Privacy Policy

Last updated April 7, 2026 · Effective April 7, 2026

At Umbrella X we take your privacy seriously and we keep this document short enough to read in one sitting. We do not show advertising. We do not sell your data. We do not share it with data brokers. We collect the minimum amount of information needed to run a working messenger, and the content of your messages is end-to-end encrypted so we cannot read it even if we are asked to. This policy explains exactly what we collect, why, how long we keep it, and the rights you have. If anything below is unclear, write to privacy@umbrellax.io and we will explain.

1. Introduction

This Privacy Policy describes how Umbrella X handles personal data when you use our messenger application on iOS, Android, or any future client (Web, Windows, macOS), and when you visit our website at umbrellax.io. It covers data processed when you register an account, send and receive messages, browse our website, contact support, or otherwise interact with the Service. It does not cover third-party services you may reach through links from inside our app or website; those have their own privacy policies and we encourage you to read them.

The data controller is UmbrellaX LLP, a limited liability partnership registered in the Republic of Kazakhstan under business identification number 260440006927, with its registered office at Zheltoqsan St., 1-6, building 3, apt. 13, Oral, West Kazakhstan Region. Throughout this document we refer to UmbrellaX LLP as "Umbrella X", "we", "us", and "our". We refer to the messenger and the website together as the "Service". We refer to you as "you" or "the user". For privacy matters contact privacy@umbrellax.io. Our Data Protection Officer is reachable at dpo@umbrellax.io.

This Privacy Policy forms part of our Terms of Service. Practical, day-to-day questions about how things work ("how do I delete my account?", "how do I report abuse?", "what does end-to-end encryption mean?") are answered plainly on the FAQ.

2. The data we collect

We collect the smallest amount of data we need to run a working messenger. The list below is exhaustive. If something is not on this list, we do not collect it.

2.1 Account data

  1. Phone number. Required to register an account. We send an SMS verification code to confirm you control the number.
  2. Display name. Optional. You choose what other users see.
  3. Profile picture. Optional. You choose whether to upload one.
  4. Bio / status text. Optional. You write what you want.

2.2 Message metadata

To deliver messages we need a small amount of routing information for each message: sender identifier, recipient identifier, timestamp, message size, and delivery state (sent, delivered, read). We do not collect or store the content of your messages. Message content is end-to-end encrypted on your device with the Signal Protocol; our servers handle ciphertext that we cannot decrypt.

2.3 Device and technical data

  1. Push notification token. Issued by Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). Used to deliver "you have a new message" alerts to your device.
  2. App version and operating system. Used for compatibility and to prioritise security updates.
  3. Connection metadata. Your IP address and a session identifier are visible to our servers when you connect. We use them for security (rate limiting, abuse prevention) and we do not link them to a long-term advertising profile.

2.4 Things we explicitly do not collect

  1. Message content. End-to-end encrypted; we cannot read it.
  2. Plaintext address book contents. If we offer contact discovery in the future, it will use cryptographic hashing on your device so that we never see your contacts in cleartext.
  3. Precise GPS or location history.
  4. Browsing history.
  5. Advertising identifiers (IDFA, GAID).
  6. Biometric data.

3. Why we use each item of data

We use each piece of data for one or more of the purposes below. We do not reuse data for unrelated purposes.

  1. Phone number — to identify your account, send SMS codes, and prevent duplicate registrations.
  2. Display name, profile picture, bio — to show other users who they are talking to. You control all three.
  3. Message metadata — to route messages to the correct recipient and report delivery state back to the sender.
  4. Push tokens — to wake your device when a new message arrives. The push payload contains no message content.
  5. Connection metadata — to detect and stop abuse, spam, and brute-force attacks.
  6. App version and operating system — to maintain compatibility and to identify which builds are vulnerable when we publish a security update.

We do not use your data for advertising and we do not sell your data to anyone, ever.

4. Legal basis for processing (EU/EEA users)

If you are in the European Union, the European Economic Area, or the United Kingdom, the General Data Protection Regulation (GDPR) requires us to identify a lawful basis for each kind of processing. Our bases are:

  1. Performance of a contract (Art. 6(1)(b) GDPR) — for everything required to operate the Service: processing your phone number, routing messages, delivering push notifications.
  2. Legitimate interests (Art. 6(1)(f) GDPR) — for fraud prevention, abuse detection, and the security of our platform. Our interest is keeping the Service safe; we have weighed it against your interests and we believe it does not override them.
  3. Legal obligation (Art. 6(1)(c) GDPR) — when we are required to retain or disclose data by a valid legal process in our jurisdiction.
  4. Consent (Art. 6(1)(a) GDPR) — for any optional features that go beyond the basic Service. We will ask you clearly and you can withdraw consent at any time.

5. How long we keep your data

  1. Account data (phone number, display name, profile picture, bio) — for as long as your account exists. When you delete your account it is removed within 30 days; see section 12 and the Account Deletion page.
  2. Message metadata — kept for up to 90 days for delivery and abuse prevention purposes, then aggregated or deleted.
  3. Connection logs (IP, session id) — 30 days, then deleted.
  4. Push tokens — until they expire or until you uninstall the app, whichever comes first.
  5. Backups — encrypted backups of operational systems are retained for up to 90 days for disaster recovery and then overwritten.
  6. Legal hold data — only when we are compelled by a valid court order to preserve specific data, and only for the duration required.

6. How we share data

We do not sell your data. We do not share your data for advertising. The only times we share data are:

  1. With infrastructure providers we use to run the Service: Apple Push Notification Service (for iOS push), Firebase Cloud Messaging (for Android push), and our hosting providers. These providers act as data processors under our instructions and only handle data necessary to deliver their service.
  2. With law enforcement, when we receive a legally valid request from a Kazakhstan court or another competent authority recognised under Kazakhstan law. We disclose only the data we are required to disclose, never more, and we challenge requests that are overbroad or improper. We cannot disclose message content because it is end-to-end encrypted and we do not have it.
  3. In a corporate transaction such as a merger or acquisition. The acquiring entity inherits the obligations of this Privacy Policy.

7. International transfers

The Service is operated from infrastructure located primarily within the Republic of Kazakhstan. Some technical traffic (push notifications, error reports) is processed by international providers in the European Union and the United States. When we transfer personal data outside your country we rely on appropriate safeguards, including the Standard Contractual Clauses approved by the European Commission and equivalent mechanisms recognised by Kazakhstan law.

8. Security

We protect your data with the following measures:

  1. End-to-end encryption of all message content using the Signal Protocol. Encryption keys never leave your device, so we cannot read your messages even if compelled to.
  2. Transport encryption with TLS 1.3 between your device and our servers, with strong cipher suites and perfect forward secrecy.
  3. Encryption at rest for stored metadata.
  4. Strict access controls: only a small number of engineers have production access, and all access is logged and audited.
  5. Regular security review and a responsible disclosure programme. If you discover a vulnerability, please report it to security@umbrellax.io and we will respond promptly.

9. Your rights

Depending on where you live, you have some or all of the following rights over your personal data. We will honour all of these rights, regardless of jurisdiction, where it is technically possible to do so.

9.1 Rights under the GDPR (EU/EEA/UK)

  1. Right of access. You can ask us what personal data we hold about you and receive a copy.
  2. Right to rectification. If something we hold about you is wrong, you can correct it.
  3. Right to erasure ("right to be forgotten"). You can ask us to delete your data, subject to legal retention requirements.
  4. Right to restrict processing. You can ask us to limit how we use your data while a dispute is being resolved.
  5. Right to data portability. You can request your data in a machine-readable format.
  6. Right to object. You can object to processing based on legitimate interests.
  7. Right to withdraw consent. Where we rely on consent, you can withdraw it at any time without affecting prior processing.
  8. Right to lodge a complaint with a supervisory authority in your country of residence.

To exercise any of these rights, write to privacy@umbrellax.io. We respond within 30 days.

9.2 Rights under the CCPA / CPRA (California residents)

California residents have additional rights under the California Consumer Privacy Act:

  1. Right to know what personal information we collect, use, disclose, and (if applicable) sell.
  2. Right to delete personal information we have collected.
  3. Right to correct inaccurate personal information.
  4. Right to opt out of the sale or sharing of personal information. We do not sell or share your data, so this right has no practical effect for our users, but we are stating it explicitly so you know.
  5. Right to limit the use of sensitive personal information.
  6. Right to non-discrimination for exercising any of these rights.

To exercise these rights, write to privacy@umbrellax.io.

9.3 Rights under Kazakhstan law on Personal Data and Their Protection

Residents of the Republic of Kazakhstan have rights under Law No. 94-V of 21 May 2013 on Personal Data and Their Protection, including the right to access, correct, block, and destroy their personal data, and the right to revoke consent. To exercise these rights, write to privacy@umbrellax.io. The original Kazakhstan-language text of the Law prevails over any English translation we may provide.

10. Cookies and local storage

Our website at umbrellax.io uses two small items of local storage in your browser, both strictly functional, both stored on your device only, and neither ever sent to us or to any third party. The mobile application does not use cookies at all.

The two items are:

  1. theme — remembers whether you last chose light or dark mode, so the site does not flash the wrong colour on reload. Set only when you click the sun/moon icon in the header.
  2. lang — remembers your language preference on the landing page, so the site comes up in the language you picked last time. Set only when you pick a language from the dropdown.

We do not use Google Analytics, Plausible, Matomo, or any other analytics product. We do not use Facebook Pixel, TikTok Pixel, or any other advertising pixel. We do not use session replay or heatmap tools. We do not embed YouTube videos, Twitter timelines, Facebook buttons, Disqus comments, or any other third-party widget that sets cookies from a foreign domain. Our fonts are self-hosted. Because everything we store is strictly necessary to remember your own choices, consent under the GDPR and the ePrivacy Directive is not required, and we do not show a cookie banner. If you want to remove the two values anyway, open your browser's site data dialog for umbrellax.io and clear it; the website will continue to work normally and will simply forget your theme and language choice on the next visit.

11. Children

The Service is intended for users aged 13 and older. In the European Union, the minimum age may be higher (typically 16) under Article 8 of the GDPR. We do not knowingly collect personal data from children below the applicable minimum age. If we discover that an account belongs to a child below the applicable minimum age, we delete the account and the associated data without undue delay. If you are a parent or guardian and you believe a child has registered for the Service in violation of this policy, write to privacy@umbrellax.io.

12. Account deletion

You can delete your account at any time. The fastest way is from inside the app: open Settings → Account → Delete Account and follow the instructions. If you no longer have the app installed, you can send a deletion request from the web. Full step-by-step instructions for both methods, an exact list of what we remove, and what we retain briefly after deletion, are on the Account Deletion page. A shorter walk-through is also on the FAQ. After we receive and verify your request, we delete your profile and associated metadata within 30 days, subject to the retention exceptions described in section 5.

13. Changes and contact

We may update this Privacy Policy from time to time. If we make changes that meaningfully affect your rights or how we use your data, we will notify you in advance through the app and on our website, at least 30 days before the changes take effect. Older versions are kept on file and available on request from privacy@umbrellax.io.

For privacy questions, requests, or complaints, write to privacy@umbrellax.io or to our Data Protection Officer at dpo@umbrellax.io. For general support: support@umbrellax.io. Postal address: UmbrellaX LLP, Zheltoqsan St., 1-6, building 3, apt. 13, Oral, West Kazakhstan Region, Republic of Kazakhstan. If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction.