
Frequently Asked Questions About Privacy

Everything you need to know about how NowHere treats location, messages, and the public ledger.

Does NowHere track my location?

No. Your location is used only by your device to filter which messages to show you. It never leaves your phone. We've built the system so location data is never transmitted to any server.

Can you read my messages?

No. Messages are stored in Apple's CloudKit using shared database zones that require recipient authentication via iCloud. Neither we nor Apple engineers can access message contents without the proper iCloud credentials. Only devices signed into authorized iCloud accounts can retrieve and decrypt messages.

Does the sender know if I saw their message?

No. There are no read receipts, delivery confirmations, or "seen by" lists. Senders have no way to know who successfully retrieved the message, who was in range, or who acted on it.

What information do you collect about me?

We collect:

  • A cryptographic hash of your email (for message discovery)
  • Aggregate, anonymized usage statistics
  • System performance metrics

We do not collect:

  • Your actual identity
  • Your location (current or historical)
  • Message contents
  • Whether you successfully retrieved any message
  • Social graph with real identities

What's the "public ledger" and why is it public?

The public ledger is a discovery index that helps your device determine whether a message is intended for you, without revealing who you are.

When someone shares a message with you, a ledger entry is created containing:

  • A cryptographic hash of your email (SHA-256)
  • A reference to the CloudKit share record

Your device periodically checks: "Is my email hash in this ledger?"

If yes, your device attempts to retrieve the message using the share reference. However, actual access requires iCloud authentication. CloudKit verifies: "Is this device signed into an iCloud account authorized for this share?"

If not authorized, the message cannot be retrieved—even though the device found the reference in the ledger.

In simple terms:

  • The ledger enables discovery: "Is there a message for me?"
  • CloudKit authentication controls access: "Can I actually get it?"
  • The ledger is "public" (world-readable) but meaningless without proper authentication
  • Hashes cannot be reversed to discover real identities without the original email list

Think of it like a locked mailbox directory: Everyone can see which mailboxes exist (hashed names), but only the person with the right key (iCloud credentials) can open their specific mailbox.

Can you see who my contacts are?

We see only cryptographic hashes that represent potential message recipients in the ledger. We cannot reverse these hashes to discover actual email addresses or identities without the original email list. Moreover, we cannot see who successfully retrieved messages—CloudKit authentication happens between the user's device and Apple's servers, invisible to us.

How is this different from "Find My Friends" or Life360?

Those apps upload everyone's real-time location to show you where people are. NowHere never collects anyone's location. Each device privately evaluates whether it's near a message's geographic bounds—the evaluation happens locally, without communicating position to anyone.

Additionally, NowHere doesn't even know who successfully received which messages. The ledger only enables discovery; CloudKit's iCloud authentication controls actual access.

What if someone finds my hashed email in the ledger?

The hash alone is useless. Even if someone discovers that a hash exists in the ledger and finds the corresponding share reference, they cannot retrieve the message without being signed into your specific iCloud account. CloudKit's authentication layer prevents unauthorized access.

Can law enforcement request my location data?

There is no location data to request. We don't collect it, don't store it, and have no technical ability to retrieve it. The system architecture makes this impossible.

Can law enforcement see who received a message?

We can see hashed identifiers in the public ledger (which shows potential recipients), but we cannot:

  • Reverse hashes to discover real identities without the original email list
  • Determine who successfully retrieved messages (authentication happens between devices and Apple)
  • Access message contents (encrypted in CloudKit, requires iCloud credentials)

The public ledger shows the topology of potential connections, but not actual delivery or engagement.

What about Apple? Can they see my messages?

Apple provides the CloudKit infrastructure and iCloud authentication. Messages are encrypted in CloudKit databases. While Apple operates the underlying infrastructure, its privacy policy and practices (especially in GDPR regions) protect against unauthorized access. We deliberately chose Apple's infrastructure for these privacy guarantees.

Location evaluation happens entirely on your device using iOS Core Location APIs—location data never reaches CloudKit servers.

How can I verify these privacy claims?

The app uses standard iOS and CloudKit APIs. Independent security researchers can:

  • Monitor network traffic to verify location is never transmitted
  • Observe that message retrieval requires iCloud authentication
  • Confirm the ledger contains only hashes and references, not actual data

We welcome security audits and will consider open-sourcing key privacy components in the future.

What if I'm signed into someone else's iCloud account?

Messages are delivered based on iMessage-enabled email addresses, not just the primary iCloud email.

How it works:

When you're signed into iCloud, you have multiple email addresses that can receive iMessages—visible in Settings → Messages → Send & Receive. These typically include:

  • Your primary iCloud email
  • Any additional emails you've verified and enabled for iMessage
  • The email you chose when using Sign in with Apple (real or relay)

Message delivery:

If someone sends a message selecting ANY of your iMessage-enabled emails as the recipient, and you have allowed the app to use them, your device will:

  1. Find the matching hash in the public ledger
  2. Retrieve the message from CloudKit
  3. Deliver it—because that email is associated with your signed-in iCloud account

Example scenarios:

Scenario 1: Multiple emails, one account

Scenario 2: Wrong iCloud account

  • You're temporarily signed into a friend's iCloud account
  • Someone sends a message to YOUR email (johannes@gmail.com)
  • The device checks the ledger using the friend's iMessage emails
  • No match found (your email isn't enabled on the friend's account)
  • Message not discovered or delivered

Scenario 3: Switching accounts

  • You receive messages on your work iPhone (signed into work iCloud)
  • You go home and sign into your personal iCloud on your iPad
  • If the sender used an email enabled on your personal account, you'll receive it there
  • If they used an email only enabled on your work account, you won't see it on the personal device

In short: Messages reach you if the recipient email the sender chose matches any of the iMessage-enabled emails for the iCloud account you're currently signed into—regardless of which specific email was used.
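The two-step flow described above (ledger discovery on the device, then CloudKit-gated access) and the multi-email scenarios in this section, modelled as an added Python example that is not NowHere's own code. The ledger entries, the share references and the account-to-share authorization table are constructed sample data, and the assumption that emails are trimmed and lowercased before hashing is ours; the FAQ only says the ledger stores a SHA-256 of the email.

```python
import hashlib
from dataclasses import dataclass


def email_hash(email: str) -> str:
    """SHA-256 of the address. Canonicalisation (trim + lowercase) is an assumption
    made for this example; the FAQ does not specify it."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    recipient_hash: str   # SHA-256 of a recipient email, nothing else about them
    share_ref: str        # opaque reference to the CloudKit share record


# Constructed world-readable ledger (sample data, not real records).
LEDGER = [
    LedgerEntry(email_hash("johannes@gmail.com"), "share-001"),
    LedgerEntry(email_hash("j.doe@work.example"), "share-002"),
    LedgerEntry(email_hash("someone.else@example.org"), "share-003"),
]

# Constructed stand-in for CloudKit's side of the check: which iCloud account
# each share was issued to. This table lives with Apple, never with the app.
SHARE_OWNER_ACCOUNT = {
    "share-001": "icloud:johannes",
    "share-002": "icloud:johannes-work",
    "share-003": "icloud:someone-else",
}


def cloudkit_authorized(share_ref: str, signed_in_account: str) -> bool:
    """Model of the server-side gate: only the authorized account may fetch the share."""
    return SHARE_OWNER_ACCOUNT.get(share_ref) == signed_in_account


def discover(enabled_emails: list[str], ledger: list[LedgerEntry]) -> list[str]:
    """Step 1, entirely on-device: hash every iMessage-enabled email of the
    signed-in account and look for those hashes in the downloaded ledger."""
    mine = {email_hash(e) for e in enabled_emails}
    return [entry.share_ref for entry in ledger if entry.recipient_hash in mine]


def deliver(signed_in_account: str, enabled_emails: list[str], ledger: list[LedgerEntry]) -> dict:
    """Step 2: try to fetch each discovered share; CloudKit decides access.
    Nothing is reported back, so the outcome stays on the device."""
    found = discover(enabled_emails, ledger)
    delivered = [ref for ref in found if cloudkit_authorized(ref, signed_in_account)]
    return {"discovered": found, "delivered": delivered}
```

Running `deliver` for a device signed into the friend's account (Scenario 2) yields no match at all, while a device that has the right email enabled but is not the share's authorized account discovers the reference and still gets nothing, which is the "found in the ledger but not authorized" case above.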

Can someone impersonate me to get my messages?

No. Retrieving a message requires:

  1. Finding your hashed email in the ledger (possible but reveals nothing)
  2. Being signed into your iCloud account (impossible without your credentials)

Apple's iCloud authentication is industry-standard and includes two-factor authentication protections.

Does the ledger create a "social graph" you can analyze?

The ledger creates a graph of potential connections (hashed identities pointing to share references), but:

  • Identities are hashed and cannot be reversed without the source emails
  • We cannot determine who actually retrieved messages
  • We cannot see message contents
  • We cannot determine engagement or behavior

It's a topology of possibilities, not a profile of actual social relationships.

Why not make it fully private instead of using a public ledger?

A fully private system would require each sender to directly notify each recipient through Apple's push notification system, revealing sender activity patterns. The public ledger enables discovery without creating direct sender→recipient notification patterns.

Additionally, devices can check the ledger periodically without revealing which messages they're interested in (since the check happens locally after downloading the entire relevant portion of the ledger).

Are messages end-to-end encrypted?

Messages are encrypted in transit and at rest within CloudKit. They can only be decrypted by devices with proper iCloud authentication. This provides strong privacy protection, though technically it's CloudKit-mediated encryption rather than traditional end-to-end encryption between sender and recipient devices.

What's your data retention policy?

  • Expired messages are automatically deleted from local devices
  • CloudKit may retain them per Apple's policies until explicitly removed
  • The public ledger retains hashed connection records to enable ongoing discovery
  • You can request complete account deletion, which removes all your data from our systems and stops future ledger entries

Are you GDPR compliant?

Yes. The architecture minimizes data collection and processing. We:

  • Don't track location
  • Don't profile users
  • Cannot determine message access or engagement
  • Use Apple's GDPR-compliant infrastructure
  • Provide data deletion functionality

Users have the right to access their data (primarily hashed ledger entries), correct it, and delete it.

Why should I trust you?

You shouldn't trust us—you should trust the architecture. We deliberately built a system where trust isn't required because we genuinely cannot access sensitive data:

  • Your location never reaches us
  • Your messages are encrypted and we can't decrypt them
  • We can't determine who retrieved what
  • The system works even if you assume we're untrustworthy

The privacy guarantees come from the technical architecture and Apple's authentication system, not from our promises.