Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains what information Umbr collects, how it's used, and what choices you have. Umbr is operated by Aaratus Inc., a Delaware corporation, with a registered address at 2093 Philadelphia Pike #1549, Claymont, DE 19703, USA.

1. What we collect

Hashed device identifier

When you first open Umbr, we generate a SHA-256 hash of your iPhone's Identifier-for-Vendor (a value Apple gives every app, scoped to that app and your device). We never see or store the raw IDFV — only the hash. This is how Umbr tells your shares apart from someone else's, without ever knowing who you are.

Encrypted content

When you share a photo or video, your iPhone encrypts it with a one-time AES-256 key before uploading. Half the key is stored on our servers; the other half lives only in the share URL and never touches our systems. Even with full access to our database, we cannot decrypt your content. We've designed it so that we couldn't read it even if we wanted to.

Share metadata

Each share has a small record we use to deliver it to recipients: a random 10-character token, when it was created, when it expires, how many times it can be opened, how many times it has been opened, an optional label you set, and the encrypted blob's location. None of this includes your identity.

IP addresses

When your device or a recipient talks to our servers, we briefly log the IP address for rate-limiting and abuse prevention. IPs are stored in short-lived rate-limit records (1–60 minutes) and in CloudWatch access logs (rotated within 14 days). We do not link IP addresses to your device identity.

Push tokens (optional)

If you turn on "Notify when viewed," we receive a Firebase Cloud Messaging token from Apple via Google's notification infrastructure. We use it only to send you a notification when your own shares are viewed. You can turn it off at any time in Settings; we'll discard the token.

Crash diagnostics (optional)

If you opt in, anonymized crash and performance reports are sent to Apple and Google's diagnostic services to help us fix bugs. These never include your content, your contacts, or anything that could identify you.

2. What we do not collect

• The contents of your photos or videos (we can't — see "Encrypted content" above)
• Your name, email, phone number, or any login credentials
• Your contacts, photo library metadata, or location
• Your browsing history outside Umbr
• Advertising identifiers (we don't use any ad SDKs)
• Analytics events linked to your identity

3. How we use what we collect

• To deliver shares: serve recipients the encrypted blob and metadata they need to open a link.
• To prevent abuse: rate-limit requests, block repeat offenders, accept reports, cooperate with law enforcement when legally required.
• To send notifications you opted in to: e.g., "your Umbr was viewed."
• To run the service: bill our cloud providers, monitor uptime, fix bugs.

4. Where data is stored

Umbr's servers are hosted on Amazon Web Services in the us-east-1 region (Northern Virginia, USA). If you're in the European Union, the United Kingdom, or another country with cross-border data transfer requirements, transfers are covered by the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) where applicable.

5. How long we keep data

• Default share lifetime: 1 hour to 6 months, set by the sender.
• Reported content: retained for 90 days after the report so we can review and, if applicable, comply with our reporting obligations under 18 U.S.C. § 2258A.
• Diagnostics & logs: rotated within 30 days.
• Push token records: until you disable notifications or delete your account, whichever comes first.

6. Third parties

• Amazon Web Services — hosting and storage for encrypted blobs and metadata.
• Apple — App Attest device verification, App Store distribution, push notification delivery (APNs).
• Google (Firebase) — push notification routing (FCM HTTP v1), crash diagnostics if opted in.

None of these companies receives the contents of your shares. We do not use advertising networks, analytics resellers, or data brokers.

7. Your choices and rights

• Delete your data anytime: open Umbr → Settings → Delete Account. This wipes every share you've created, every encrypted blob, your push token, and your device record from our servers.
• Turn off notifications: Settings → Notify when viewed.
• Revoke any share: open it from the Recent list and tap Revoke. The link stops working immediately and the encrypted blob is deleted.

If you're in the EU, UK, California, or another jurisdiction with privacy laws (GDPR, UK GDPR, CCPA/CPRA, etc.), you also have rights to access, correct, or delete personal data. Because Umbr collects so little, most of these are satisfied by Delete Account. For anything else, email contact@umbr.link and we'll respond within 30 days.

8. Children

Umbr is rated 17+ and is not directed at children under 17. We do not knowingly collect data from anyone under 17. If you believe a minor has used Umbr, contact us and we'll delete the associated records.

9. Security

End-to-end encryption is the foundation of Umbr's design. We also use Apple's App Attest to verify that requests come from genuine, unmodified copies of the Umbr app, and we apply rate limits, atomic database operations, and time-limited presigned URLs so that even valid tokens have very narrow windows of access.

That said, no system is perfectly secure. If we ever discover a security incident affecting user data, we'll notify affected users without undue delay, in compliance with applicable law.

10. Changes to this policy

If we make material changes, we'll post the updated policy here with a new "Last updated" date and, where significant, notify you in the app. Continued use of Umbr after a change means you accept the updated policy.

11. Contact

Questions, requests, or concerns: contact@umbr.link.

Aaratus Inc.
2093 Philadelphia Pike #1549
Claymont, DE 19703, USA