Ren Privacy Policy

Effective Date: March 5, 2026 · Last Updated: May 3, 2026 (clarified live-location is foreground-only, added Expo Push Notification Service to subprocessor list, refined date-plan encryption scope, removed reference to unshipped safety-number UI)

Ren ("we," "our," or "the app") is a private, end-to-end encrypted messaging application designed exclusively for couples. Your privacy is fundamental to our design. This policy explains what data we collect, how it is used, and your rights.


1. Data We Collect

1.1 Account Information

1.2 Messages & Media

1.3 Video Calls

1.4 Location Data

1.5 Locally Stored Data (On-Device Only)

The following data is stored exclusively on your device and is never transmitted to our servers:

1.6 Automatically Collected Data

1.7 Porter AI Assistant (On-Device)

Porter is an optional AI assistant that runs entirely on your device. It is powered by an open-source large language model (Gemma 4 E2B, Apache License 2.0) executed locally through the llama.rn runtime.

1.8 In-App Games (Cup Pong & Pool)

Ren includes two optional turn-based two-player games — Cup Pong and Pool — that you and your paired partner can play in the chat. These games are off by default and are enabled per-user via Settings → Chat → Games.

1.9 Data We Do NOT Collect


2. How We Use Your Data

We use the collected data solely to:

We do not use your data for advertising, profiling, analytics, or any purpose beyond the core messaging functionality.


3. End-to-End Encryption

Ren uses industry-standard cryptographic protocols:

Your encryption private key is generated on your device on first launch, stored in your device's secure keychain (iOS Keychain / Android EncryptedSharedPreferences), and never leaves your device. Your partner's public key and yours are combined via Diffie-Hellman to derive a shared AES key that only your two devices can compute.

What we cannot read

We have no ability to decrypt the following — the bytes that reach our servers are opaque ciphertext:

Each ciphertext is bound to your specific pair via AES-GCM Additional Authenticated Data, so even we cannot relay one of your ciphertexts into a different pair's chat.

What is not end-to-end encrypted

The following data is processed unencrypted because it is required for the service to function or by the platform itself:


4. Data Sharing

We do not sell, rent, or share your personal data with any third parties for advertising, marketing, or behavioral profiling.

4.1 Third-Party Service Providers (Subprocessors)

We use the following third-party service providers, each of which acts as our data processor (and, where applicable under the GDPR, as our subprocessor) and may use the limited information we share with them only to provide services to us:

4.2 Legal Process and Safety

We may disclose information when we believe in good faith that disclosure is required to: (a) comply with applicable law, valid legal process (such as a subpoena, warrant, or court order), or a governmental request; (b) protect the safety of our users or the public; (c) enforce these Terms or our Privacy Policy; or (d) detect, prevent, or address fraud, abuse, or technical or security issues.

Because text messages, photos, videos, video thumbnails, voice memos, shared notes, anniversary dates, live location coordinates, and video call signaling are end-to-end encrypted on your device, we are technically unable to provide the content of any of these in response to such requests — the bytes we hold are ciphertext that we have no key to decrypt. If compelled, we may be able to provide only limited unencrypted account metadata, such as phone numbers, registration timestamps, last-seen indicators, message timestamps and types, message reactions, call participant and status records, and game state. See Section 3 for the complete list of what is and is not encrypted.

4.3 Business Transfers

If K.Rise.Media LLC is involved in a merger, acquisition, financing or due-diligence process, reorganization, bankruptcy, receivership, or sale or transfer of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide reasonable notice (such as via email, push notification, or in-app notice) before your information becomes subject to a different privacy policy.


5. Data Retention


6. Your Rights

You have the right to:

6.1 European Economic Area / United Kingdom Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent laws:

Data controller: K.Rise.Media LLC, Idaho, United States, contactable at k.rise.media@gmail.com. The lawful bases for our processing are (i) performance of the contract between you and us, (ii) your consent where applicable, and (iii) our legitimate interests in operating and securing the Service.

International transfers: Because our servers are operated by Google Firebase in the United States, your data is transferred outside the EEA/UK. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework (where applicable) executed with Google Cloud as the transfer mechanism.

6.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We do not knowingly collect or sell the personal information of consumers under 16 years of age.

Sensitive personal information. Under the CPRA, "sensitive personal information" includes precise geolocation. When you enable Live Location, we process your precise GPS coordinates as described in Section 1.4 solely to share them with your paired partner. We do not use sensitive personal information to infer characteristics about you and do not use it for any purpose that would trigger the right to limit its use under the CPRA.

"Do Not Track" signals. We do not track users across third-party websites or services and therefore do not respond to "Do Not Track" browser signals.

To exercise any of these rights, email k.rise.media@gmail.com with the subject line "CCPA Request" from the phone number or email address associated with your account so we can verify your identity. You may also designate an authorized agent to make a request on your behalf, subject to our verification of the agent's authority.

6.3 Other U.S. State Privacy Rights

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Kentucky, or another U.S. state with a comprehensive consumer-privacy law, you may have rights generally similar to those described above for California — including the right to access, delete, and correct personal information, and the right to opt out of certain uses of personal information.

We extend the access, deletion, and correction rights described in Section 6 to all U.S. residents regardless of state. To exercise these rights, email k.rise.media@gmail.com from the phone number or email address associated with your account so we can verify your identity. We do not engage in "targeted advertising," "sale" of personal data, or "profiling in furtherance of decisions that produce legal or similarly significant effects," as those terms are defined under these laws.


7. Children's Privacy

Ren is not intended for use by anyone under the age of 13, and in the European Economic Area and United Kingdom not by anyone under the age of 16 (or such lower age as permitted by an EU member state, but in no event below 13). We do not knowingly collect personal information from children below these ages. If you believe a child below the applicable age has provided us with personal information, please contact us immediately at k.rise.media@gmail.com and we will take steps to delete that information promptly.


8. Security

We implement the following security measures:

No security system is perfect. While we take reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for keeping your device and your Ren account credentials secure.

8.1 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you and, where required, applicable supervisory or regulatory authorities, in accordance with applicable law (including the GDPR, CCPA/CPRA, and U.S. state breach-notification statutes). Notice may be provided by email, push notification, or in-app notice.


9. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide reasonable advance notice (such as via email, push notification, or in-app notice) before the changes take effect, and we will update the "Last Updated" date at the top of this policy. Your continued use of Ren after the changes take effect constitutes acceptance of the updated policy.


10. Contact Us

If you have questions about this Privacy Policy or your data, or to exercise any of the rights described above, contact us at:

Email: k.rise.media@gmail.com
Entity: K.Rise.Media LLC, a limited liability company organized under the laws of the State of Idaho, United States.