Privacy Policy

Effective date: 16 April 2026

This Privacy Policy describes how Ilya Komichev (sole operator) ("ToThem", "we", "us", "our") collects, uses, stores, and shares personal information when you use the ToThem mobile application and the website at to-them.org (together, the "Service"). By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

1. Who we are and how to reach us

ToThem is a private messenger and social feed application. The data controller for the purposes of this Policy is Ilya Komichev (sole operator). You can reach us at ilya.komichev@gmail.com for any privacy-related question, request, or complaint. We aim to respond within seven days.

2. Information we collect

We collect only the data we need to operate the Service. Categories below match the App Store Privacy Nutrition Label declared for ToThem.

Contact information. When you create an account we ask for an identifier such as a phone number or an email address. We use it to authenticate you and to let other users find you if they already know that identifier.

User profile. Display name, profile photo, biography, and language preference are stored on our servers and shown to other users you communicate with.

User content. Messages you send in chats, posts you publish to your feed, photos, videos, audio recordings, and any attachments are uploaded to our servers so they can be delivered to recipients and remain available across your devices. Media files are stored on Cloudflare R2 object storage in encrypted form at rest. Message text is stored in our PostgreSQL database. We process this content to deliver it; we do not read it for advertising or profiling.

Contact list (optional). If you grant access, we hash phone numbers from your address book on the device and send only the hashes to our servers to discover which of your contacts already use ToThem. We do not store the original numbers and do not upload names.

Photo and camera access (on demand). When you attach media we request access to your photo library or camera. We process only the file you select. We do not scan the rest of your library.

Microphone access (on demand). When you record a voice message we request microphone access. The recording is uploaded only when you press send.

Push notification token. We receive an opaque token from Apple Push Notification Service so we can deliver notifications to your device. The token is rotated by Apple and is not used for any other purpose.

Device and diagnostic information. We collect non-identifying technical data: app version, operating system version, device model, language, crash logs, and aggregated performance metrics. This helps us reproduce bugs and improve stability.

Identifiers. We assign your account a random internal user ID. We do not collect the iOS Identifier for Advertisers (IDFA) and we do not show the App Tracking Transparency prompt because we do not track you across other apps and websites.

Logs. Our servers keep request logs (IP address, timestamp, endpoint, status code) for up to 30 days for security and abuse prevention.

We do not collect: precise location, health or fitness data, financial data, biometric identifiers, browsing history outside ToThem, or sensitive categories such as political opinions or religious beliefs.

3. How we use the data

We use the data to:

  • create and authenticate your account;
  • deliver your messages, posts, and media to recipients;
  • send push notifications you opt into;
  • show you which of your contacts use ToThem;
  • diagnose crashes and improve performance;
  • enforce our Terms of Service, prevent abuse, fraud, and spam;
  • comply with legal obligations.

We do not use your data for behavioral advertising. We do not sell or rent your personal information to third parties.

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract (Article 6(1)(b)) for delivering the Service you signed up for.
  • Legitimate interests (Article 6(1)(f)) for security, abuse prevention, and product improvement.
  • Consent (Article 6(1)(a)) for optional features such as access to contacts, push notifications, and crash reporting where required.
  • Legal obligation (Article 6(1)(c)) when responding to lawful requests.

You may withdraw consent at any time. Withdrawal does not affect processing carried out before the withdrawal.

5. Sharing with third parties

We share data only with service providers strictly needed to run the Service:

  • Cloudflare, Inc. — object storage (R2) for media files and CDN.
  • Apple Inc. — push notification delivery (APNs).
  • Resend — transactional email (account verification, security alerts).
  • Fly.io — application hosting and PostgreSQL database hosting.

Each provider is bound by a data processing agreement and processes data only on our instructions. We do not share your messages, posts, or contact list with advertisers, data brokers, or analytics platforms.

We may disclose data to comply with a valid legal request or to protect the rights, property, or safety of users and the public. Where legally allowed, we will notify you before disclosure.

6. International transfers

Our infrastructure is located in the European Union (Amsterdam, Frankfurt). If your data is transferred outside your country, we rely on Standard Contractual Clauses or equivalent safeguards approved under applicable law.

7. Retention

We retain personal data only as long as needed:

  • Account profile and messages — until you delete your account, plus a 30-day grace period during which deletion can be undone.
  • Media files — until the message that references them is deleted, plus 30 days in encrypted backups.
  • Server logs — up to 30 days.
  • Crash reports — up to 90 days.
  • Records required by law (for example, tax-related billing data) — for the period required by the applicable jurisdiction.

After these periods data is irreversibly deleted from production systems. Backups are rotated within 90 days.

8. Security

We use TLS 1.2+ for all transport, encryption at rest for databases and media, scoped access tokens, role-based access control for support staff, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

If we become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority within the time required by applicable law.

9. Your rights

Depending on where you live you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — delete your account and the associated data (see Section 11).
  • Restriction — limit processing in certain situations.
  • Objection — object to processing based on legitimate interests.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — at any time for processing based on consent.
  • Complaint — lodge a complaint with your local data protection authority. In the EU you can find your authority at edpb.europa.eu. Residents of California have rights under the CCPA, including the right to know, delete, correct, and to limit the use of sensitive personal information; we do not sell or "share" personal information for cross-context behavioral advertising.

To exercise any right, write to ilya.komichev@gmail.com. We may ask for proof of identity to prevent fraudulent requests. We will respond within 30 days.

10. Children

ToThem is not intended for children under 13. If you are between 13 and the age of digital consent in your country, you may use ToThem only with the consent of a parent or legal guardian. If we learn that we have collected personal data from a child under 13 we will delete it.

11. Account deletion

You can delete your account at any time:

  1. Open ToThem on your device.
  2. Go to Settings → Profile → Delete account.
  3. Confirm the action.

After confirmation your account enters a 30-day grace period. During this time you can sign back in to cancel deletion. After the grace period your profile, messages, posts, and media are removed from our systems. Backups are rotated within 90 days.

If you cannot access the app, write to ilya.komichev@gmail.com from the email or with the phone number associated with your account, and we will delete your account manually.

Public URL with these instructions: https://to-them.org/delete-account.

12. Changes to this Policy

We may update this Privacy Policy. The "Effective date" at the top reflects the latest version. If changes are material, we will notify you in the app and by email at least 14 days before they take effect.

13. Contact

Ilya Komichev (sole operator) ilya.komichev@gmail.com