Tin-Can is built on a simple idea: we should not know more about you than we have to. The sections below expand on the asterisk from our home page, spell out a short policy in plain language, and then walk through what we store and why.
Zero data retention*
On the home page we say we aim to store the minimum. Here is the asterisk: in the app, identities are system-generated user and device IDs—not your real name, email, or phone. What another person sees is the display name and label you set yourself, and you can change those whenever you like.
Messages and keys are designed to exist on your devices, not in our long-term memory. Delivery needs a little temporary plumbing; after that, we are not in the business of building a history we do not need. Optionally you can give us an email for password recovery only—the app does not use or show that address for anything else. That is the spirit of “zero*.”
Privacy in brief
1. Data ownership
You own your data. It lives on your device. We do not keep a copy of your conversation content in order to “help” you later—we are not a vault of your past chats.
2. Transient transmission
When you send a message, it passes through our systems only for the duration of delivery. After the other side’s device has what it needs, the encrypted material is not something we need to keep sitting on disk or in RAM.
3. No metadata logging
We do not run analytics that track who talks to whom, when, or how often for marketing. We are not in the ad business, and we do not use your traffic patterns to profile you.
4. Encryption
Messages are encrypted on your device before they touch the network. We are not in a position to read your text even if we wanted to spin a story that we do.
How we treat your data
Email and username
You can sign in with an email or a username—your choice. We only keep that credential so you can log in securely. The only advantage to using email is the ability to reset a forgotten password. Neither your email nor your username appears inside the app as part of the messaging experience; they are for login authentication only.
User ID, device ID, display name, and device type
User ID and device ID are system-generated identifiers (they are not related to your Email or Username choice). We use them so devices can find each other and pass messages without tying everything to a piece of personal information you would rather keep private.
Display name is the friendly label other people see—it is whatever you want it to be, and you can change it whenever you like.
Device type starts as a simple, generic label so everyone has a little context about who is in the room (for example, which gadget is which). You can edit that label anytime, too, if you would rather call it “work phone” or “tablet” or "rabbit hole".
Camera and files
The camera is there for a few things that all happen when you are using the feature: scanning QR codes to connect or sync with another person or device, and taking a new photo to send. File access is only so you can pick something from your device to share. We do not browse your library in the background, we do not keep copies of camera frames, QR data, or files on our servers, and the app does not use the camera or your files for anything else. On the wire, what you send travels as part of the encrypted flow you expect from Tin-Can.
What we call “your data”
Everything in the detailed sections above is the full list of what we store, and we only keep it in the leanest form we need to make the app work. It is not for sale, not for ads, and not given to other companies. None of it is distributed outside Tin-Can. Ever. If we can run the service with less, we will.