Privacy Policy

Your identity is known only to Candidfy.

Last updated: May 2026

This is the founding covenant. Your identity is never shared with message recipients, third parties, advertisers, or data brokers. This page describes how that commitment is implemented technically and operationally.

No ads. No data sales. No sharing with third parties for commercial purposes. Revenue comes only from users who pay for the service.


What we collect

We collect the minimum data required to operate the platform:

Account contact
Your email or phone number, used to verify your identity and deliver OTP codes. Stored encrypted (AES-256-GCM). Never stored in plaintext.
Message content
The raw message you write and the AI-rewritten version. The raw version is deleted immediately after AI processing. The rewrite is encrypted at rest and deleted 30 days after the recipient reads it.
Recipient contact
If you provide a recipient email or phone number, it is encrypted immediately on receipt and used only to deliver the PIN. Deleted after delivery confirmation.
Delivery logs
Basic delivery status (sent, delivered, opened). Pseudonymous only — no message content, no identity.
Session tokens
JWT access tokens (24-hour expiry) and refresh tokens (30-day expiry) to keep you logged in. Tokens are HMAC-signed and stored hashed.
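The "stored hashed" property for refresh tokens above means the server keeps only a digest of each token, so a copy of the session table is not a set of usable credentials. The following is an added illustration of that pattern, not Candidfy's code; the store layout, function names and the single-use rotation on redemption are assumptions made for the example (the 30-day expiry is the figure stated above).

```python
import hashlib
import secrets

# Constructed example: a refresh token is handed to the client as a random
# string, while the server records only its SHA-256 digest plus an expiry.
REFRESH_TTL_SECONDS = 30 * 24 * 3600   # 30-day refresh token lifetime


def _digest(token: str) -> str:
    """Digest stored server-side; the raw token never touches the database."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_refresh_token(store: dict, user_id: str, now: float) -> str:
    """Mint a token, persist only its digest and expiry, return the raw token to the client."""
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    store[_digest(token)] = {"user_id": user_id, "expires_at": now + REFRESH_TTL_SECONDS}
    return token


def redeem_refresh_token(store: dict, presented: str, now: float):
    """Return the user_id if the presented token is known and unexpired, else None.

    The lookup is keyed by the digest, so an attacker holding the table cannot
    present a stored value: it is the hash, not the token. Tokens are single
    use here (rotated on redemption), so a replayed token is rejected.
    """
    key = _digest(presented)
    record = store.pop(key, None)               # consume the token whether or not it is still valid
    if record is None:
        return None
    if now > record["expires_at"]:
        return None                             # expired: record already removed above
    return record["user_id"]


def store_contains_raw_token(store: dict, token: str) -> bool:
    """Audit helper: a dump of the store must never contain the raw token string."""
    return token in repr(store)
```

A successful redemption should be followed by issuing a fresh token so that a stolen refresh token is only ever good for one exchange; the example models that by removing the record on use.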

What we do not collect

Location data
Device fingerprints
Advertising identifiers
Behavioural analytics
Third-party tracking cookies
Payment card data
Recipient identity (no account required to read)
Raw message content (deleted after rewrite)

How your data is protected

Encryption at rest

All message content, recipient contacts, and user account data are encrypted using AES-256-GCM with a dedicated encryption key. Databases are encrypted at field level, not just at disk level.

Encryption in transit

All data in motion is transmitted over TLS 1.3. There is no unencrypted path between your browser, our servers, and our delivery partners.

Separated databases

Your identity (email/phone) and your messages live in entirely separate encrypted databases. They are never joined in production. A breach of one reveals nothing about the other.

Pseudonymous sender tokens

Messages in the database are associated with a pseudonymous HMAC-derived sender token — not your identity. The token cannot be reversed to reveal who you are without access to the identity database.
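The sender-token design described above rests on two things: the token is a keyed HMAC rather than a plain hash (so nobody who obtains the message database can confirm a guessed email by hashing it), and the key lives only with the identity database. The code below is an added example of that separation, written for this page and not taken from Candidfy's implementation; the class names, the in-memory stores and the contact normalisation rule are assumptions.

```python
import hashlib
import hmac
import secrets


def normalise_contact(contact: str) -> str:
    """Constructed normalisation rule so 'Alice@Example.com' and 'alice@example.com' share a token."""
    return contact.strip().lower()


def derive_sender_token(identity_key: bytes, contact: str) -> str:
    """Pseudonymous sender token: HMAC-SHA256 over the normalised contact.

    Only the identity service holds identity_key, so the message store cannot
    recompute or reverse the token on its own.
    """
    data = normalise_contact(contact).encode("utf-8")
    return hmac.new(identity_key, data, hashlib.sha256).hexdigest()


class IdentityService:
    """Stands in for the identity database together with its HMAC key (example only)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves this service
        self._by_token = {}                   # token -> contact (encrypted at rest on a real system)

    def register(self, contact: str) -> str:
        token = derive_sender_token(self._key, contact)
        self._by_token[token] = contact
        return token

    def resolve(self, token: str):
        """The one place a token can be turned back into an identity."""
        return self._by_token.get(token)


class MessageStore:
    """Stands in for the message database: it sees tokens and rewrites, never contacts."""

    def __init__(self):
        self.rows = []

    def store(self, sender_token: str, rewrite: str) -> None:
        self.rows.append({"sender_token": sender_token, "rewrite": rewrite})


def message_store_leaks_contact(store: MessageStore, contact: str) -> bool:
    """Audit check: a dump of the message store must contain neither the contact
    nor an unkeyed SHA-256 of it (which a guesser could compute offline)."""
    dump = repr(store.rows)
    unkeyed = hashlib.sha256(normalise_contact(contact).encode("utf-8")).hexdigest()
    return contact in dump or unkeyed in dump
```

The audit helper makes the design choice visible: if tokens were plain SHA-256 digests, anyone holding the message table could test candidate addresses against it; with a keyed HMAC that test requires the identity service's key, which is exactly the boundary the dual-key disclosure process is meant to guard.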

Dual-key identity disclosure

Linking a sender token to a real identity requires simultaneous authorisation from two independent Candidfy officers, and can only happen under a valid court order. No single person can identify a sender alone.

Deletion by design

Raw messages are deleted after AI processing. Rewrites are deleted 30 days after being read. We cannot disclose what no longer exists.


SMS messaging

If you provide a phone number, Candidfy uses it exclusively to deliver one-time PIN codes to message recipients, or OTP verification codes to account holders. We do not send marketing messages. Message and data rates may apply. Reply STOP to opt out. Reply HELP for assistance.


Service providers

We share data with the following service providers only to the extent required:

Twilio
SMS and WhatsApp PIN delivery. Contact data transmitted for delivery purposes only.
SendGrid
Email PIN and OTP delivery. Email address transmitted for delivery purposes only.
Anthropic
AI message rewriting. Message content processed but not retained by Anthropic per their data processing agreement.
Stripe
Payment processing for Pro subscriptions. Candidfy never sees or stores card data.
Railway / Vercel
Infrastructure hosting. Encrypted data at rest and in transit.
Cloudflare R2
Encrypted audit log storage. Immutable, append-only.

Law enforcement

Sender identity is disclosed only under a valid court order, following legal review, requiring dual-key authorisation from two independent officers, with a permanent audit record of every disclosure. We publish aggregate transparency reports every six months. See our Transparency page for the full protocol.


Your rights

Right of access
Request all data held about you. Response within 30 days.
Right to deletion
Request complete account and data deletion. Processed within 30 days.
Right to portability
Export all your data in JSON format.
Right to opt out of SMS
Reply STOP to any message, or email privacy@candid.app.
Right to block all Candidfy messages
Register at candid.app/optout — no account required.
Right to object
Object to any processing not required for service delivery.

Contact

Privacy questions or data requests: privacy@candid.app
Account deletion: support@candid.app