Ren Privacy Policy
Effective Date: March 5, 2026 · Last Updated: May 3, 2026 (clarified live-location is foreground-only, added Expo Push Notification Service to subprocessor list, refined date-plan encryption scope, removed reference to unshipped safety-number UI)
Ren ("we," "our," or "the app") is a private, end-to-end encrypted messaging application designed exclusively for couples. Your privacy is fundamental to our design. This policy explains what data we collect, how it is used, and your rights.
1. Data We Collect
1.1 Account Information
- Phone number: Used for account creation and partner pairing via Firebase Phone Authentication. Your phone number is stored in Firebase to enable pairing and message routing.
- Partner phone numbers: To pair with someone, you may provide your partner's phone number. We use it solely to identify and connect with their Ren account (or to send a one-time invitation if they are not yet a user). We do not market to non-users, share these numbers with third parties, or use them for any other purpose.
1.2 Messages & Media
- Text messages: All text messages are encrypted end-to-end using AES-256-GCM before leaving your device. We cannot read your messages. Encrypted message data is stored in Google Firebase Firestore.
- Photos & Videos: Photos and videos shared through the app are encrypted end-to-end on your device using AES-256-GCM before being uploaded to Firebase Cloud Storage. The bytes Firebase holds are opaque ciphertext — only you and your paired partner can decrypt them. Video thumbnails are encrypted the same way. Non-content metadata (view counts, send timestamps, media type) is stored unencrypted alongside the message record so the app can render the chat list, enforce view limits, and clean up expired media.
- Voice Memos: Voice memo audio recordings are encrypted end-to-end on your device before upload to Firebase Cloud Storage. The duration and waveform visualization are also encrypted as part of the message payload, so the loudness envelope of your recording does not leak to our servers.
- Reactions: When you react to a message with an emoji, that single emoji is stored unencrypted on the message record so it can be displayed to your partner without an extra round trip. The message you reacted to remains end-to-end encrypted; only the reaction emoji itself is visible to us.
- Message retention: Messages older than 6 months are automatically deleted from our servers.
1.3 Video Calls
- Video & audio streams: Video calls use peer-to-peer WebRTC connections. Your video and audio streams are transmitted directly to your partner and are not recorded, stored, or routed through our servers.
- Call signaling: Call setup data (offer/answer SDP and ICE connection candidates) is encrypted end-to-end with the same AES-256-GCM pair key used for messages before being temporarily stored in Firebase Firestore. The signaling content is deleted after the call ends.
- Call metadata: Call status (ringing, active, ended), participant phone numbers, and timestamps are stored unencrypted in Firebase to manage call state. This metadata is what lets us route incoming calls and clean up abandoned ringing docs.
1.4 Location Data
- Live location sharing: When you enable Live Location in Settings, your precise GPS coordinates are encrypted on your device with the pair AES-256-GCM key and stored in Firebase Firestore as ciphertext. Your paired partner's device decrypts and displays them in near real time. Updates are written approximately every 30 seconds while you are stationary, or whenever you move more than 20 metres.
- Foreground only: Live Location sharing operates only while the Ren app is open on your device. When you close the app, switch to another app, or your operating system suspends Ren, location updates stop. Re-opening the app resumes sharing if the toggle is still enabled. Ren does not request the background-location permission and does not run a background location task.
- Location data retention: Your location data is deleted immediately from Firebase when you disable Live Location sharing. Location data is ephemeral and is not retained for any other purpose.
1.5 Locally Stored Data (On-Device Only)
The following data is stored exclusively on your device and is never transmitted to our servers:
- App passcode (stored in encrypted device keychain via Secure Store)
- Encryption private keys (stored in encrypted device keychain via Secure Store)
- Partner nickname and photo
- Chat wallpaper preferences
- Dating and anniversary dates
- Dark mode and read receipt preferences
- Default view count settings
- Games on/off preference (Cup Pong / Pool toggle)
1.6 Automatically Collected Data
- Presence status: Online/offline status and last-seen timestamps are stored in Firebase to enable real-time presence indicators.
- Typing indicators: Temporary typing status is stored in Firebase and automatically cleared after 3 seconds of inactivity.
- Push notification tokens: To deliver push notifications to your device when your partner sends a message, taps a "thinking of you" heart, or initiates a call, we store a device-specific push token (issued by Apple Push Notification service or Firebase Cloud Messaging) associated with your phone number in Firebase Firestore. Push tokens contain no message content and are used solely to route notifications to your device.
- Push notification content: When your partner sends you a message, a push notification is delivered through Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android). For users with no app passcode set, this notification carries the message text in the push payload over HTTPS so the banner can appear immediately on your lock screen without unlocking the app. For users who have set an app passcode, the push carries only an encrypted reference; the actual message body is fetched and decrypted from Firestore after you unlock. Push payloads are not retained by Apple or Google after delivery, but they do transit those services in their respective formats. If you want push notification content to also be encrypted in transit through the relay providers, enable an app passcode in Settings → App Passcode.
1.7 Porter AI Assistant (On-Device)
Porter is an optional AI assistant that runs entirely on your device. It is powered by an open-source large language model (Gemma 4 E2B, Apache License 2.0) executed locally through the llama.rn runtime.
- Model download: The first time you enable Porter, the model file (approximately 2.9 GB) is downloaded from hosted model storage to your device and cached locally. No account information is transmitted with the download request beyond what is required to retrieve the file.
- On-device inference: All prompts you type and all responses Porter generates are processed locally on your device's CPU/GPU. No prompts, conversations, or responses are sent to Ren, Anthropic, OpenAI, Google, or any other third-party inference service.
- Conversation storage: Porter conversations are held in memory only. They are not persisted to disk, not uploaded, and not shared with your partner. Closing the app or leaving the Porter tab clears the conversation.
- No training on your data: Your prompts are never used to train, fine-tune, or improve any AI model.
1.8 In-App Games (Cup Pong & Pool)
Ren includes two optional turn-based two-player games — Cup Pong and Pool — that you and your paired partner can play in the chat. These games are off by default and are enabled per-user via Settings → Chat → Games.
- Game state: When you start a game, a small JSON document containing the current board state (cup positions, ball positions, whose turn it is, turn number) is stored in Firebase Firestore so your partner's device can render the same board. This document contains no personal information beyond the two paired phone numbers — only game coordinates and turn metadata.
- Win / loss tally: A per-pair counter recording how many Cup Pong and Pool games each player has won is stored in Firebase Firestore (collection
gameStats). The counter holds only phone numbers and integer win counts.
- Game retention: Game state documents are automatically deleted from our servers when the game ends. Win / loss tallies persist for as long as you remain paired and are deleted when you delete your account.
- No game telemetry: We do not collect or transmit any analytics about how you play, your shot data, your reaction times, or your in-game behaviour. The game runs entirely in the app; only the minimal state needed to synchronize the next turn is written to Firestore.
1.9 Data We Do NOT Collect
- Contacts or address book
- Device identifiers or advertising IDs
- Usage analytics or behavioral tracking
- Browsing history
- Biometric data
- Porter AI prompts, responses, or conversation history
- In-game telemetry, shot data, or play patterns
2. How We Use Your Data
We use the collected data solely to:
- Authenticate your identity via phone number verification
- Enable you to send and receive encrypted messages with your paired partner
- Display real-time presence and typing indicators
- Store and deliver shared photos and videos between paired users
- Facilitate peer-to-peer video calls between paired users
- Share your live location with your paired partner when enabled
- Deliver push notifications for new messages, taps, and incoming calls
- Remind you of upcoming anniversaries (processed locally on-device)
- Deliver the Porter AI model file to your device on first use (inference itself runs entirely on-device)
- Synchronize turn-based game state (Cup Pong, Pool) and your win / loss tally between you and your paired partner
We do not use your data for advertising, profiling, analytics, or any purpose beyond the core messaging functionality.
3. End-to-End Encryption
Ren uses industry-standard cryptographic protocols:
- Key Exchange: X25519 Diffie-Hellman
- Encryption: AES-256-GCM (with pairId as Additional Authenticated Data)
- Key Derivation: HKDF with SHA-256
- Random Number Generation: Platform-native CSPRNG via
react-native-get-random-values
Your encryption private key is generated on your device on first launch, stored in your device's secure keychain (iOS Keychain / Android EncryptedSharedPreferences), and never leaves your device. Your partner's public key and yours are combined via Diffie-Hellman to derive a shared AES key that only your two devices can compute.
What we cannot read
We have no ability to decrypt the following — the bytes that reach our servers are opaque ciphertext:
- Text messages and quoted reply previews
- Photos, videos, and video thumbnails
- Voice memo audio, plus the duration and waveform visualization
- Shared note titles and contents
- Date-plan titles and descriptions
- Live location coordinates
- Video call signaling (SDP offers / answers and ICE candidates)
Each ciphertext is bound to your specific pair via AES-GCM Additional Authenticated Data, so even we cannot relay one of your ciphertexts into a different pair's chat.
What is not end-to-end encrypted
The following data is processed unencrypted because it is required for the service to function or by the platform itself:
- Phone numbers (used for routing and pairing)
- Message timestamps, edit timestamps, and read receipts
- Message types (text / media / audio / game)
- Reactions (single emoji per message)
- Online / offline presence and typing indicators
- Push notification tokens issued by Apple / Google / Expo
- Push notification payloads when no app passcode is set (see Section 1.6)
- Call status, participant phone numbers, and call timestamps
- Game state (Cup Pong / Pool board positions) and win / loss tallies
- Media metadata: view counts, view limits, and the source label ("camera" or "gallery")
- Date-plan scheduling metadata: scheduled date/time, end date, completion status, and creator phone number (only the title and description fields of a date plan are end-to-end encrypted)
4. Data Sharing
We do not sell, rent, or share your personal data with any third parties for advertising, marketing, or behavioral profiling.
4.1 Third-Party Service Providers (Subprocessors)
We use the following third-party service providers, each of which acts as our data processor (and, where applicable under the GDPR, as our subprocessor) and may use the limited information we share with them only to provide services to us:
- Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Messaging, Cloud Functions): Subject to Google's Privacy Policy. Firebase processes your phone number for authentication and stores encrypted message data.
- RevenueCat (Subscription Management): Processes subscription status and purchase transactions. Subject to RevenueCat's Privacy Policy. RevenueCat receives an anonymous user ID (your Firebase Authentication UID, not your phone number) and subscription purchase data from the App Store or Google Play Store. RevenueCat does not receive your phone number, messages, or any personal content.
- Expo (Expo Push Notification Service): Operated by 650 Industries, Inc. ("Expo"). We use Expo's push notification relay to deliver most push notifications from our servers to your device, where the relay then hands the notification off to Apple Push Notification service (iOS) or, as a fallback path, Firebase Cloud Messaging (Android). Expo receives a push token (a relay-specific identifier), the notification title, and the notification body for each push. For users with no app passcode set, the message body is forwarded through the Expo relay in plaintext (over HTTPS). For users with an app passcode set, the relay sees only the title "Ren" and a generic placeholder; the actual message body is fetched and decrypted from Firestore on your device after you unlock. Subject to Expo's Privacy Policy.
- Apple Push Notification service / Google Firebase Cloud Messaging: Route push notifications to your device. Receive only the push token, notification title, and notification body delivered to them by Expo or, on Android for messaging pushes, by our Cloud Function directly.
4.2 Legal Process and Safety
We may disclose information when we believe in good faith that disclosure is required to: (a) comply with applicable law, valid legal process (such as a subpoena, warrant, or court order), or a governmental request; (b) protect the safety of our users or the public; (c) enforce these Terms or our Privacy Policy; or (d) detect, prevent, or address fraud, abuse, or technical or security issues.
Because text messages, photos, videos, video thumbnails, voice memos, shared notes, anniversary dates, live location coordinates, and video call signaling are end-to-end encrypted on your device, we are technically unable to provide the content of any of these in response to such requests — the bytes we hold are ciphertext that we have no key to decrypt. If compelled, we may be able to provide only limited unencrypted account metadata, such as phone numbers, registration timestamps, last-seen indicators, message timestamps and types, message reactions, call participant and status records, and game state. See Section 3 for the complete list of what is and is not encrypted.
4.3 Business Transfers
If K.Rise.Media LLC is involved in a merger, acquisition, financing or due-diligence process, reorganization, bankruptcy, receivership, or sale or transfer of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide reasonable notice (such as via email, push notification, or in-app notice) before your information becomes subject to a different privacy policy.
5. Data Retention
- Messages: Automatically deleted after 6 months
- Media: Stored until the associated message is deleted
- Video call data: Call signaling data is deleted after the call ends. No video or audio is recorded or stored
- Location data: Deleted immediately when you disable Live Location sharing
- Game state: Deleted automatically when a Cup Pong or Pool game ends
- Win / loss tallies: Deleted when you delete your account
- Push tokens: Deleted when you delete your account or sign out
- Account data: Retained until you delete your account
- On-device data: Remains on your device until you sign out or uninstall the app
6. Your Rights
You have the right to:
- Access your data by viewing it within the app
- Delete your messages (messages are automatically purged after 6 months)
- Unpair from your partner at any time via Settings
- Sign out and remove locally stored data
- Delete your account directly within the app via Settings → Delete Account, which permanently removes all your data from our servers
6.1 European Economic Area / United Kingdom Residents (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent laws:
- Right of access — obtain confirmation of whether we process your data and a copy of that data
- Right to rectification — request correction of inaccurate personal data
- Right to erasure ("right to be forgotten") — request deletion of your personal data
- Right to restriction of processing — request we limit how we process your data
- Right to data portability — request a machine-readable copy of your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
- Right to lodge a complaint with your local data protection supervisory authority
Data controller: K.Rise.Media LLC, Idaho, United States, contactable at k.rise.media@gmail.com. The lawful bases for our processing are (i) performance of the contract between you and us, (ii) your consent where applicable, and (iii) our legitimate interests in operating and securing the Service.
International transfers: Because our servers are operated by Google Firebase in the United States, your data is transferred outside the EEA/UK. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework (where applicable) executed with Google Cloud as the transfer mechanism.
6.2 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising any of these rights
We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We do not knowingly collect or sell the personal information of consumers under 16 years of age.
Sensitive personal information. Under the CPRA, "sensitive personal information" includes precise geolocation. When you enable Live Location, we process your precise GPS coordinates as described in Section 1.4 solely to share them with your paired partner. We do not use sensitive personal information to infer characteristics about you and do not use it for any purpose that would trigger the right to limit its use under the CPRA.
"Do Not Track" signals. We do not track users across third-party websites or services and therefore do not respond to "Do Not Track" browser signals.
To exercise any of these rights, email k.rise.media@gmail.com with the subject line "CCPA Request" from the phone number or email address associated with your account so we can verify your identity. You may also designate an authorized agent to make a request on your behalf, subject to our verification of the agent's authority.
6.3 Other U.S. State Privacy Rights
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Kentucky, or another U.S. state with a comprehensive consumer-privacy law, you may have rights generally similar to those described above for California — including the right to access, delete, and correct personal information, and the right to opt out of certain uses of personal information.
We extend the access, deletion, and correction rights described in Section 6 to all U.S. residents regardless of state. To exercise these rights, email k.rise.media@gmail.com from the phone number or email address associated with your account so we can verify your identity. We do not engage in "targeted advertising," "sale" of personal data, or "profiling in furtherance of decisions that produce legal or similarly significant effects," as those terms are defined under these laws.
7. Children's Privacy
Ren is not intended for use by anyone under the age of 13, and in the European Economic Area and United Kingdom not by anyone under the age of 16 (or such lower age as permitted by an EU member state, but in no event below 13). We do not knowingly collect personal information from children below these ages. If you believe a child below the applicable age has provided us with personal information, please contact us immediately at k.rise.media@gmail.com and we will take steps to delete that information promptly.
8. Security
We implement the following security measures:
- End-to-end encryption (AES-256-GCM) for messages, photos, videos, voice memos, shared notes, anniversary dates, live location, and video call signaling
- X25519 Diffie-Hellman key exchange with private keys generated on-device and never transmitted
- Ciphertexts cryptographically bound to your specific pair via AES-GCM Additional Authenticated Data, preventing cross-pair replay
- Sensitive credentials stored in device-native encrypted storage (iOS Keychain / Android EncryptedSharedPreferences)
- HTTPS for all network communication
- Optional app passcode lock with encrypted push notification delivery
- No plain-text storage of encryption keys, on the device or in our backend
No security system is perfect. While we take reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for keeping your device and your Ren account credentials secure.
8.1 Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and, where required, applicable supervisory or regulatory authorities, in accordance with applicable law (including the GDPR, CCPA/CPRA, and U.S. state breach-notification statutes). Notice may be provided by email, push notification, or in-app notice.
9. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide reasonable advance notice (such as via email, push notification, or in-app notice) before the changes take effect, and we will update the "Last Updated" date at the top of this policy. Your continued use of Ren after the changes take effect constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or your data, or to exercise any of the rights described above, contact us at:
Email: k.rise.media@gmail.com
Entity: K.Rise.Media LLC, a limited liability company organized under the laws of the State of Idaho, United States.