Privacy Policy

Last Updated: May 1, 2026

Overview

SocialMesh ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we handle information when you use our mobile application ("App").

SocialMesh is intended for users aged 18 and older. The App is not designed for, marketed to, or intended to be used by children under 18.

Our Privacy Commitment

SocialMesh is designed with privacy as a core principle. We believe your communications should belong to you, not to corporations or third parties.

Data We Do NOT Collect

• No Account Required for Core Features: You do not need to create an account to use mesh radio communication features. An optional account is required only for social features (profiles, posts, signals with images, cloud sync).
• No Mesh Message Storage: Your mesh radio messages are transmitted directly between devices via the Meshtastic mesh network. We do not have access to, store, or process your mesh messages on any server. Messages are stored only on your device. Because mesh transmissions are relayed by third-party devices in a decentralised network, messages cannot be recalled once sent over radio.
• No Location Tracking: While the App may use GPS for mesh network functionality, your location data stays on your device and is only shared with other mesh network participants if you choose to enable location sharing.
• No Behavioral Analytics or Ad Tracking: We do not profile your behavior, build advertising profiles, or sell data to third parties. The App includes opt-in usage analytics and crash reporting (both disabled by default) which you can control from Settings > Privacy. See the Consent and Controls and Third-Party Services sections below.
• No Advertising: We do not display advertisements or share data with advertising networks.

Data That Stays on Your Device

The following data is stored locally on your device and is never transmitted to us:

• App settings and preferences
• Mesh radio message history
• Node information and contacts
• Saved routes and waypoints
• Ringtone and theme preferences
• TAK entity data (callsigns, positions, CoT types) received from the TAK Gateway, if the feature is enabled

Data Stored on Our Servers

If you create an account and use social features, the following data is stored on our servers (Google Firebase):

• Profile information: Display name, avatar image, banner image, and bio text you provide
• Social content: Posts, comments, likes, signal images, and stories you create
• Social connections: Follow relationships and follow requests
• Shared mesh data: Nodes and channels you choose to share with other users
• Push notification tokens: Device tokens used to deliver notifications, stored with the device platform and last-updated timestamp
• Presence status: Online/offline status and last-seen timestamp
• Device Shop activity: Products you favorite and any reviews you write are stored on our servers so they appear across your devices and so other users can see your reviews. Anonymous product view and favorite counts are also incremented on the product record.

This data is used solely to provide the social features you opted into. It is not sold, shared with advertisers, or used for profiling. You can delete all server-side data at any time by deleting your account (see Account Deletion below).

Background Processing (Android)

On Android, the App may continue processing incoming mesh radio data while running in the background. This uses an Android foreground service to maintain the Bluetooth Low Energy (BLE) connection to your radio. During background operation:

• Incoming messages are decoded and stored in your device's local database so they are available when you return to the App.
• Sender names are resolved from the locally stored node directory to display meaningful notifications.
• Local notifications may be shown for new messages based on your notification preferences.

All background processing happens entirely on your device. No message content, node information, or connection data is transmitted to us or any third party during background operation. You can disable background connectivity in the App's settings.

Signals Feature

Signals are ephemeral messages broadcast over the Meshtastic mesh network. They:

• Are stored locally on your device until they expire
• Are never uploaded to any server unless you sign in and attach an image
• Expire automatically based on the TTL you select (15 minutes to 24 hours)
• Never contain analytics or tracking data

When signed in, image uploads are stored temporarily in secure cloud storage for mesh sharing. Images inherit the Signal's TTL and are deleted when the Signal expires.

Consent and Controls

The App is designed with privacy-by-default:

• Analytics and crash reporting are disabled by default. Both Firebase Analytics and Firebase Crashlytics are turned off at app startup and remain off until you accept the Terms of Service and Privacy Policy.
• You can independently enable or disable usage analytics and crash reporting at any time from Settings > Privacy.
• When disabled, the Firebase SDK silently drops all events and crash data. No data is transmitted.
• IFTTT Webhooks integration requires you to explicitly configure a webhook key. A disclosure is shown before your first webhook configuration explaining that mesh data will be sent to IFTTT servers.
• Debug exports redact message text and coarsen GPS coordinates. A disclosure banner is shown before sharing.
• Bug reports mask your email address and hash your user identifier before transmission.

Data Retention

We retain data only as long as necessary to provide the service. Specific retention periods:

• Local messages: Up to 500 per conversation, auto-trimmed
• Local routes: Auto-deleted after 365 days
• Local node directory: Capped at 10,000 entries, oldest entries pruned first
• Presence data: Expires after 30 days of inactivity (automatically cleaned up)
• Shared nodes: Expire after 90 days (automatically cleaned up)
• Firebase Analytics data: Google's default retention of 14 months (if you opted in)
• Firebase Crashlytics data: Google's default retention of 90 days (if you opted in)
• All server-side data: Permanently deleted when you delete your account

Third-Party Services

Firebase Analytics (Usage Analytics)

If you opt in via Settings > Privacy, we use Firebase Analytics to understand which features are used most. This may collect:

• Anonymous app instance identifiers
• Feature usage events (screen views, button taps)
• Device type and operating system version
• App version

No message content, node names, GPS coordinates, or personal information is included in analytics events. Analytics is disabled by default and can be toggled off at any time.

RevenueCat (In-App Purchases)

We use RevenueCat to process in-app purchases. RevenueCat may collect:

• Anonymous transaction identifiers
• Purchase history for your account
• Device identifiers for purchase restoration

RevenueCat's privacy policy: https://www.revenuecat.com/privacy

Firebase Crashlytics (Crash Reporting)

If you opt in via Settings > Privacy, we use Firebase Crashlytics to collect crash reports to improve app stability. Crash reporting is disabled by default. This may include:

• Device type and operating system version
• App version
• Crash logs and stack traces
• SHA-256 hashed installation identifier (truncated; the original identifier is not transmitted)

No personal information or message content is included in crash reports. All error reports are routed through a centralized handler that sanitizes PII before recording.

Firebase's privacy policy: https://firebase.google.com/support/privacy

OpenSky Network (Sky Scanner)

The Sky Scanner feature uses the OpenSky Network API to display live flight position data for scheduled flights. When you view an active flight, we query OpenSky Network with the flight callsign to retrieve:

• Aircraft position (latitude, longitude, altitude)
• Flight velocity and heading
• Ground status

This data is fetched on-demand and is not stored. We do not send any personal information to OpenSky Network.

OpenSky Network's privacy policy: https://opensky-network.org/about/privacy-policy

Meshtastic Network

Communications over the Meshtastic mesh network are peer-to-peer. We have no involvement in or access to mesh network communications. Please refer to the Meshtastic project for information about mesh network privacy: https://meshtastic.org

TAK Gateway

If you enable the TAK Gateway feature, the App connects to a SocialMesh-operated server via WebSocket to stream Cursor-on-Target (CoT) map entity data. During this connection:

• Your Firebase ID token is sent to authenticate the WebSocket connection
• CoT entity data (callsigns, positions, types, and affiliations) is received and displayed on the map
• Received entity data is stored locally on your device and is not forwarded to any other party

No message content, mesh node data, or personal information is sent to the TAK Gateway beyond the authentication token. The gateway URL is configurable in TAK Settings. This feature is optional and disabled by default.

IFTTT Webhooks (Automations)

If you configure IFTTT Webhooks in Automations settings, the App sends event data to IFTTT's servers when triggers fire (e.g., message received, node online/offline, position update, battery low, SOS emergency). Each webhook POST includes up to three text values describing the event.

This feature is optional, disabled by default, and requires you to provide your own IFTTT Webhook key. A disclosure is shown before your first configuration. No data is sent to IFTTT unless you explicitly enable and configure it.

IFTTT's privacy policy: https://ifttt.com/privacy

Device Shop (Marketplace)

The Device Shop is an in-app catalog of Meshtastic-compatible radios and accessories from third-party sellers. Browsing the shop involves:

• Catalog and seller profiles: Loaded from our servers (Google Firebase) when you open the shop. No identifying information about you is sent to retrieve the catalog.
• Product images: Hosted on Firebase Storage and on sellers' own image hosts; standard HTTPS image requests are made by the App when product cards are displayed.
• LilyGo product data: For products from the LilyGo brand, the App fetches public product information directly from lilygo.cc on demand. These requests are anonymous and contain no personal information.
• Outbound links to seller stores: Tapping “Buy Now” or a seller's website opens the seller's official store in your device's browser. From that point onward, the seller's own privacy policy applies. SocialMesh does not handle payment, shipping, warranty, or returns; we may earn a small commission on purchases made through these links.
• Local interaction analytics: Counts of which products you tapped “Buy Now” on, and any partner-contact or discount-code interactions, are stored only on your device to improve the popularity ordering you see locally. These counts are never transmitted off your device.
• Favorites and reviews: If you favorite a product or write a review, that activity is stored on our servers as described in Data Stored on Our Servers. You can remove favorites and reviews at any time, and they are deleted automatically when you delete your account.

The Device Shop does not track your browsing across products, does not share your identity with sellers, and does not pass any personal information to seller stores when you tap an outbound link.

Sigil API (Node Identity Artwork)

The Sigil API generates unique visual emblems for mesh nodes. When you view a node's sigil, the App sends a hashed node identifier to our Sigil API server. No personal information, GPS data, or message content is included in these requests.

Account Deletion

You can delete your account at any time from the Profile screen in the App. When you delete your account, the following data is permanently and irreversibly erased:

• Server-side data: Your user profile, social profile, presence record, all posts and their comments and likes, all stories, follow relationships, follow requests, shared nodes, shared channels, Device Shop favorites, and Device Shop reviews are deleted from our servers
• Uploaded files: Profile avatars, profile banners, story images, signal images, post images, and bug report attachments are deleted from cloud storage
• Subscription data: Your subscriber record is removed from our payment processor (RevenueCat)
• Push notification tokens: All registered device tokens are removed
• Local data: All local databases (messages, signals, routes, node directory, telemetry, automations, widgets, traceroute history, TAK events, and packet deduplication), app preferences, and secure storage are wiped from your device
• Authentication record: Your Firebase Authentication account is deleted

This process is automated and typically completes within seconds. Account deletion is permanent and cannot be undone.

Data Security

Your mesh radio messages, node data, and app settings are stored locally on your device and protected by your device's built-in security features.

If you use social features, your profile and content data is stored on Google Firebase servers, protected by Firebase's security infrastructure including encryption in transit and at rest. Access is controlled by Firebase Authentication and Firestore security rules.

Crash reports collected by Firebase Crashlytics are stored on Google's servers under their security practices. Purchase records managed by RevenueCat are stored on RevenueCat's servers. In both cases, the data is limited to diagnostic and billing purposes and does not include message content or personal communications.

Children's Privacy and Minor User Safety

Our App requires users to be 18 or older. We do not knowingly collect any personal information from users under the age of 18. Since we don't collect personal information from any users, this applies universally.

Users aged 13–17 who confirm their age range at app startup will have privacy-enhanced defaults applied automatically, including a larger location blur radius that prevents street-level location resolution.

Brazil — Lei 15.211/2025 (Digital ECA). In compliance with Brazil's Lei Federal 15.211/2025 (Estatuto da Criança e do Adolescente Digital), SocialMesh applies age attestation at first launch and at each policy-version update. All users under 18 receive privacy-enhanced processing defaults. The app does not collect biometric data, precise location, or advertising identifiers from any user, regardless of age. Parents or guardians of users aged 13–17 may contact us at privacy@socialmesh.app to request information about data practices.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy in the App and updating the "Last Updated" date.

Your Rights

You have the following rights regarding your data:

• Right to deletion: You can delete your account and all associated server-side data at any time from the Profile screen in the App. See Account Deletion for details of what is erased.
• Right to access: You can view all data associated with your account within the App (profile, posts, follows, shared nodes).
• Local data: You can clear all locally stored app data at any time through your device settings or by deleting your account.
• Third-party data: For data held by third-party services (Crashlytics crash reports, RevenueCat purchase records), please refer to their respective privacy policies linked above.

If you have questions about your data or wish to exercise your rights under GDPR, the Australian Privacy Act, CCPA, or other applicable privacy legislation, please contact us at privacy@socialmesh.app.

Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Privacy enquiries: privacy@socialmesh.app
General support: support@socialmesh.app
Safety reports: Safety & Reporting page or support@socialmesh.app
Website: https://socialmesh.app