Privacy Policy
Summary — read this first
Panthera S.E.M.S ("Panthera", "we", "us") operates a zero-knowledge messenger. We cannot read your messages. We cannot retrieve them. We cannot recover your account, your password, or your encryption keys. This is not a limitation — it is the entire point of the product. If you lose your password, your data is gone. That is by design.
This document explains what data exists on our infrastructure, what does not, and what your rights and responsibilities are when using Panthera.
What we cannot see
- The content of your messages, attachments, voice notes or files.
- Your private keys or the symmetric session keys derived from them.
- Your password. It never leaves your device in plaintext.
- The contacts you communicate with in a way that can be linked back to your real identity.
- Any plaintext at any point in transit or at rest on our servers.
All content is end-to-end encrypted using XChaCha20-Poly1305 with keys derived through X3DH and the Double Ratchet protocol. Server-side we store only opaque ciphertext blobs and the minimal routing metadata required to deliver them.
What we do process
- Opaque ciphertext blobs — encrypted message payloads and encrypted attachments. We cannot decrypt them.
- Public identity material — your Ed25519 public identity key, signed prekey, and one-time prekeys, used only to allow other users to initiate encrypted sessions with you.
- Ephemeral delivery metadata — information strictly required to route ciphertext to the correct recipient device. Purged from delivery queues once acknowledged.
- Standard edge logs — short-lived operational logs (IP, request path, status code) held by our edge provider for abuse prevention and typically discarded within days. These logs contain no message content.
What we do not collect
- No phone number.
- No email address.
- No real name or username claim.
- No advertising identifiers, no third-party analytics SDKs, no fingerprinting.
- No social graph exports, address book uploads, or contact discovery.
No recovery, by design
Panthera has no password recovery, no account recovery, and no key escrow. There is no "forgot password" flow. There is no support process that can restore access to a lost account. If your password or device is lost, the associated account and all of its historical ciphertext become permanently undecryptable.
This is not a bug, an oversight, or something we intend to change. Any recovery mechanism would require us to hold key material we could be compelled to hand over. We have chosen not to.
Local storage on your device
Your device holds identity keys, session state, and cached ciphertext inside a sealed IndexedDB store, encrypted with a key derived from your password and held only in memory during an active session. When the app auto-locks or you sign out, the in-memory key is wiped.
Subprocessors and infrastructure
Panthera runs on edge compute and managed database infrastructure (currently Cloudflare Workers and a Postgres data layer accessed only through row-level-security-enforced APIs). These providers process only the opaque ciphertext, public keys, and routing metadata described above. They do not receive plaintext because plaintext does not exist on the wire.
Law enforcement and legal requests
We respond to valid legal process. Because we do not possess message content, keys, phone numbers, email addresses, real names, or contact graphs, the information we are able to produce is limited to the opaque, ciphertext-only data described in section 2 — data which is, by construction, unreadable without user-held keys we do not hold.
Your choices
- Uninstall the app to remove all local data from your device.
- Delete your account from within the app to remove your public prekey material and routing entry from our infrastructure. Historical ciphertext queued for other recipients remains encrypted and undecryptable.
- Configure your auto-lock timer to match your threat model.
Children
Panthera is not directed to children under 13 (or the equivalent minimum age under your local law). Do not use the service if you are under that age.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected by a new "Effective" date at the top of this page. Continued use of the service after such changes constitutes acceptance.
Contact
Because we intentionally do not hold email addresses, all privacy-related contact is handled through the in-app contact channel on pantheraservice.app.
