HushDM ("HushDM", "we", "our") is a private photo vault app for iPhone and iPad. This Privacy Policy explains what information the app collects, how we use it, and the choices you have. The short version: your vault content lives on your device and is encrypted with a key only you control — we cannot read it.
1. Information we do not collect
We do not collect, store, or have access to the photos, videos, or messages you put in your HushDM vault. Vault content is encrypted locally on your device using industry-standard cryptography. The decryption key is derived from your passcode and is never transmitted to our servers. If you lose your passcode and recovery key, we cannot recover your vault.
2. Information we collect
To deliver account features, subscriptions, and optional sharing between HushDM users, we collect a small amount of information:
- Account identifier. A random user key generated on first launch, used to identify your account on our server and to let other HushDM users add you via QR code or shared link.
- Authentication data. If you sign in with Apple or Google, we receive your email address and a persistent sign-in token from the provider. We use this only to recognize you on future launches. We never see your Apple or Google password.
- Profile picture (optional). If you upload a profile picture, it is stored in our storage so that people you share your code with can see it. You can remove it at any time.
- Public encryption key. To enable end-to-end encrypted messaging with other HushDM users, your public key is published to our server. Your private key stays on your device.
- Subscription receipts. When you purchase a subscription, Apple provides us with an anonymized receipt so we can unlock premium features for your account. We do not see your payment details.
- Diagnostics. We may collect crash reports and basic performance metrics (device model, OS version, app version, error stack traces) to keep the app stable. These reports do not include vault content.
3. iCloud backup
HushDM supports an optional encrypted backup of your vault to your personal iCloud account. When enabled, a ciphertext copy of your vault is written to your private iCloud container. Apple's iCloud storage terms apply. We do not have access to your iCloud container. You can disable iCloud backup at any time in Settings.
4. Third-party services
We use a small number of third-party services to operate the app:
- Apple. App Store purchases, Sign in with Apple, and iCloud storage are handled by Apple under Apple's Privacy Policy.
- Google Sign-In. If you choose Google as your sign-in method, Google provides us with your email address under its own privacy policy.
- Cloudflare. Our storage and delivery infrastructure runs on Cloudflare. Cloudflare processes encrypted bytes only.
- Crash and analytics SDKs. We may use Apple-native diagnostics and a privacy-respecting analytics provider to collect anonymous usage metrics. These tools are configured to not collect personally identifying information or vault content.
5. How we use information
We use the information listed above only to operate HushDM: to log you in, deliver your subscription, let other HushDM users find you by code, encrypt messages between users, and keep the app reliable. We do not sell your information, and we do not use it for advertising.
6. Your choices and rights
- You can export or delete your vault content from inside the app at any time.
- Account deletion. You can delete your account from Profile → Danger zone → Delete account. Deletion is immediate and irreversible: we hard-delete your account identifier, profile picture, public and signed prekeys, one-time prekeys, conversation metadata, contact links, chat attachments, device records, and active session tokens. Messages you had already sent to another HushDM user remain on that user's device in decrypted form; we cannot remotely reach into another person's device to remove them.
- Depending on where you live, you may have the right to access, correct, or delete information we hold about you. Contact us at [email protected] and we will respond within 30 days.
7. Emergency PIN and Decoy PIN
HushDM lets you configure an optional Emergency PIN and, with a premium subscription, a Decoy PIN. These are user-controlled safety features; you decide whether to enable them.
- Emergency PIN. Entering this PIN immediately and irrevocably wipes every HushDM vault item from your device, your iCloud backup container, and our servers. The wipe also disables push notifications and signs you out of every active session. There is no recovery after an Emergency PIN is entered, and there is no confirmation prompt — that is the point of the feature.
- Decoy PIN. Entering your Decoy PIN unlocks a separate, isolated Decoy vault with its own albums and chats. The Decoy vault contains only content you explicitly place there; it is never populated with automatically generated or fake content. HushDM never presents real content to a user who enters the Decoy PIN.
8. Messaging, moderation, and abuse reports
Messages sent between HushDM users are end-to-end encrypted. We cannot read them in transit or at rest. Because of that, HushDM does not automatically scan, filter, or moderate the content of your chats.
You control moderation through three mechanisms:
- Block. You can block any contact from the chat or contact-info screen. A blocked user cannot send you any further messages or start a conversation with you.
- Report. Long-press any incoming message and choose Report. The app uploads a plaintext copy of the reported message along with a category (spam, harassment, sexual content, violence, child sexual abuse, or other). We use that report solely to review the reported content.
- Muted words. From Settings → Safety you can add keywords. Any incoming message containing a muted keyword is hidden on your device; the filter runs locally and never leaves your phone.
24-hour response commitment. Our team reviews abuse reports within 24 hours of submission. Depending on what we find, we may remove the reported user's account from HushDM, restrict their ability to send messages, or refer the matter to law enforcement where legally required. Reports involving child sexual abuse material are escalated immediately, preserved, and reported to the National Center for Missing & Exploited Children (NCMEC) or the equivalent authority in your jurisdiction.
HushDM does not tolerate harassment, threats of violence, non-consensual sexual content, or content that endangers minors. Using HushDM for those purposes will result in account termination.
9. Children
HushDM is not directed to children under 13, and we do not knowingly collect information from children. If you believe a child has given us information, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date and, where appropriate, notify you in-app before the change takes effect.
11. Contact
Questions or requests? Email [email protected].
Note: this document is a starting point written to match HushDM's actual behavior. Please have your legal counsel review and tailor it to your jurisdiction before relying on it publicly.