permanent for everyone in the chat.

Deleting individual messages or files

You may choose to permanently delete any of the messages or files you sent while using the Service, which permanently deletes every copy of that message or file within the Service on your device, all devices of other chat members, and on our server. Other members of your chats may retain any files you sent them locally on their own devices outside of our Service. Deletion by you does not delete any copies of messages or files moved out of the Service by you or other chat members.

Automatic file deletion due to file retention limits

Each account has a file retention limit based on your subscription plan (1GB for free accounts, 3GB for Pro). This limit applies to files you send and is active for all Service accounts. As the total size of your sent files crosses your plan limit, we will automatically and permanently delete your oldest sent files to keep your account within that limit. This deletion is permanent and cannot be undone. Deleted files are removed from our servers and from the devices of everyone in the relevant chat. Each user is responsible for saving any files they wish to keep outside of the Service. By using the Service, you acknowledge and agree that this automatic deletion will occur and that we are not liable for any loss of files resulting from it.

Deleting all of your messages from a chat

You may choose to permanently delete all of the messages you sent within a chat from the Settings > Leave or Delete screen. Deleting your messages in this way will permanently delete them within the Service from all chat member devices locally as well as from our servers.

Deleting your account

When you delete your account, you are removed from all chats, your email address and any other account data stored by us is permanently deleted including message records addressed to you, and any Pigeon data on your device is deleted. Your previously sent messages are not automatically deleted as this is a separate action you can take (see above).

Your rights and choices

Access and portability

You may view your account and connected devices within the app. To request a copy of the personal data we hold about you, contact us at pigeonchat@proton.me.

Correction

If your email address changes, you may update it by contacting us.

Deletion

You may delete your account at any time from within the app or by contacting us at pigeonchat@proton.me. Upon deletion, we will permanently remove your email address and all associated account data as described in "Data Retention" above.

Push notifications

You may enable or disable push notifications at any time in your device settings. Disabling notifications revokes the push token and we will cease sending alerts to your device.

Objection and restriction (EEA/UK/Swiss users)

You have the right to object to processing based on legitimate interests, request restriction of processing, and lodge a complaint with your local data protection authority. Contact us at pigeonchat@proton.me to exercise these rights.

California residents (CCPA)

You have the right to know what personal information we collect and how it is used, to request deletion of your personal information, and to opt out of the sale of personal information. We do not sell personal information, so the opt-out right has no practical application here. To exercise any rights, contact us at pigeonchat@proton.me.

Other US state residents

Residents of states with applicable consumer privacy laws — including but not limited to Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA), and Nevada (SB 220) — have rights that may include: the right to access personal data we hold about you, to correct inaccuracies, to request deletion, to obtain a portable copy, and to opt out of the sale of personal data. We do not sell personal data. We will not discriminate against you for exercising any of these rights. To submit a request, contact us at pigeonchat@proton.me. We will respond within the timeframe required by your state's law.

Security

We protect your information through multiple layers:

  • End-to-end encryption: messages and files are encrypted on your device before transmission. We hold only ciphertext and cannot read your content.
  • Encrypted storage: all data stored on our servers is encrypted at rest.
  • Encrypted transit: all connections between your device and our servers use TLS.
  • Encrypted backups: your settings and device records are stored in encrypted form.
  • Access controls: we implement database-level access controls to ensure users can only access their own data.
  • Minimal collection: we limit what we collect to reduce the value of our systems as a target.

No security system is impenetrable. We take reasonable and industry-standard precautions, but we cannot guarantee absolute security.

For more detailed information on our Service security, see Security.

Children's privacy

The Service is not directed to children under the age of 13 (or under 16 for users in the European Economic Area). We do not knowingly collect personal information from children under these ages.

We do not collect age or date of birth during account creation. All sign-in screens display a notice that use of the Service constitutes agreement to this Privacy Policy and our Terms of Service, which require users to meet the applicable minimum age. If you are a parent or guardian and believe your child has created an account, contact us at pigeonchat@proton.me and we will promptly delete the account and all associated data. If we become aware that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information as quickly as possible.

International users

Our Service is operated by Merandian LLC from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country. Because messages are encrypted on your device before transmission, the data accessible to us and our infrastructure providers is limited to the encrypted content and the minimal metadata described in this policy.

EEA, UK, and Switzerland: We rely on the legal bases described in the "How We Use Your Information" section. For transfers of personal data from the EEA or UK to the United States, we rely on applicable transfer mechanisms, which may include Standard Contractual Clauses or equivalent safeguards as required by law. You have the right to lodge a complaint with your local supervisory authority.

Canada: We process personal information in accordance with PIPEDA and, for Quebec residents, Quebec Law 25. See "Legal basis for processing (Canada)" above for your rights.

Brazil: We process personal data in accordance with the LGPD. See "Legal basis for processing (Brazil)" above for your rights.

Australia: We handle personal information in accordance with the Australian Privacy Principles. See "Legal basis for processing (Australia)" above for your rights and how to contact the OAIC.

If you have questions about international data transfers or wish to exercise jurisdiction-specific rights, contact us at pigeonchat@proton.me.

Disclaimer of warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. MERANDIAN LLC DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE. YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK.

Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MERANDIAN LLC AND ITS MEMBERS, OFFICERS, EMPLOYEES, AGENTS, AND AFFILIATES SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF DATA, LOSS OF PRIVACY, LOSS OF PROFITS, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OUR TOTAL LIABILITY TO YOU FOR ANY CLAIMS ARISING OUT OF OR RELATED TO THIS POLICY OR THE SERVICE SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID US IN THE TWELVE MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS ($100).

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN WARRANTIES OR LIABILITY, SO SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU.

Governing law and dispute resolution

This Privacy Policy and any disputes arising from it are governed by the laws of the State of Virginia, United States, without regard to conflict-of-law principles.

Any dispute, claim, or controversy arising out of or relating to this Privacy Policy or our collection, use, or disclosure of your information that cannot be resolved informally shall be resolved by binding arbitration administered under the rules of the American Arbitration Association, with proceedings conducted in English. You waive any right to participate in a class action lawsuit or class-wide arbitration against Merandian LLC.

This section does not limit your rights under applicable data protection law in your jurisdiction, including your right to lodge a complaint with a supervisory authority.

Severability. If any provision of this Privacy Policy is found to be invalid or unenforceable under applicable law, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.

No waiver. Our failure to enforce any provision of this Privacy Policy does not constitute a waiver of our right to enforce it in the future.

No third-party beneficiaries. This Privacy Policy does not create any rights in third parties.

Entire agreement. This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Merandian LLC regarding the collection and use of your information, and supersedes any prior representations or agreements on that subject.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and append a summary of changes in the "Change Log" section below. If we make material changes that affect how we handle your personal information, we will notify users with accounts via email at least 14 days before the changes take effect.

Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy. If you do not agree with any changes, you should stop using the Service and delete your account before the changes take effect.

Contact us

For questions about this Privacy Policy, to exercise your rights, or to report a privacy concern:

Email: pigeonchat@proton.me

We will respond to privacy requests within 30 days. For requests from users in the EEA or UK exercising rights under GDPR, we will respond within the timeframes required by applicable law.

Change log

May 26, 2026 - Clarified files are stored per sender identity for plan limit calculation. Senders and recipients of files are still never available on our server.

May 25, 2026

  • Expanded automatic file deletion section to clarify that storage limits apply to all accounts, that deletion is permanent and removes files from all member devices, and that users are responsible for saving files they wish to keep outside the Service; added explicit acknowledgment of liability limitation.
  • Clarified message delivery metadata: we store recipient identifiers for routing but have no way to associate accounts with each other or reconstruct social graphs.
  • Noted that Apple and/or RevenueCat may collect device identifiers and subscription state for all users, including free users.
  • Clarified that IP addresses are not collected via the app, but that Vercel and Maileroo may log them for website visits and email delivery.
  • Confirmed click and open tracking is disabled in Maileroo.
  • Added disclosure that due to end-to-end encryption and zero-knowledge architecture, we can only produce encrypted ciphertext and limited metadata in response to legal demands — not readable message content, sender identity, or chat membership lists.
  • Updated children's privacy section to describe the agree-by-use notice shown on all sign-in screens.

May 24, 2026 — Original publish date.

Pigeon Chat App

Make it yours

Navigation
HomePricingFAQ
Company
Privacy PolicyContact

© 2026 Pigeon. All rights reserved. Built by Merandian.