Effective date: [DATE]. Dead Letter is operated by [LEGAL NAME] ("we"). This policy describes what the app handles and what it never handles.
Dead Letter has no accounts, no profiles, no email sign-up, and no advertising or analytics SDKs. We never know who you are.
Letters you keep, seal, or burn are stored only on your device. Your first name, if you add one, is stored only on your device and is sent to our server only as a matching query when you ask to receive a letter; it is never stored on the server. The "Erase everything" control in settings deletes all local data.
When you release a letter, its text, the recipient's first name, and a random device identifier travel to our server. The text is screened by an automated safety filter; rejected letters are never stored. Accepted letters wait in a queue until one consenting reader receives them. After the reader confirms reading, the letter text is deleted from the server. A delivery record without the text (first name, dates, anonymous device identifiers) is retained for safety and abuse prevention.
If you ask for a Witness reading, the letter text is sent to a large language model API (Anthropic) for a one-time reflection and is processed transiently for that purpose.
The app generates a random identifier (UUID) so the exchange can match deliveries, receipts, blocks, and limits. It is never linked to your identity. Purchases are processed by Apple and RevenueCat; we receive anonymous purchase status only.
Reporting a letter removes it permanently and prevents that writer's letters from reaching you again. Report records are kept for safety review.
Dead Letter is rated 17+ and is intended for adults.
You can erase all local data in settings at any time. For deletion of server-side delivery records associated with your device identifier, contact us through Dead Letter Support from within the app so we can locate the identifier.