Last updated: May 28, 2026.

What The Relay Can See

  • Source IP addresses for rate limiting and abuse control. The application uses them ephemerally and does not persist IPs in durable relay stores; hosting, CDN, or reverse-proxy logs may have their own retention.
  • Public identifiers needed to deliver data and validate access.
  • Contribution timestamps, upload times, fetch cadence, and other ordering metadata needed for sync.
  • Opt-in directory username claims and public profile fields.
  • Encrypted object metadata such as object identifiers, sizes, timing, and routing information needed for synchronization.
  • Authority, revocation, and migration metadata required to operate Connected access. The authority boundary is covered in the Security Model.
  • Billing subscription status and usage counters when hosted billing is configured.

What The Relay Cannot See

  • Message content. Object payloads and invite payloads are end-to-end encrypted; the relay stores ciphertext.
  • File or attachment plaintext. Chunks are encrypted before they reach the relay.
  • Private keys, mnemonic recovery material, or local device secrets. These do not leave the client.
  • Space membership as decrypted plaintext lists. The relay may see request-visible identifiers and encrypted-object metadata, but not decrypted space state.

Retention

  • Encrypted object chunks default to a 30-day TTL and are evicted earlier under blockstore pressure.
  • Encrypted object metadata records default to a 90-day TTL and are retained longer than chunks so clients can discover stale references and re-upload when needed.
  • Contribution indexes retain entries for 30 days.
  • DID invite inbox entries and code-invite blobs expire after 7 days.
  • Relay-mediated invite redemption handshakes are in memory only and expire after 1 hour.
  • Rate limiter state and live WebSocket subscription state are ephemeral.
  • Billing subscription and usage records are persisted when billing is enabled. Payment card and bank details are handled by Stripe, not by Envoy.
  • Envoy does not use analytics, telemetry beacons, tracking pixels, or product behavior profiling in the relay.

Data Rights

  • Deletion: deleting an identity makes associated encrypted relay data unreferenceable by that identity. Encrypted blobs then age out through TTL eviction. Remove or replace public directory claims before deleting the identity that signed them.
  • Portability: access and export happen through Envoy commands such as history, inbox, tasks, audit, provenance, and member inspection.
  • Access: the relay stores ciphertext plus the metadata listed above. Message plaintext is not available from the relay.

For privacy or deletion requests, contact [email protected] or [email protected].