hu-net is a trust layer for the open social web. We've designed it so the people building trust — you and the humans you meet — hold the data, not us. This policy describes what hu-net does and does not collect, how the app stores information on your device, and what (limited) role any servers play.
Every claim below can be verified by reading the source: github.com/thestumonkey/hu-net.
TL;DR
- hu-net does not sell or share your data with advertisers.
- hu-net never transmits your private key. It lives in your device's OS secure store and leaves the device only if you export it yourself or an OS-level backup copies it (see "Your controls").
- Messages are end-to-end encrypted using NIP-17 gift-wrap before they leave your device. Relays see only opaque wrappers.
- Location is sampled only during a handshake, signed locally, and stored as part of the attestation. It is not continuously tracked.
- If you delete your account in the app, we wipe local state immediately and request that any optional backend index forget you.
What hu-net stores on your device
| Data | Where it lives | Why |
|---|---|---|
| Nostr private key | iOS Keychain / Android Keystore (hardware-backed by the Secure Enclave / StrongBox where the device supports it) | Your identity. Signs attestations and decrypts your messages. Never transmitted by hu-net; it leaves the device only through your own explicit export or an OS-level backup. |
| Bluesky session token (optional) | Same secure store | Lets the app post to and read from your Bluesky account if you link it. |
| Messages | Local SQLite database | Held decrypted on-device for fast access, so at rest they are protected by your device lock and the OS's storage encryption rather than by hu-net; transmitted only as NIP-17 gift-wrap. |
| Trust graph | Local SQLite database | Records of handshakes you've performed and the connections that resulted. |
| Linked accounts | Local SQLite database | Handles of social accounts (Bluesky, X, GitHub, LinkedIn) you've associated with your profile. |
| Recovery state | Local SQLite database | Tracks any recovery vouches you've issued or received. |
| Feed-ranking weights | Secure store | Your personal tuning of the trust-weighted feed ranker. |
This data is wiped when you use Delete Account (see "Your controls") or when you uninstall the app. Exceptions: Keychain entries may survive if you've enabled iCloud Keychain sync, and Android backup may hold a copy of the secure store (see "Your controls").
What hu-net transmits
- To Nostr relays (your choice): NIP-17 gift-wrapped events (kind 1059) and public profile updates, when you send messages or update your public profile. Message content is encrypted; the relay sees only an opaque wrapper.
- To Bluesky / AT Protocol (only if linked): OAuth-signed (DPoP) reads and writes against your own repo, when you fetch your feed or publish an identity claim.
- To the optional hu-net backend: authenticated requests for trust graph queries and explicitly published handshake attestations. The mobile app runs in "serverless" mode by default, with no backend calls.
- To Casdoor (only in non-serverless mode): a standard OIDC login flow. We receive a signed JWT we verify locally against Casdoor's published JWKS; we do not see your password.
We do not transmit:
- Your private keys, under any circumstances.
- Your background location.
- Your address book or device contacts.
- Telemetry, analytics, or advertising identifiers.
- Crash data, except via Sentry if you have explicitly opted in (off by default).
Location
hu-net uses your location only at the moment you perform a handshake, to embed signed GPS coordinates in the attestation. We request "When In Use" location permission and we never sample your location in the background. The coordinates become part of the attestation bundle, stored on your device and shared with the other party.
You can revoke location permission at any time in iOS / Android Settings. The app will still work; handshakes will simply not include GPS data.
Messages and end-to-end encryption
Direct messages and group chats use NIP-17 gift-wrap. The relays that route your messages see only kind-1059 wrapper events: a one-time signing key in place of the sender's, a timestamp randomised into the past, a "p" tag naming the recipient, and content encrypted (NIP-44) to the recipient. A relay can therefore tell which public key a wrap is addressed to, but not who sent it, exactly when, or what it says. Even hu-net's developers, with full access to every relay log, could not read them.
This also means that if you lose your private key without performing social recovery, the copies of your past messages held on relays can never be decrypted again, by you or by anyone else. This is a deliberate trade-off in favour of confidentiality.
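As an added example (not hu-net's code and not part of this policy), the following Python builds a NIP-59 gift wrap the way a sending client would and then reports exactly what a relay can check and learn from it. The secp256k1 / BIP-340 arithmetic is a minimal educational implementation (not constant-time; use a vetted library for anything real), the ciphertext is a constructed stand-in because NIP-44 encryption of the inner message is not implemented here, and BOB_SK is a made-up test key, not a real identity.

```python
# Added example, not hu-net's code. Educational secp256k1/BIP-340 (not constant-time);
# FAKE_CIPHERTEXT stands in for a NIP-44 payload, BOB_SK is a constructed test key.
import base64, hashlib, json, os, secrets, time

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TWO_DAYS = 2 * 24 * 3600  # NIP-59: created_at is randomised up to two days into the past

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _tagged(tag, *parts):  # BIP-340 tagged hash
    h = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(h + h + b"".join(parts)).digest()

def _lift_x(x):  # x-only pubkey -> point with even y
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y) if x < P and y * y % P == y_sq else None

def pubkey(sk):  # 32-byte x-only public key, as Nostr uses
    return _mul(sk, G)[0].to_bytes(32, "big")

def sign(sk, msg, aux=bytes(32)):
    """BIP-340 Schnorr signature over a 32-byte message (the event id)."""
    pt = _mul(sk, G)
    d = sk if pt[1] % 2 == 0 else N - sk
    px = pt[0].to_bytes(32, "big")
    t = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), _tagged("BIP0340/aux", aux)))
    k0 = int.from_bytes(_tagged("BIP0340/nonce", t, px, msg), "big") % N
    r = _mul(k0, G)
    k, rx = (k0 if r[1] % 2 == 0 else N - k0), r[0].to_bytes(32, "big")
    e = int.from_bytes(_tagged("BIP0340/challenge", rx, px, msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")

def verify(pk, msg, sig):
    pt = _lift_x(int.from_bytes(pk, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N: return False
    e = int.from_bytes(_tagged("BIP0340/challenge", sig[:32], pk, msg), "big") % N
    rp = _add(_mul(s, G), _mul(N - e, pt))
    return rp is not None and rp[1] % 2 == 0 and rp[0] == r

def event_id(ev):  # NIP-01: sha256 of the canonical serialisation
    fields = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(fields, separators=(",", ":"), ensure_ascii=False).encode()).hexdigest()

def make_gift_wrap(recipient_pk_hex, ciphertext, now=None):
    """Kind-1059 wrapper signed by a fresh one-time key (NIP-59); the sender's key never appears."""
    now = now or int(time.time())
    wrap_sk = secrets.randbelow(N - 1) + 1
    ev = {"pubkey": pubkey(wrap_sk).hex(), "created_at": now - secrets.randbelow(TWO_DAYS),
          "kind": 1059, "tags": [["p", recipient_pk_hex]], "content": ciphertext}
    ev["id"] = event_id(ev)
    ev["sig"] = sign(wrap_sk, bytes.fromhex(ev["id"])).hex()
    return ev

def _is_json(s):
    try: json.loads(s); return True
    except ValueError: return False

def relay_view(ev, now=None):
    """Everything a relay can check or learn from a gift wrap, and nothing more."""
    now = now or int(time.time())
    return {
        "id_ok": event_id(ev) == ev["id"],
        "sig_ok": verify(bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["id"]), bytes.fromhex(ev["sig"])),
        "is_gift_wrap": ev["kind"] == 1059,
        "recipient": next((t[1] for t in ev["tags"] if t[0] == "p"), None),  # the one leaked identifier
        "wrapper_pubkey": ev["pubkey"],  # one-time key, unlinkable to the sender
        "timestamp_plausible": now - TWO_DAYS - 60 <= ev["created_at"] <= now + 60,
        "content_opaque": not _is_json(ev["content"]),
    }

# Constructed test key and stand-in ciphertext (a NIP-44 v2 payload starts with a 0x02 version byte).
BOB_SK = 0x2222222222222222222222222222222222222222222222222222222222222222
FAKE_CIPHERTEXT = base64.b64encode(b"\x02" + os.urandom(64)).decode()

def demo():
    """Wrap the stand-in ciphertext for Bob and return the wrap plus the relay's view of it."""
    wrap = make_gift_wrap(pubkey(BOB_SK).hex(), FAKE_CIPHERTEXT)
    return wrap, relay_view(wrap)
```

Running demo() shows the split the policy describes: the relay can validate the id and signature and sees a kind, a plausible timestamp and the recipient in the "p" tag, but the signing key is throwaway and the content does not parse as anything. The recipient pubkey is real metadata, which is why the honest claim is "opaque wrappers" rather than "no metadata".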
Your controls
- Delete account: Profile → Delete Account. Wipes the Nostr key, Bluesky session, message store, trust graph, and linked accounts. Where hu-net has published data to public Nostr relays, we also publish a NIP-09 deletion request; whether the relay honours it depends on the relay.
- Revoke a linked account: Profile → Connected → tap the account → Remove.
- Disable location: iOS / Android Settings → hu-net → Location → Never.
- Change relays: Profile → Advanced → Relays.
- Export your key: Profile → Advanced → Export private key.
If you have iCloud Keychain or Android backup enabled at the OS level, the Keychain / Keystore entries hu-net stores may be backed up by Apple or Google according to their respective policies (a key that actually resides inside the Secure Enclave or StrongBox cannot be backed up; what gets copied is the Keychain item). These are device-wide settings rather than per-app ones: to opt out, disable iCloud Keychain / Google backup in OS Settings.
Children
hu-net is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child has used the app, please contact us and we will assist.
Changes to this policy
We will update this document when hu-net's data practices change. The "Last updated" date at the top reflects the most recent change. Material changes will be surfaced in-app on next launch.
Contact
Questions, concerns, or data requests: stu@theawesome.co.uk or GitHub Issues.