boopr
Legal
Aug 15, 2026

Privacy Policy

Effective April 25, 2026

How we protect your data — and what we structurally cannot see.


Boopr LLC (“boopr,” “we,” “us,” or “our”) operates the boopr mobile application (the “Service”). This Privacy Policy explains what information we collect, how we use it, what we cannot access due to end-to-end encryption, and your rights under applicable law. This Privacy Policy applies to users of the Service located in the United States. boopr is currently available only to users physically located in the United States and its territories. This Privacy Policy is governed by and complies with the laws of the United States, including applicable federal and state privacy laws.

Our core principle: We designed boopr so that we structurally cannot read your content. Your posts, profile information, and photos are end-to-end encrypted on your device before they reach our servers. We hold only ciphertext, and we never hold the keys needed to decrypt it. For your content, this is not a policy promise but a property of the system's architecture: decryption keys exist only on your devices. Some operational metadata is necessarily visible to our servers, as described in Section 7 below.

1. Who We Are

Boopr LLC is responsible for processing your personal data under this Privacy Policy. You can reach us at:

Boopr LLC
2810 N Church St, PMB 748102
Wilmington, DE 19802-4447

Privacy inquiries and consumer rights requests: [email protected]
Legal inquiries: [email protected]
Security vulnerabilities: [email protected]
CSAM reports: [email protected] (subject: “CSAM Report”)
NCII reports: [email protected] (subject: “NCII Report”)

2. Scope of This Policy

This Privacy Policy applies to the boopr mobile application and all related services operated by Boopr LLC. boopr is available only to users located in the United States and its territories. By using boopr, you represent that you are physically located in the United States.

This Privacy Policy does not cover third-party services (such as Apple, Google, or their respective app stores) that you may interact with in connection with boopr. Those services are governed by their own privacy policies.

We practice strict data minimization. We collect only the data necessary to operate the Service and do not collect more information than is reasonably necessary and proportionate to the purposes described in this policy.

3. Information We Collect

We do not require an email address, phone number, real name, or any other personally identifying information to create an account. Below is an exhaustive list of the categories of information we collect, organized by both common language and the categories defined by the California Consumer Privacy Act (CCPA).

Notice at Collection (Cal. Civ. Code § 1798.100(b)). The categories of personal information we collect are listed in Sections 3.1 through 3.14 below. The categories of sensitive personal information we collect (and how that collection is structurally limited by end-to-end encryption) are described in Section 16. The purposes for which we collect each category are described in Section 8 (How We Use Your Information). Our retention period for each category is described in Section 10 (Data Retention). We do not sell or share personal information for cross-context behavioral advertising, and there is therefore no sale or sharing opt-out (see Section 15). We do not use sensitive personal information for purposes other than those permitted under California Code of Regulations title 11, § 7027(m).

3.1 Account Information

CCPA category: Identifiers. Source: Directly from you at registration.

When you create an account, we generate and store:

  • User ID: A randomly generated unique identifier (UUID) with no connection to your real-world identity
  • Cryptographic public keys: Your Ed25519 signing key and X25519 encryption key, used to verify your identity and enable end-to-end encryption
  • Encrypted profile blob: Your display name, bio, birthday (month and day only, no year), and avatar image are encrypted with keys you control before being stored on our servers. We store this data as opaque ciphertext and cannot read it.
  • Birthday (optional, in encrypted profile): You may choose to set a birthday (month and day only, no year) in your encrypted profile. This is shared with friends for client-side birthday reminders and is encrypted with keys we do not hold. boopr does not collect or store a date of birth at account registration; eligibility under our 13+ age requirement is established by your representation in the Terms of Service and the invite-only registration model.
  • Account status: Whether your account is active, restricted, banned, or scheduled for deletion
  • Last-active timestamp: Updated when your account makes API requests, so we can power the inactive-token cleanup and feature presence indicators visible to your friends
  • Employee flag: A flag indicating whether the account belongs to a member of the boopr team (controls access to employee-only features in development builds)
  • Founder and early adopter status: Whether you have been designated as a founder or early adopter (OG). These are non-purchasable status flags used for earned recognition in the app. For founding supporters, we also store a subscriber number indicating your position among early subscribers.
  • Lightweight client preferences: A small number of plaintext booleans that control client behavior, such as whether you have read receipts and typing indicators enabled in direct messages.
  • Account creation timestamp

3.2 Connection Metadata

CCPA category: Identifiers; Internet or other electronic network activity information. Source: Generated when you connect with friends.

When you connect with friends, we store:

  • That a connection exists between two user IDs, and its status (pending or accepted)
  • Which user initiated the connection request
  • When the connection was created
  • Encrypted key material shared between friends (which we cannot decrypt)

3.3 Encrypted Content

CCPA category: See Section 16 (Sensitive Personal Information). Source: Directly from you when you create content.

We store the following as encrypted ciphertext that we cannot and do not decrypt or read:

  • Posts: Text and photo posts encrypted with a random per-post symmetric key (XChaCha20-Poly1305), with that key wrapped individually to each intended recipient’s X25519 public key
  • Comments: Private replies encrypted to exactly two recipients (post author and commenter)
  • Reactions: Encrypted with the same keys as the content they react to
  • Boops: Lightweight interactions encrypted between sender and recipient
  • Photos and videos: All images and videos are encrypted on your device before upload, including thumbnails
  • Profile video: If you set an animated profile (boopr+), it is encrypted on your device before upload, including its thumbnail
  • Per-recipient key packets: Post decryption keys encrypted to each authorized friend’s public key

3.5 Device Information

CCPA category: Identifiers. Source: Collected from your device when you enable push notifications.

To deliver push notifications, we store:

  • Encrypted device token: Your device’s push notification token, encrypted at rest with AES-256-GCM, with your user ID and platform bound in as additional authenticated data. Because the authentication tag covers that data, a token ciphertext copied into another user’s record will fail to decrypt rather than yield a usable token. Our server must decrypt the token to send push notifications through Apple’s or Google’s push services, so the server holds the encryption key; this protects the token against exposure of the database alone, not against compromise of the server itself.
  • Platform type: Whether you use iOS or Android
  • Notification authorization level (iOS): Whether the operating system has granted full or provisional notification permission. Used to avoid sending pushes that would be silently dropped.
  • Token registration and last-used timestamps

3.6 Session Information

CCPA category: Internet or other electronic network activity information; Identifiers. Source: Generated when you authenticate.

  • Hashed session tokens (we cannot reverse these to obtain the actual token)
  • Session creation and expiration timestamps
  • Encrypted device information: Basic device information (such as platform and app version) encrypted at rest on our servers, used to identify active sessions for security purposes
  • Hashed device fingerprint: A one-way hash of device characteristics used to detect suspicious session activity (e.g., the same account authenticating from many different devices in rapid succession). We cannot reverse this hash to identify your specific device.

3.7 Invite Chain Information

CCPA category: Identifiers. Source: Generated when you create or use invite codes.

boopr is invite-only. To maintain accountability, we store:

  • Which user ID invited which other user ID
  • Cryptographic signatures proving invite chain authenticity
  • Invite creation, usage, and expiration timestamps
  • Invite status (pending, used, expired, or revoked)
  • Your remaining invite count
  • Accountability records: Time-bounded accountability periods linking inviter and invitee (as described in our Terms of Service). These records include a full accountability period and a shared accountability period, both with defined end dates. These are retained for the duration of both accounts.

3.8 Subscription Information

CCPA category: Commercial information. Source: Received from Apple App Store or Google Play Store.

If you subscribe to boopr+, your payment is processed entirely by Apple (App Store) or Google (Play Store). We receive the following from Apple or Google:

  • Subscription status (active, expired, cancelled, or in grace period)
  • Subscription type (monthly or annual)
  • Original purchase date and expiration date
  • Transaction identifiers (opaque IDs assigned by Apple or Google)
  • Renewal status

We do not receive or store your payment method, billing name, billing address, or any financial information. All payment processing is handled by Apple or Google. For information about how they handle your payment data, refer to their respective privacy policies.

3.9 Screenshot Event Data

CCPA category: Internet or other electronic network activity information. Source: Generated automatically by the app.

When the app detects a screenshot in a protected context (a feed post, a profile, a comment thread, or a boop), an end-to-end encrypted notification may be sent to the other party. The server stores a record indicating that an event of a given context type occurred between two user IDs at a particular time, plus an opaque encrypted payload that we cannot decrypt. By using the Service, you consent to this screenshot detection functionality.

3.10 Server Logs

CCPA category: Internet or other electronic network activity information; geolocation data (approximate, IP-derived only). Source: Automatically collected from your device.

Our servers process IP addresses transiently for the purpose of enforcing rate limits and preventing abuse. Raw IP addresses are held only in memory (rate-limit buckets are cleared within 24 hours) and are never written to disk, database, or persistent logs. For abuse detection we store a keyed HMAC-SHA256 hash of the IP rather than the IP itself. The HMAC key (the “salt”) is a server-held secret that rotates monthly, so hashes from one month cannot be correlated with hashes from another, and without the key a hash cannot be matched back to an IP address. We do not use IP addresses for tracking, profiling, or identification of users.

3.11 Abuse Detection Signals

CCPA category: Internet or other electronic network activity information. Source: Automatically derived from server activity.

To protect the platform from spam, brute-force attacks, and coordinated abuse, we maintain a structured abuse detection system separate from general server logs. This system stores:

  • Hashed IP addresses: One-way HMAC-SHA256 hashes of IP addresses keyed with a monthly-rotating secret salt. Without the key in use that month, a hash cannot be matched back to an IP address, and hashes from one month cannot be correlated with hashes from another.
  • Event type: The category of suspicious activity detected (e.g., excessive failed login attempts, rapid account creation)
  • Expiration: Abuse signal records are automatically deleted after their expiration period

3.13 Content Reports

CCPA category: Identifiers; Internet or other electronic network activity information. Source: Directly from you when you submit a report.

When you report a user or content, your device sends the following to our servers:

  • Reporter and reported user IDs
  • Content type: Whether the reported item is a post, profile, or boop
  • Content ID: The identifier of the specific reported item
  • Report reason: A category you select from a fixed list (harassment, spam, inappropriate content, impersonation, CSAM, NCII, or other)
  • Your written description: A description you write in your own words explaining what happened (up to 1,000 characters)
  • Report status and timestamps: When the report was submitted, its review status, and any reviewer notes

No encrypted content is decrypted or transmitted to our servers as part of the report process. We do not receive post content, images, videos, or any other E2E encrypted data when you submit a report. Your written description is the primary information we use to assess the situation.

Reports are rate-limited to 10 per hour per user. You cannot report the same content more than once. Self-reporting is not permitted.

3.14 Encrypted Client Data (Blocks, Mutes, Friend Groups)

CCPA category: Identifiers (encrypted); Internet or other electronic network activity information. Source: Directly from you, encrypted on your device before upload.

Your block list, mute list, friend groups, and saved places are encrypted on your device with a key derived from your profile key, and synced to our servers as opaque ciphertext for device recovery. We cannot decrypt or read these lists. We can see that an encrypted blob of a given category (e.g., “block_list”) exists for your account, along with its size and last-updated timestamp, but not its contents.

Blocking and muting are currently enforced on your device only: blocked or muted users do not appear in your feed, friend list, or notifications. Our servers do not reject friend requests, boops, or other API calls from blocked users. We may add server-side enforcement of blocks in the future; if we do, we will update this policy.

4. Information We Do Not Collect

We designed boopr to minimize data collection. We do not collect or store:

  • Email addresses
  • Phone numbers
  • Real names (your display name is encrypted; we cannot read it)
  • Contacts from your address book
  • Analytics or telemetry data
  • Advertising identifiers (IDFA, GAID)
  • Browsing or search history
  • Biometric data (see Section 19 for details on biometric authentication)
  • Cookies or tracking pixels (our landing site uses no cookies)

5. Information We Cannot Access

Due to end-to-end encryption, the following data exists on our servers only as ciphertext that we cannot decrypt, because the keys exist only on your devices:

  • Post content: Each post is encrypted with a unique symmetric key, which is then encrypted individually to each authorized recipient’s public key
  • Comments: Encrypted to exactly two parties (post author and commenter); we cannot read them
  • Profile information: Your display name, bio, birthday (month and day only, no year), and avatar are encrypted with a key derived from your recovery phrase. Birthday reminders are generated entirely on your device—our servers never see your birthday.
  • Photos, videos, and thumbnails: Encrypted with XChaCha20-Poly1305 before upload; EXIF metadata is stripped client-side before encryption
  • Reactions and boops: Encrypted with content-specific or conversation-specific keys
  • Your private keys: Generated on your device and protected by hardware-backed security — Secure Enclave (iOS) or StrongBox/TEE (Android). Keys are wrapped with hardware-derived encryption keys and require the device to be unlocked. They never leave your device and are never transmitted to us.
  • Your recovery phrase: A 24-word mnemonic generated on your device. It is never transmitted to our servers. If you lose it, we cannot recover your account.
  • Block lists, mute lists, friend groups, and saved places: Encrypted on your device and synced to our servers as opaque ciphertext for device recovery (see Section 3.14). We cannot decrypt or read who you have blocked or muted, how you organize your friends, or which places you have saved. Blocking and muting are enforced on your device only.

6. Privacy Limitations

While we cannot read your content, we believe in full transparency about what our architecture does and does not protect. End-to-end encryption protects content but does not hide all metadata. The following are known limitations:

  • Social graph inference: Because encrypted posts are routed to specific recipients, an adversary with server access can infer friendship connections between user IDs from which posts are delivered to whom (see Section 7). Pseudonymous identifiers (UUIDs with no linkage to personally identifiable information) and the invite-only model limit what such a graph reveals about real-world identities; they do not hide the graph itself.
  • EXIF metadata: Photo metadata (GPS coordinates, camera model, timestamps) is stripped client-side before encryption. Because images are encrypted before upload, our servers cannot independently verify that EXIF stripping occurred.

7. Metadata We Can Observe

While we cannot read your content, operating a communication service necessarily exposes certain metadata:

  • Timing metadata: When posts are sent and received
  • Connection graph: That a connection exists between two user IDs. An adversary with server access could determine who is connected to whom by analyzing which encrypted posts are routed to which users.
  • Activity patterns: When you use the app, based on API request timestamps, including last activity timestamp
  • Payload sizes: The size of encrypted payloads (though not their content)
  • Sender and recipient IDs: For content routing, we must know which user ID sent content and which should receive it
  • IP addresses: Processed transiently in memory for rate limiting and abuse prevention; never written to disk, database, or persistent logs. For abuse detection we store only a salted HMAC-SHA256 of the IP, with a monthly-rotating salt, not the IP itself
  • Invite chain relationships: Which user IDs invited which other user IDs
  • Delivery timestamps: When encrypted content is delivered to a recipient’s device
  • Post tag associations: When you tag a friend in a post, the association between tagger and tagged user IDs is stored as plaintext metadata for notification routing
  • WebSocket connection presence: When you are actively connected to boopr, your platform type, connection time, last ping time, and disconnection time. This provides more granular presence data than API request timestamps.
  • Notification preferences: Your per-category notification settings (e.g., whether you want notifications for new post reactions, friend requests, photo tags, location shares, etc.) and your notification delivery mode (normal vs. quiet, which controls iOS interruption-level selection)
  • Profile key version: The server stores a version number that increments when your profile encryption key is rotated (for example, when you remove a friend). This is an operational counter visible to the server, though it does not reveal the key itself or any profile content.
  • Trust level: An internal account trust score derived from metadata signals including the number of distinct reporters who have reported you, prior enforcement actions against your account, the enforcement history of the user who invited you, the depth of your invite chain, your recent post and message rates, your recent rate of filing reports against others, and your account age. Used for anti-abuse purposes and to inform moderation decisions.
  • Report metadata: That a report was filed, by whom, against whom, the content type and ID referenced, the reason selected, your written description, and the report’s review status. No encrypted content is included.
  • Encrypted client-data blobs: The presence, size, type label (e.g., block_list, mute_list, audiences), and last-updated timestamp of the encrypted client-data blobs you sync for device recovery (see Section 3.14). We cannot read the contents of these blobs.
  • Moderation action history: Records of warnings, restrictions, and bans issued against accounts
  • Screenshot event occurrence: That a screenshot event was detected between two users (the encrypted notification content is not accessible to us)

8. How We Use Your Information

We use the information we collect solely to operate the Service:

  • Deliver encrypted content: Route encrypted posts, comments, reactions, and boops to their intended recipients (uses: connection metadata, encrypted content blobs, sender/recipient IDs)
  • Send push notifications: Wake your device when new encrypted content arrives. Push payloads carry an event-type indicator (for example “new message,” “new boop”) plus a generic title and body chosen from a fixed list. They contain no message content, no sender identity, no photos, no ciphertext, and no per-message details. (uses: encrypted device tokens, platform type)
  • Authenticate users: Verify your identity through cryptographic signatures on each API request (uses: public keys, session tokens)
  • Enforce rate limits: Prevent spam, abuse, and brute-force attacks (uses: IP addresses, request timestamps)
  • Maintain invite accountability: Track invite chains so that abuse can be traced and addressed (uses: invite chain records, user IDs)
  • Process subscriptions: Verify boopr+ subscription status to enable premium features (uses: subscription status from Apple/Google)
  • Sync blocks and mutes for recovery: Store your encrypted block and mute lists so they can be restored on a new device. Blocking and muting are enforced on your device, not by our servers, which cannot read these lists (see Section 3.14) (uses: encrypted client-data blobs)
  • Review reports and enforce community standards: Assess user-submitted reports to identify policy violations and take enforcement action (warn, restrict, or ban) based on report descriptions, metadata patterns, and account trust signals. No encrypted content is accessed or decrypted during this process. (uses: report metadata, account trust signals, invite chain records, recent post and message rates)
  • Comply with legal obligations: Respond to valid legal process, report child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) as required by federal law, and preserve data when required by law (uses: account metadata, encrypted content blobs, hashed IP abuse signals; we hold no raw IP address logs, see Section 3.10)
  • Enforce age eligibility: Take action on accounts that we determine belong to users under 13 (see Section 17)

How We Do Not Use Information

We do not, and for end-to-end encrypted content structurally cannot:

  • Sell, rent, or share personal data with third parties for advertising or marketing
  • Build advertising profiles or user profiles of any kind
  • Use personal data for algorithmic content recommendation or targeted advertising
  • Perform behavioral analysis, tracking, or profiling
  • Use automated decision-making that produces legal or similarly significant effects
  • Train machine learning models on user content (we cannot read it)

9. How We Share Your Information

9.1 Third-Party Services

We use the following third-party services, and no others:

  • Apple Push Notification service (APNs): To deliver push notifications to iOS devices. We share your device token and a notification delivery event (timestamp). Push payloads carry only an event-type indicator and a generic title/body chosen from a fixed list, with no message content, sender identity, or per-message details. Apple can see that a notification of a given category was sent to a specific device and when.
  • Firebase Cloud Messaging (FCM): To deliver push notifications to Android devices. Same payload contents as APNs (event-type indicator plus generic title/body). Google can see that a notification of a given category was sent to a specific device and when.
  • Apple App Store / Google Play Store: To process boopr+ subscription payments. These platforms handle all billing. We receive only subscription status information (see Section 3.8). We do not share any user content, profile data, or usage information with Apple or Google for subscription processing.

9.2 Legal and Safety Disclosures

We may disclose information in the following circumstances:

  • NCMEC (National Center for Missing & Exploited Children): If we obtain actual knowledge of child sexual abuse material (CSAM) on our platform, we are required by federal law (18 U.S.C. 2258A) to report it to NCMEC. We may share account metadata and encrypted content blobs in connection with such reports. See Section 22 for details.
  • Law enforcement: In response to valid legal process (subpoena, court order, or search warrant) under the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), or in emergency situations involving imminent risk of death or serious physical injury under 18 U.S.C. 2702(b)(8). See Section 21 for details on what we can and cannot provide.

9.3 What We Do Not Do

We do not use any analytics services, advertising networks, crash reporting tools, A/B testing platforms, attribution services, customer data platforms, or any other third-party tracking technology.

9.4 No Sale or Sharing of Personal Information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising or any other purpose beyond operating the Service as described in this policy. We do not use your information for targeted advertising. We do not offer financial incentives in exchange for personal information.

10. Data Retention

We retain data only as long as necessary to provide the Service or comply with legal obligations:

  • Account data (UUID, public keys, account status, creation date): Retained while your account is active. Upon account deletion, permanently removed within 30 days.
  • Encrypted profile: Retained while your account is active. Deleted within 30 days of account deletion.
  • Connection metadata: Retained while the connection exists and both accounts are active. Deleted within 30 days of account deletion or connection removal.
  • Encrypted posts: Retained until you delete the post or your account is deleted. Deleted within 30 days of account deletion.
  • Media attachments: Encrypted photo and video attachments on posts are retained until you delete them or your account is deleted. Deleted within 30 days of account deletion.
  • Expired sessions: Cleaned up within 7 days after expiration
  • Device tokens: Retained until updated, deregistered, or your account is deleted. Inactive tokens removed after 90 days of inactivity.
  • Invite chain records: Retained for the duration of your account for accountability purposes. Deleted within 30 days of account deletion.
  • Unused invite codes: Automatically expire after their expiration period
  • Subscription records: Retained while your account is active. Deleted along with the rest of your account data within 30 days of account deletion. Apple and Google retain their own transaction records under their respective policies and applicable financial record-keeping laws.
  • Content reports: Report metadata (reporter ID, reported user ID, content type, content ID, reason, your written description, review status, reviewer notes) is retained while the related accounts exist so that we can detect repeat patterns and process appeals. Reports related to CSAM are retained as required by law (see Section 22).
  • Encrypted client-data blobs (block list, mute list, friend groups, saved places): Retained while your account is active. Deleted within 30 days of account deletion.
  • Moderation action history: Records of warnings, restrictions, and bans are retained while your account exists. Currently, when an account is deleted, its enforcement-action records are deleted with it.
  • Screenshot event records: Retained while both accounts in the event are active. Deleted within 30 days of account deletion.
  • Abuse detection signals: Automatically deleted after their expiration period (which varies by event type)
  • Server logs (IP addresses): Raw IPs are not retained. They live only in memory for rate limiting (cleared within 24 hours) and are never written to disk, database, or persistent logs. Salted HMAC-SHA256 hashes used for abuse detection are subject to a TTL on the abuse-signal table and the underlying salt rotates monthly
  • Backups: Encrypted content may persist in server backups for up to 90 days after deletion but remains unreadable ciphertext that we cannot decrypt

Legal hold exception: Notwithstanding the retention periods above, we may retain data beyond the stated periods when required by law, including in response to valid legal process or government preservation requests under the Stored Communications Act (18 U.S.C. 2703(f)), which may require preservation for 90 days (renewable for an additional 90 days). We may also retain data related to NCMEC reports for a minimum of one year as required by the REPORT Act (Pub. L. 118-70, amending 18 U.S.C. 2258A).

11. Your Privacy Rights

You have the following rights with respect to your data on boopr, regardless of which state you reside in. Some rights are provided under specific state laws (such as the California Consumer Privacy Act, the Texas Data Privacy and Security Act, the Virginia Consumer Data Protection Act, and other state privacy laws), and we extend them to all users as a matter of good practice.

  • Right to know and access: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it. You can access all of your encrypted data through the app at any time—because your content is end-to-end encrypted, only you can decrypt and view it. See Sections 3, 8, and 9 for a complete disclosure.
  • Right to delete: You can delete your account through the app (Settings, scroll to the bottom and tap Delete Account) or by contacting us at [email protected]. For email requests, we will send a confirmation within 48 hours. We will process deletion requests within 30 days, permanently removing all of your data from our servers.
  • Right to correct: You may request correction of inaccurate personal information. You can update your encrypted profile at any time through the app.
  • Right to data portability: You may request your personal data in a structured, commonly used format. You can request a data export by contacting [email protected]. Exported data is limited to account metadata and encrypted blobs (we cannot provide decrypted content because we do not have your decryption keys). An in-app data export feature is in development.
  • Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information in any accessible form. Encrypted content may contain sensitive personal information (such as the contents of communications), but we cannot access it due to end-to-end encryption. Your right to limit use is effectively satisfied by the architecture. See Section 16 for more details.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Post deletion: You can delete individual posts and comments at any time through the app.
  • Block and mute: You can block or mute any user. Both lists are encrypted on your device and synced to our servers as opaque ciphertext for recovery; the other user is never notified, and we cannot read your block or mute lists. Enforcement is currently performed on your device.
  • Push notification control: You can disable push notifications at any time through your device settings or by unregistering your device token.

12. How to Exercise Your Rights

12.1 Submitting a Request

To exercise any of the rights described in Section 11, contact us at [email protected] or write to us at: Boopr LLC, 2810 N Church St, PMB 748102, Wilmington, DE 19802-4447.

12.2 Verification Process

To protect your privacy, we must verify your identity before fulfilling a consumer rights request.

  • Authenticated requests (logged-in users): If you submit a request while logged into your boopr account, we verify your identity through your active authenticated session.
  • Unauthenticated requests (email): If you submit a request via email, we will ask you to provide your account identifier (user UUID) and may ask you to verify ownership of the account through your device (for example, by initiating a verification action within the app). We will match the information you provide against our records.
  • Deletion requests: For account deletion requests, we may require heightened verification to confirm that you are the account owner.
  • If verification fails: If we are unable to verify your identity, we will inform you of the reason and explain what alternative steps are available.

12.3 Authorized Agents

You may designate an authorized agent to submit a privacy rights request on your behalf. If an authorized agent submits a request, we require:

  • A signed written authorization from you permitting the agent to act on your behalf, or a valid power of attorney
  • Verification of the agent’s identity
  • We may also require you to directly verify your identity with us, even when an authorized agent is acting on your behalf

Authorized agent requests should be submitted to [email protected] with the subject line “Authorized Agent Request.”

12.4 Response Timelines

We will respond to verifiable consumer rights requests within the timeframes required by applicable law:

  • General requests: Within 45 days of receiving a verifiable request. If we need additional time, we will notify you and may extend the response period by up to 45 additional days.
  • Account deletion requests: Processed within 30 days. For email requests, we will send a receipt confirmation within 48 hours.
  • Data export requests: Within 45 days of receiving a verifiable request.

13. Appeal Process

If we deny your privacy rights request (in whole or in part), you have the right to appeal our decision. To submit an appeal:

  • Send an email to [email protected] with the subject line “Privacy Rights Appeal”
  • Include a description of the request that was denied and the reason you believe the denial was incorrect
  • Reference the original request date and any correspondence

We will respond to appeals within 60 days. Our response will include a written explanation of our decision. If the appeal is denied, we will provide the reasons for the denial and information about how to contact your state attorney general if you wish to file a complaint.

14. CCPA Categories Disclosure

In the preceding 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act:

  • Identifiers: User ID (UUID), cryptographic public keys, device tokens (encrypted), IP addresses. We do not collect names, email addresses, phone numbers, or other traditional identifiers.
  • Internet or other electronic network activity information: API request timestamps, session metadata, screenshot event records, notification delivery timestamps. We do not track browsing history or search history.
  • Geolocation data: Approximate location derived from IP addresses only. Used for rate limiting and abuse prevention; not used for tracking or profiling.
  • Commercial information: Subscription status and type (from Apple/Google). We do not store payment or financial information.

Categories not collected: We do not collect professional or employment-related information, education information, biometric information (see Section 19), audio/visual information in accessible form (photos are E2E encrypted), or inferences (we do not build profiles or make predictions about users).

Sources: All information is collected either (a) directly from you (account creation, content posting) or (b) automatically from your device (IP address, platform type, usage timestamps). We do not collect personal information from third-party sources.

We have not sold or shared (for cross-context behavioral advertising) any personal information in the preceding 12 months. We have not knowingly sold or shared the personal information of consumers under 16 years of age.

15. Do Not Sell / Do Not Share

We do not sell your personal information to anyone, for any purpose. We do not share your personal information with third parties for cross-context behavioral advertising. We do not engage in targeted advertising. Because boopr does not engage in any of these practices, there is no sale or sharing to opt out of.

Not a data broker. boopr collects personal information only directly from registered users of the boopr service. boopr does not collect personal information from any consumer with whom it does not have a direct relationship, and does not sell personal information to third parties. boopr is not a “data broker” as defined in California Civil Code § 1798.99.80 and is not subject to data-broker registration requirements under that statute or analogous state laws.

16. Sensitive Personal Information

Under the California Consumer Privacy Act (as amended by the CPRA), “sensitive personal information” includes, among other things, the contents of a consumer’s mail, email, and text messages (unless the business is the intended recipient of the communication).

boopr stores end-to-end encrypted posts and other content that may contain sensitive personal information. However, due to our end-to-end encryption architecture, we cannot and do not access, read, or process the plaintext contents of this information. We hold only opaque ciphertext that we cannot decrypt.

We do not collect sensitive personal information in any accessible form. We do not collect Social Security numbers, driver’s license numbers, financial account credentials, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric data (see Section 19), health data, or data concerning sex life or sexual orientation.

Your right to limit the use of sensitive personal information is effectively satisfied by our encryption architecture—we cannot use information we cannot access.

17. Children’s Privacy (COPPA Compliance)

boopr is not directed at and is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13, in compliance with the Children’s Online Privacy Protection Act (COPPA), 16 C.F.R. Part 312, including the 2025 COPPA amendments (effective April 22, 2026), which expand the definition of “personal information” to include biometric identifiers, government-issued identifiers, and photos, videos, and audio files containing a child’s image or voice.

Written information security program. boopr maintains a written information security program reasonably designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. The program addresses administrative, technical, and physical safeguards proportionate to the sensitivity of the information we hold (which is structurally limited by end-to-end encryption — see Sections 5 and 20). The program is reviewed at least annually and updated as needed.

Written data retention policy. boopr maintains a written data retention policy that limits retention of personal information to the period reasonably necessary to provide the service, comply with legal obligations, and satisfy the specific purposes for which the information was collected. The per-category retention periods that implement that policy are disclosed in Section 10.

By creating an account, users represent that they are at least 13 years old, as described in our Terms of Service. Users between the ages of 13 and 17 must have the consent of a parent or legal guardian to use boopr.

Our invite-only registration model (requiring an existing user to provide an invite code) serves as a supplementary barrier to unsupervised child access.

If we discover or have reason to believe that a user is under 13, we will promptly terminate the account and, upon confirmation, delete all associated data within 30 days. Account data flows through the standard account-deletion path described in Section 10.

If you are a parent or guardian and believe that a child under 13 has created a boopr account, please contact us at [email protected] or [email protected]. We will investigate and respond within 48 hours.

We do not knowingly sell or share the personal information of users under 16 years of age.

State Minor-Protection Laws

Several US states have enacted laws imposing protections on minors (generally users under 18) using online services. boopr’s structural design choices satisfy or moot the substantive duties of most of these laws by removing the conditions that trigger them. Specifically:

  • No algorithmic or “addictive” feed. boopr’s feed is reverse-chronological and friend-graph-based, with no engagement-driven ranking, no recommendation system, and no infinite-scroll engagement loops. This moots the addictive-feed prohibition in the New York Stop Addictive Feeds Exploitation (SAFE) for Kids Act (N.Y. Gen. Bus. Law §§ 1500–1501) and California SB 976 (Bus. & Prof. Code §§ 27000–27007).
  • No advertising of any kind. See Section 18. This moots the targeted-advertising restrictions on minors in the California Consumer Privacy Act (Cal. Civ. Code § 1798.120(c)), the Maryland Online Data Privacy Act (Md. Code Comm. Law § 14-4607(b)), the New York Child Data Protection Act (N.Y. Gen. Bus. Law § 899-ff et seq.), the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-520(a)), the Virginia Consumer Data Protection Act, the New Jersey Data Protection Act, the Mississippi HB 1126 (2024), and analogous provisions in other state privacy laws.
  • No public discovery. boopr does not provide a public profile, public feed, search-by-name, hashtag, friend-of-friend recommendation, or any other discovery surface for minors or anyone else. Friend connections require direct friend-code exchange. This moots the public-search and unsolicited-contact concerns addressed by the Texas SCOPE Act (Tex. Bus. & Com. Code ch. 509) and the Utah Minor Protection in Social Media Act (Utah Code Ann. § 13-71).
  • No data sale, sharing, or profiling. See Sections 15 and 18. This moots the sale-of-minors’-data restrictions across all in-force state privacy laws.
  • Default-high-privacy posture for all accounts, regardless of age. Encrypted profile, friends-only feed, no public visibility, no third-party tracking, opt-in friend connections. This satisfies the data-protection-impact-assessment expectations and default-high-privacy duties of the Maryland Age-Appropriate Design Code Act (Md. Code Comm. Law §§ 14-4501–14-4509) and the California Age-Appropriate Design Code Act (Cal. Civ. Code § 1798.99.31, partially in force per NetChoice v. Bonta, 9th Cir. Mar. 2026).

Several state minor-protection laws impose additional configuration obligations on known minor accounts (such as the New York SAFE for Kids Act’s prohibition on push notifications to under-18 New York users between 12:00 a.m. and 6:00 a.m. local time absent verifiable parental consent, and the parental-supervisory-tool requirements in the Tennessee Protecting Children from Social Media Act, the Florida HB 3 provisions for users 14–15, and the Mississippi HB 1126 parental consent provisions). Where an applicable state law imposes such an obligation on a known minor account, we will implement the configuration before processing the account in a manner that would otherwise violate the law. Our compliance posture is state-of-residence-based: New York’s overnight-notification rule applies to New York users; Tennessee’s parental-tool requirements apply to Tennessee users; etc. The structural design commitments listed above apply globally and are not configurable.

Age determination. boopr establishes user age through the representation made at registration (you must affirm that you are at least 13) combined with the optional birthday field in your encrypted profile. Where a state-law obligation depends on having actual knowledge of a user’s minor status (for example, the New York Child Data Protection Act’s “strictly necessary” processing standard for users 13–17, or the Maryland Online Data Privacy Act’s “knew or should have known” standard for users under 18), we treat a user’s self-disclosed birthday as establishing actual knowledge for that user.

18. Do Not Track, Global Privacy Control, and Universal Opt-Out Mechanisms

boopr does not show advertising of any kind, ever. We do not run third-party ads. We do not run first-party ads. We do not personalize, target, or retarget. We do not sell, rent, or share personal information for cross-context behavioral advertising. We do not profile users for advertising or marketing purposes. We do not build advertising audiences from user data. We do not use cookies, tracking pixels, advertising identifiers, attribution SDKs, or any form of cross-site or cross-app tracking. These commitments are structural to the product, not configurable, and apply equally to free and subscriber accounts.

Because there is no tracking, data sale, sharing for cross-context behavioral advertising, profiling, or targeted advertising to disable, the Global Privacy Control (GPC) signal, Do Not Track (DNT) browser signals, and the Universal Opt-Out Mechanisms recognized under the privacy laws of California, Colorado, Connecticut, Delaware, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, and Texas do not change our behavior—our default behavior already exceeds what these signals request. We treat any opt-out preference signal we receive in a frictionless, opt-out-honoring manner, interpreting it as a request to confirm that none of the practices it covers apply to your account.

19. Biometric Information

boopr offers optional biometric authentication (Face ID, Touch ID, or fingerprint recognition) to secure access to the app. This feature can be enabled in Settings > Security > App Lock.

boopr does not collect, store, or process biometric data. Biometric authentication is performed entirely by your device’s operating system (iOS LocalAuthentication or Android BiometricPrompt). boopr receives only a confirmation of whether authentication succeeded or failed—no biometric template, scan, or identifier is ever transmitted to boopr or stored by boopr.

Biometric data never leaves your device and is never transmitted to our servers. For information about how your biometric data is handled by your device’s operating system, please refer to Apple’s Privacy Policy (for iOS) or Google’s Privacy Policy (for Android).

20. Data Security

Security is not an add-on feature—it is the foundation of boopr’s architecture. We implement reasonable security measures commensurate with the sensitivity of encrypted communications, and we protect your data through multiple layers:

  • End-to-end encryption for posts: Each post is encrypted with a randomly generated symmetric key (XChaCha20-Poly1305). That key is individually encrypted to each authorized recipient’s X25519 public key.
  • Profile encryption: Profile data is encrypted with a key deterministically derived from your recovery phrase, so it can be recovered on a new device without any cloud backup.
  • Image processing pipeline: Photos are re-encoded to JPEG (stripping EXIF metadata including GPS coordinates), resized, encrypted with XChaCha20-Poly1305, and the originals are deleted from memory—all on your device before upload.
  • Encryption at rest: Device tokens are encrypted with AES-256-GCM on our servers.
  • Hashed secrets: Session tokens are cryptographically hashed before storage.
  • Transport security: All communications use HTTPS/TLS.
  • Rate limiting: All API endpoints are rate-limited to prevent brute-force and enumeration attacks.
  • Generic error messages: API responses do not reveal whether specific accounts exist.
  • Timing-safe comparisons: All secret comparisons use constant-time algorithms to prevent timing attacks.
  • Parameterized queries: All database queries are parameterized to prevent SQL injection.
  • No sensitive data in logs: Keys, tokens, decrypted content, and request bodies are never logged.
  • Hardware-backed key storage: Private keys and recovery phrases are protected by your device’s Secure Enclave (iOS) or StrongBox/TEE (Android). Keys are additionally wrapped with hardware-derived encryption and require the device to be unlocked (After First Unlock enforcement). Optional biometric authentication adds another layer of protection.
  • Screenshot protection: Certain screens (posts, boop content) are blanked during screen capture. When a screenshot is detected, an E2E encrypted notification is sent to the other party.
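As an added illustration (example code, not boopr’s own implementation) of three of the properties listed above working together, the session store below keeps only a SHA-256 digest of each session secret, compares the presented secret in constant time, and returns one generic failure result whether the session ID is unknown, the secret is wrong, or the session has expired. The class and field names, the `<session_id>.<secret>` token layout, and the 24-hour lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL = 24 * 3600  # assumed session lifetime in seconds; not a value from the policy

# Digest compared against when the session ID is unknown, so that path performs
# the same hashing and comparison work as a genuine secret mismatch.
_DUMMY_DIGEST = hashlib.sha256(b"no-such-session").hexdigest()


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    user_id: Optional[str] = None
    reason: Optional[str] = None


# Every failure path returns this same value, so a response never reveals whether
# the session ID exists, the secret was wrong, or the session merely expired.
GENERIC_FAILURE = AuthResult(ok=False, reason="invalid session")


class SessionStore:
    """Bearer tokens have the form "<session_id>.<secret>" (assumed layout). The
    session ID is a plain lookup key; only a SHA-256 digest of the secret is stored,
    so a leaked table does not yield usable sessions."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable for testing expiry
        # session_id -> (hex digest of secret, user_id, expiry timestamp)
        self._sessions: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)  # 256 bits of entropy
        expiry = self._clock() + SESSION_TTL
        self._sessions[session_id] = (self._digest(secret), user_id, expiry)
        return f"{session_id}.{secret}"  # handed to the client once; never logged

    def authenticate(self, token: str) -> AuthResult:
        session_id, sep, secret = token.partition(".")
        if not sep:
            return GENERIC_FAILURE
        record = self._sessions.get(session_id)
        expected = record[0] if record is not None else _DUMMY_DIGEST
        # Constant-time comparison of equal-length hex digests; a plain == would
        # return early and leak how many leading bytes matched.
        matched = hmac.compare_digest(self._digest(secret), expected)
        if record is None or not matched:
            return GENERIC_FAILURE
        if self._clock() >= record[2]:
            self._sessions.pop(session_id, None)  # expired: drop and fail generically
            return GENERIC_FAILURE
        return AuthResult(ok=True, user_id=record[1])

    def revoke(self, token: str) -> None:
        """Log out: remove the record only if the token actually authenticates."""
        if self.authenticate(token).ok:
            self._sessions.pop(token.partition(".")[0], None)

    def stores_raw_secret(self, token: str) -> bool:
        """True if the raw secret from `token` appears anywhere in storage (it should not)."""
        secret = token.partition(".")[2]
        return any(secret in rec[0] for rec in self._sessions.values())
```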

No security system is perfect. While we implement extensive security measures and use well-audited, production-grade cryptographic libraries (we never implement our own cryptographic primitives), no system can guarantee absolute security. We are committed to regularly reviewing our cryptographic implementations and promptly addressing any vulnerabilities.

21. Law Enforcement and Legal Process

We may be compelled by valid legal process under the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA)—such as a subpoena, court order, or search warrant—to disclose data we hold. We can disclose:

  • That an account associated with a specific user ID exists, and its current status (active, restricted, suspended, banned, or deleted)
  • Account creation date and last activity timestamp
  • Public cryptographic keys
  • Connection metadata (which user IDs are connected)
  • Timestamps of posts and the existence of post-tag associations (which tagger user ID tagged which tagged user ID)
  • Encrypted ciphertext blobs (which are useless without the user’s private keys)
  • Salted HMAC-SHA256 hashes of IP addresses for abuse detection (raw IP addresses are not retained; the salt rotates monthly so hashes cannot be correlated across months)
  • Invite chain information, including the time-bounded full and shared accountability periods linking inviter and invitee
  • Subscription status (active, expired, cancelled, in grace period; monthly or annual; original purchase and expiration dates; opaque transaction identifiers received from Apple or Google)
  • Enforcement-action records on the account (warnings, restrictions, bans), the time of each action, and any internal reviewer notes
  • The fact that a screenshot event of a given context type (feed, profile, comment, boop, or DM) was detected between two user IDs at a given time, plus the encrypted notification payload (which we cannot decrypt)
  • The other operational metadata enumerated in Section 7 (such as encrypted device tokens, encrypted session device info, notification-preference settings, WebSocket presence records, encrypted client-data blob existence and size, and account trust-level signals)
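The salted, monthly-rotating IP hashing described in the list above, as an added example that is not boopr’s code: each calendar month gets its own random HMAC key, so the same address yields a stable hash within a month (enough to count repeated requests) but an unrelated hash the next month, and once a month’s salt is retired the old hashes can no longer be recomputed from an address. The class and function names, the 32-byte salt size, and the sample events are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple


class IpHasher:
    """Keyed hashing of client IPs with one random salt per calendar month.
    Only the current month's salt needs to be kept; retiring older salts makes
    earlier hashes impossible to recompute or correlate with new ones."""

    def __init__(self) -> None:
        self._salts: Dict[str, bytes] = {}  # "YYYY-MM" -> 32-byte salt

    @staticmethod
    def period(when: datetime) -> str:
        if when.tzinfo is not None:
            when = when.astimezone(timezone.utc)
        return when.strftime("%Y-%m")

    def _salt_for(self, period: str) -> bytes:
        if period not in self._salts:
            # Fresh random salt for a new month. In a deployment it would be held
            # in a secret store rather than process memory (assumption).
            self._salts[period] = secrets.token_bytes(32)
        return self._salts[period]

    def hash_ip(self, ip: str, when: datetime) -> str:
        addr = ipaddress.ip_address(ip)
        # Canonicalise so an IPv4-mapped IPv6 form hashes like the plain IPv4.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        salt = self._salt_for(self.period(when))
        return hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()

    def retire_before(self, period: str) -> int:
        """Delete salts for months earlier than `period`; returns how many."""
        old = [p for p in self._salts if p < period]
        for p in old:
            del self._salts[p]
        return len(old)

    def known_periods(self) -> List[str]:
        return sorted(self._salts)


def noisy_sources(hasher: IpHasher,
                  events: Iterable[Tuple[datetime, str]],
                  threshold: int) -> Dict[str, List[str]]:
    """Count requests per (month, IP hash) and return, per month, the hashes
    seen more than `threshold` times. Raw addresses are hashed and discarded."""
    counts: Counter = Counter()
    for when, ip in events:
        counts[(hasher.period(when), hasher.hash_ip(ip, when))] += 1
    flagged: Dict[str, List[str]] = {}
    for (period, digest), n in counts.items():
        if n > threshold:
            flagged.setdefault(period, []).append(digest)
    return flagged


# Constructed sample traffic (documentation-range addresses, not real clients).
_MAY = datetime(2026, 5, 10, 12, 0, tzinfo=timezone.utc)
_JUNE = datetime(2026, 6, 2, 9, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS: List[Tuple[datetime, str]] = (
    [(_MAY, "203.0.113.5")] * 5
    + [(_MAY, "198.51.100.7")]
    + [(_JUNE, "203.0.113.5")] * 2
)
```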

We cannot provide post content, profile details, photos, comment text, reaction types, friend group names, block or mute lists, or any other encrypted information—because we cannot decrypt it. Our encryption architecture is not something we can bypass, disable, or circumvent in response to a legal request.

Emergency Disclosures

Under 18 U.S.C. § 2702(b)(8) (content) and § 2702(c)(4) (non-content), we may voluntarily disclose account metadata (not encrypted content) to law enforcement without a court order when we reasonably believe that an emergency involving imminent risk of death or serious physical injury to any person requires disclosure without delay.

Emergency Disclosure Requests must be submitted from a verified law-enforcement-domain email address to [email protected] with the subject line “Emergency Disclosure Request.” A valid request identifies the requesting agency and officer, describes the nature of the emergency, identifies the specific account(s) and data sought, and includes a senior-officer attestation to the existence of the emergency. Disclosure is at our discretion based on a good-faith review; we may decline if the emergency is not adequately substantiated or if the request appears to seek data unrelated to the emergency. Because user content is end-to-end encrypted with keys we do not hold, an emergency disclosure can produce only the account metadata enumerated in the list above. Every emergency disclosure request and our response is documented; we may notify the affected user when notification is not prohibited by law.

Right to Test and Challenge Demands

We treat every demand for user information — subpoena, court order, search warrant, preservation request, national security letter, or emergency disclosure request — as a legal compulsion to be tested for statutory and constitutional sufficiency. We produce only what the specific instrument legally requires. We may decline or move to quash demands that exceed statutory authority, that are overbroad, that are not supported by the level of process the law requires for the data sought (including content demands that, under Carpenter v. United States, 138 S. Ct. 2206 (2018), or any successor authority, require a search warrant rather than a subpoena or 18 U.S.C. § 2703(d) order), or that are otherwise legally deficient. We will provide notice to the affected user where notification is not prohibited by an 18 U.S.C. § 2705(b) non-disclosure order or other applicable legal process, and we will challenge non-disclosure orders that exceed the duration permitted under current Department of Justice policy (generally one year absent exceptional circumstances).

Data Preservation

We may be required to preserve account data for 90 days upon receipt of a government preservation request under 18 U.S.C. § 2703(f). This preservation may be extended for an additional 90 days upon renewal. Preserved data includes metadata and encrypted content blobs (which remain undecryptable).

User Notification

We will notify affected users of law enforcement requests for their data unless prohibited by law from doing so, such as by a court order under 18 U.S.C. § 2705. Where permitted, we will challenge overly broad or legally deficient requests, including non-disclosure orders that exceed the duration permitted under current Department of Justice policy (which generally caps prospective non-disclosure orders under 18 U.S.C. § 2705(b) at one year absent exceptional circumstances). When a non-disclosure period expires and notification is no longer prohibited by law, we will notify the affected user as soon as reasonably practicable.

22. Child Safety and CSAM Reporting

boopr has zero tolerance for child sexual abuse material (CSAM) and the sexual exploitation of minors. Under 18 U.S.C. § 2258A, electronic communication service providers that obtain actual knowledge of apparent violations of federal child exploitation laws must report to the National Center for Missing & Exploited Children (NCMEC) as soon as reasonably possible.

What this means for your data: If we receive a report or otherwise obtain actual knowledge of CSAM on our platform, we may:

  • Report the matter to NCMEC via the CyberTipline, including relevant account metadata and encrypted content blobs
  • Preserve the reported content and associated metadata for a minimum of one year as required by the REPORT Act (Pub. L. 118-70)
  • Cooperate with law enforcement investigations into child exploitation
  • Immediately and permanently terminate the associated account without prior notice

Important: We will not notify the reported user about NCMEC reports, as notification could interfere with law enforcement investigations. This is an exception to our general user notification policy described in Section 21.

Due to our end-to-end encryption architecture, we cannot proactively scan, search, or monitor encrypted content for CSAM. We do not implement client-side scanning, server-side scanning, perceptual hashing, or any other content-inspection technology. We have not built and will not build a backdoor, master key, escrow mechanism, or equivalent capability that would allow us, our personnel, our vendors, or any third party to bypass the end-to-end encryption protecting user content. Our reporting obligation under 18 U.S.C. § 2258A is triggered only when we obtain actual knowledge through means that do not require decrypting user content (such as user reports or law enforcement notification), and 18 U.S.C. § 2258A(f) does not require us to monitor, affirmatively search, or weaken our encryption.

To report suspected CSAM or child exploitation, contact [email protected] (subject: “CSAM Report”) or report directly to the NCMEC CyberTipline at missingkids.org/gethelpnow/cybertipline.

23. Non-Consensual Intimate Imagery (NCII)

In compliance with the Take It Down Act (Pub. L. 119-12), boopr prohibits the distribution of non-consensual intimate imagery (NCII), including AI-generated or digitally altered intimate imagery depicting identifiable individuals.

Reporting NCII: If you are a victim of NCII distributed through boopr, you may submit a report through our web form at boopr.com/ncii-removal (preferred) or by email to [email protected] with the subject line “NCII Report.” We will respond to valid reports within 48 hours, in accordance with the TAKE IT DOWN Act (Pub. L. 119-12, codified at 47 U.S.C. § 223a). See our Terms of Service Section 7 for the full intake process and the elements a valid request must include.

How we handle NCII reports:

  • Report data (including your contact information and description of the imagery) is stored securely and accessed only by personnel responsible for processing the report
  • Report data is retained for as long as necessary to process the report and any related legal proceedings
  • Because content is end-to-end encrypted, we cannot scan or search encrypted content for NCII. Our response is limited to account-level action (suspension or termination) against reported accounts, or action against specifically identified posts or media if sufficient identifying information is provided.
  • Report data may be shared with law enforcement as required by law
  • Accounts found to be sharing NCII may be suspended or permanently terminated

24. Device Recovery and Key Management

When you create an account, boopr generates a 24-word recovery phrase on your device. This phrase is the master key to your identity and is stored securely in your device’s Keychain. You can view it at any time in Settings > Security > Recovery Phrase. It is never transmitted to our servers.

  • What recovery restores (free): Your identity keys, profile data, posts, friend groups, and block/mute lists are all recoverable from your recovery phrase at no cost.

PIN-Based Recovery (Planned)

We are developing an optional PIN-based recovery mechanism as an alternative to the 24-word recovery phrase. If enabled, this feature will store the following on our servers:

  • Encrypted vault: Your root key encrypted with a key derived from your PIN using a zero-knowledge protocol (OPAQUE). We cannot decrypt this vault or learn your PIN.
  • Vault salt: A random cryptographic salt used in key derivation
  • Recovery ID hash: A blind index used for unauthenticated vault lookup (we cannot reverse this to identify you)
  • Attempt tracking: A counter of failed PIN attempts and a maximum attempt limit. After the maximum number of failed attempts, the vault is permanently destroyed and cannot be recovered.
  • Vault status: Whether the vault is active, locked, or destroyed

PIN recovery is rate-limited to prevent brute-force attacks. The server never learns your PIN—all derivation happens using a zero-knowledge protocol.

If you lose your recovery phrase (and have not set up PIN recovery), we cannot recover your account. We do not have a copy of your recovery phrase and cannot derive it. There is no “forgot password” flow and no account recovery mechanism other than the recovery phrase or optional PIN recovery.

25. Data Breach Notification

In the event of a data breach affecting personal information, we will:

  • Notify affected users within 30 days of determining that a breach has occurred, through the app and, where possible, through push notification
  • Notify relevant state attorneys general as required by applicable state breach notification laws
  • Provide a clear description of the breach, including the types of data potentially affected, the steps we are taking in response, recommended actions you should take, and contact information for further inquiries

Because all user content is end-to-end encrypted, a server breach would expose only encrypted ciphertext, public keys, and metadata—not the content of your posts or profile. Encrypted content is not considered “personal information” for breach notification purposes under most state laws when the encryption key has not been compromised, and our servers do not hold your encryption keys. We would still notify you of any breach, even if the practical privacy impact is limited by our encryption architecture.

26. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the “Effective Date” at the top of this page
  • For material changes, we will provide notice through the app before the changes take effect and require you to affirmatively accept the updated Privacy Policy before continuing to use the Service
  • For non-material changes (such as formatting, clarifications, or corrections that do not alter the substance of the policy), the updated policy will take effect upon posting
  • We will maintain an archive of prior versions of this policy, available upon request

If you do not agree with a material change to this policy, you may delete your account at any time through the app (Settings, scroll to the bottom and tap Delete Account) or by contacting [email protected].

27. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data is handled, contact us at:

Boopr LLC
2810 N Church St, PMB 748102
Wilmington, DE 19802-4447

Privacy inquiries and consumer rights requests: [email protected]
Legal inquiries: [email protected]
Security vulnerabilities: [email protected]
CSAM reports: [email protected] (subject: “CSAM Report”)
NCII reports: [email protected] (subject: “NCII Report”)
Accessibility concerns: [email protected] (subject: “Accessibility”)

We aim to respond to all privacy-related inquiries within 30 days. For consumer rights requests, we will respond within the timeframes required by applicable law (generally 45 days). If you are not satisfied with our response, you may contact your state attorney general’s office.


© 2026 Boopr LLC