Convro is built on a fundamental principle: privacy is a human right, not a feature. This Privacy Policy explains how we protect that right through our zero-knowledge architecture, what minimal data we process to operate the Service, and what rights you have regarding your information.
Unlike traditional messaging services that collect extensive user data and metadata, Convro is architecturally designed to know as little as possible about you. We cannot read your messages. We cannot see who you communicate with. We cannot track when you are online. This is not a policy choice—it is a technical reality enforced by cryptography.
This Privacy Policy should be read in conjunction with our Terms of Service. By using Convro, you acknowledge that you have read and understood both documents.
The data controller responsible for processing activities described in this Privacy Policy is:
While Convro Ltd is incorporated in the United Kingdom, all technical infrastructure for data processing is located exclusively within the Swiss Confederation. This structure ensures that any data processing benefits from Switzerland's robust constitutional and statutory privacy protections.
Convro's data processing activities are governed by Swiss data protection law, which provides among the strongest privacy protections in the world.
Switzerland has received an adequacy decision from the European Commission, confirming that Swiss data protection law provides an adequate level of protection equivalent to that of the European Union. However, Convro's architecture goes far beyond minimum legal requirements—we have designed a system where privacy is protected by mathematics, not merely by policy.
Convro operates on a principle of radical data minimization. We collect only what is technically essential to route encrypted messages between users. The following table details the limited data elements we process:
| Data Element | Purpose | Retention | Accessible to Convro |
|---|---|---|---|
| Convro Virtual Number | Unique account identifier for message routing | Until account deletion | Yes (identifier only) |
| Public Cryptographic Keys | Enable end-to-end encryption key exchange | Until account deletion | Yes (public keys only) |
| Device ID (derived) | SHA-256 hash of Ed25519 public key for device identification | Until device deregistration | Yes (hash only) |
| Encrypted Message Payloads | Temporary storage for message delivery | Until delivered (max 30 days) | No (encrypted) |
| Encrypted Media Files | Temporary storage for media delivery | Until delivered (max 30 days) | No (encrypted) |
| Recipient Virtual Number (per message) | Message routing to correct recipient | Transient (routing only) | Yes (for routing) |
| Rounded Timestamp | Message ordering (5-minute precision with jitter) | Transient | Yes (imprecise) |
When you create a Convro account, the following occurs entirely on your device:
Only your public keys and derived Device ID are transmitted to our servers. Your private keys never leave your device under any circumstances.
Upon successful registration, our server assigns you a permanent Convro Virtual Number in the format +99 XXX XXX. This number:
The following data is explicitly never collected, stored, or processed by Convro. This is not merely a policy—our technical architecture makes collection of this data impossible.
Convro does not log, store, or process IP addresses of users connecting to our service. Our server infrastructure is configured to discard connection metadata immediately after processing. We cannot determine your physical location, internet service provider, or network identity.
Due to our implementation of Sealed Sender technology, our servers cannot determine who is communicating with whom. We see only the recipient of each message (necessary for routing); the sender's identity is cryptographically hidden and revealed only to the recipient upon decryption.
Convro does not implement any analytics, telemetry, crash reporting, or usage tracking systems. We do not use third-party analytics services such as Google Analytics, Firebase, Mixpanel, or similar tools. We have no visibility into how you use the application.
The minimal data we process is used exclusively for the following purposes:
Processing of Convro Virtual Numbers, public keys, and encrypted payloads is necessary to provide the core messaging functionality—routing encrypted messages from senders to recipients.
Public cryptographic keys are stored to enable the key exchange necessary for end-to-end encryption. When you send a message, your device retrieves the recipient's public keys to encrypt the message such that only the recipient can decrypt it.
Device IDs and associated public keys are stored to support operation across multiple devices registered to the same account. Each device maintains independent keys.
Encrypted message payloads and media files are temporarily stored on our servers until the recipient's device retrieves them. This temporary storage is essential for asynchronous messaging when the recipient is offline.
We do not process any data for: advertising, marketing, profiling, behavioral analysis, sale to third parties, or any purpose other than direct service provision.
Under the Swiss Federal Act on Data Protection (DSG), processing of personal data requires a legal basis. Our processing activities are based on:
Processing of your Convro Virtual Number, public keys, and encrypted message payloads is necessary for the performance of the contract between you and Convro (the Terms of Service). Without this processing, we cannot provide the messaging service.
Temporary storage of encrypted messages for delivery, and maintenance of service infrastructure, is based on our legitimate interest in providing a reliable messaging service and your legitimate interest in receiving messages sent to you.
Due to the minimal nature of our processing and the strong legal bases described above, we do not rely on consent as a legal basis for processing. This means you do not need to provide consent, and there is no consent to withdraw. Your privacy is protected by architecture, not by revocable permission.
Convro implements multiple layers of cryptographic protection through the proprietary Convro6Protocol (C6P). This section explains how these protections work to ensure your privacy.
All messages, media, and files transmitted through Convro are end-to-end encrypted. This means:
The Convro6Protocol employs the following cryptographic standards:
| Function | Algorithm | Standard |
|---|---|---|
| Key Derivation | HKDF-SHA256 | RFC 5869 |
| Authenticated Encryption | ChaCha20-Poly1305 / XChaCha20-Poly1305 | RFC 8439 |
| Digital Signatures | Ed25519 (EdDSA) | RFC 8032 |
| Key Agreement | X25519 (ECDH) | RFC 7748 |
| Session Binding | 63-byte AAD | Proprietary |
| Password Hashing | Argon2id | RFC 9106 |
Convro implements Sealed Sender technology, which cryptographically hides the identity of message senders from our servers. When you send a message:
The Convro6Protocol specification and client applications (iOS and Android) are open source. This enables independent security researchers, cryptographers, and the public to verify our privacy claims. We invite scrutiny because we have nothing to hide.
While many services claim end-to-end encryption for message content, they often still collect extensive metadata—data about your communications that can be just as revealing as the content itself. Convro implements comprehensive metadata protection.
| Metadata Type | Typical Messengers | Convro |
|---|---|---|
| Sender Identity | Visible to server | Hidden (Sealed Sender) |
| Recipient Identity | Visible to server | Visible (for routing) |
| Message Content | Encrypted | Encrypted (C6P) |
| Message Size | Variable (analyzable) | Fixed 64KB (padded) |
| Precise Timestamp | Exact time recorded | 5-minute precision + jitter |
| Social Graph | Full exposure | Recipient-only |
| IP Address | Logged | Not logged |
| Online Status | Tracked | Not tracked |
All messages transmitted through Convro are padded to a fixed size of 64 kilobytes, regardless of actual content length. This prevents traffic analysis attacks that could otherwise infer information about your communications based on message sizes (e.g., distinguishing a short text from a long document).
Message timestamps are deliberately imprecise:
Convro does not expose read receipts, typing indicators, or online/offline status. These features, while convenient, create significant privacy leaks that we have chosen to eliminate entirely.
Convro follows a strict data minimization approach to retention:
Your Convro Virtual Number and public cryptographic keys are retained for as long as your account exists. Upon account deletion, this data is permanently erased from our servers.
Encrypted messages and media files are stored on our servers only until they are delivered to the recipient's device. Once delivery is confirmed, the encrypted payload is deleted from our servers. Messages to offline recipients are retained for a maximum of 30 days, after which they are automatically deleted if undelivered.
Convro does not maintain any archives, backups, or historical records of messages. Once a message is delivered or expires, it exists only on the devices of the sender and recipient. We have no ability to recover deleted or expired messages.
Our servers do not maintain access logs, connection logs, or any other logs that could identify users or their activities. This is a deliberate architectural decision—logs that don't exist cannot be subpoenaed.
All Convro servers and data processing infrastructure are located exclusively within the Swiss Confederation. Switzerland was chosen for its:
Your data is not transferred to, processed in, or accessible from any country outside of Switzerland. We do not use cloud providers, content delivery networks, or other services that would result in your data leaving Swiss jurisdiction.
While Convro Ltd is incorporated in the United Kingdom for administrative purposes, this corporate structure does not affect the location of data processing. UK authorities have no direct access to data stored on Swiss servers, and any requests for data would be subject to the mutual legal assistance treaty (MLAT) process and Swiss legal standards.
Convro does not sell, rent, lease, trade, or otherwise share any user data with third parties for commercial purposes. We do not:
Convro does not integrate with or send data to third-party services such as:
Our Swiss server infrastructure is operated on dedicated hardware. We do not use shared cloud platforms where third parties could potentially access server data. All infrastructure administration is performed directly by Convro personnel.
Convro will comply with valid legal requests from Swiss authorities issued pursuant to Swiss law. However, due to our zero-knowledge architecture, we can provide only extremely limited information in response to any request.
In response to a valid Swiss legal process, we may be compelled to provide:
Due to our technical architecture, we cannot provide the following even if legally compelled:
Where legally permitted, Convro will notify users if their account data has been requested by legal authorities, allowing them to seek legal counsel or take other protective measures.
Convro does not implement, and will never implement, encryption backdoors, key escrow systems, or any mechanism that would allow us or any third party to access encrypted communications. We will resist any legal or governmental pressure to compromise the security of our encryption.
Under the Swiss Federal Act on Data Protection (DSG) and, where applicable, the EU General Data Protection Regulation (GDPR), you have certain rights regarding your personal data. However, due to our zero-knowledge architecture, the practical exercise of some rights is limited by the nature of our service.
You have the right to request confirmation of whether we process your personal data and to receive a copy of such data. In practice, we can confirm the existence of your account and provide your Convro Virtual Number and public keys. We cannot provide message content, metadata, or communication history because we do not have access to this information.
You have the right to request correction of inaccurate personal data. Since we do not collect personal information such as names, addresses, or contact details, there is typically nothing to correct. Your Convro Virtual Number is system-generated and cannot be changed.
You have the right to request deletion of your personal data. You can exercise this right immediately and completely through the Critical Data Wipe function in the application (see Section 15). This deletion is irreversible and comprehensive.
You have the right to receive your personal data in a portable format. We can provide your public keys and Convro Virtual Number upon request. Message content cannot be exported from our servers because we do not have access to it—messages exist only in encrypted form on your device.
You have the right to object to processing of your personal data. Since our processing is limited to what is technically necessary for service provision, objecting to processing is equivalent to discontinuing use of the service.
You have the right to lodge a complaint with a supervisory authority. The competent authority for Convro is:
To exercise any of the above rights, please contact us at KillTheBug@convro.eu. We will respond to valid requests within 30 days. Due to our privacy architecture, we may be unable to verify your identity through traditional means; we may request that you demonstrate control of the Convro account in question through cryptographic proof.
You may delete your Convro account at any time by uninstalling the application. Because we do not retain personal identifiers linking your account to you, and because message history exists only on your device, uninstalling effectively removes your presence from our systems.
For situations requiring immediate and comprehensive data destruction, Convro provides a Critical Data Wipe function accessible through application settings. Activation requires biometric confirmation (Face ID, fingerprint, or equivalent). This function immediately and irreversibly:
When you delete your account, messages you previously sent to other users remain on their devices (encrypted with their keys). We cannot remotely delete messages from recipients' devices. If you require complete message erasure, you should use the disappearing messages feature before sending sensitive content.
The Convro mobile application does not use cookies. The application stores the following data locally on your device:
This local data never leaves your device and is not accessible to Convro.
The Convro website (convro.eu) uses minimal functional cookies solely to:
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. No personal data is collected through cookies.
You can manage cookies through your browser settings. Blocking all cookies will not affect your use of the Convro mobile application, though some website features may not function correctly.
Convro is not intended for use by individuals under the age of sixteen (16). By using Convro, you represent that you are at least 16 years old.
We do not knowingly collect personal data from children under 16. Due to our privacy architecture, we cannot verify the age of users and do not collect information that would allow us to do so.
Parents and guardians are responsible for monitoring their children's use of electronic devices and online services. If you believe a child under 16 has created a Convro account, please contact us at KillTheBug@convro.eu.
Convro implements comprehensive technical security measures including:
Our organizational security measures include:
While we implement strong security measures, no system is perfectly secure. We cannot protect against:
If you discover a security vulnerability in Convro, please report it responsibly to KillTheBug@convro.eu with "[SECURITY]" in the subject line. We appreciate security researchers who work with us to protect our users.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will update the "Effective Date" at the top of this policy.
For material changes that significantly affect how we process your data, we will provide notice through the Convro application or other appropriate means at least fourteen (14) days before the changes take effect.
Your continued use of Convro after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with changes, you should discontinue use of the service and delete your account.
Previous versions of this Privacy Policy may be requested by contacting us at KillTheBug@convro.eu.
For any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
If you are not satisfied with our response, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at the address provided in Section 14.6.
End of Privacy Policy
Last Updated: 13 January 2026 | Version 1.0
© 2026 Convro Ltd. All rights reserved.