PRIVACY POLICY.

Last updated: 29 June 2026

This Privacy Policy explains how UNDERWORLD handles data through the UNDERWORLD website, mobile application, relay infrastructure, beta access forms, support channels, Silent Witness features, and Custom Verified Tunnels.

UNDERWORLD is designed around a restricted-security model: collect less, store less, expose less, and avoid cloud trust wherever possible.

This Policy explains what UNDERWORLD collects, what it does not collect, how data is handled, and what limits still apply.

  1. WHO WE ARE

Data controller:
UNDERWORLD TECHNOLOGIES SRL

Registered address:
Via del Fiordaliso 137, Perugia, Italia

General and privacy contact:
info@underworldmessenger.com

Corporate, legal, organization, and Custom Verified Tunnel inquiries:
corporate@underworldmessenger.com

  1. CORE PRIVACY PRINCIPLES

UNDERWORLD is designed around the following privacy principles:

No contact-list upload.
No cloud message backups.
No server-side message recovery.
No plaintext relay.
No notification previews by default.
No public social graph.
No online status or last-seen tracking.
No typing indicators.
No cloud identity recovery.
No unnecessary server-side storage of private communication.
No intentional access to message plaintext by UNDERWORLD infrastructure.

UNDERWORLD is built to reduce what the app, relay, cloud, network, and infrastructure can know about users.

  1. WHAT UNDERWORLD DOES NOT COLLECT

UNDERWORLD is designed not to collect or store the following:

Your private message plaintext.
Your private cryptographic keys.
Your full contact list.
Your address book.
Your cloud backups.
Your notification message previews.
Your typing status.
Your online status.
Your last-seen status.
Your private conversation history on UNDERWORLD servers.
Your device-bound cryptographic identity for cloud recovery.
Your Blackout Mode plaintext capsules.
Your Silent Witness plaintext evidence content.
Your private attachments in readable form.

UNDERWORLD cannot recover messages, restore lost cryptographic identity, or decrypt private conversations if the required local keys are lost.

This is intentional.

A recovery system powerful enough to restore private identity can also become a breach path, coercion target, or seizure path.

  1. DATA PROCESSED BY THE APP

Depending on how UNDERWORLD is used, the app may process the following data locally on the user’s device:

Cryptographic identity material.
Public identity material.
Contact-specific cryptographic state.
Encrypted conversation data.
Encrypted voice messages.
Encrypted attachments.
Local app settings.
App Lock configuration.
Duress PIN configuration.
Security status indicators.
Active alarm events.
Silent Witness preparation data.
Blackout Mode encrypted capsules.
Recipient verification material.
Custom Verified Tunnel configuration.
Local routing state.
Local relay state.
Attachment metadata before sanitization.
Attachment metadata after sanitization.

Most of this data is designed to remain on the user’s device and is not uploaded to UNDERWORLD for cloud recovery.

  1. LOCAL CRYPTOGRAPHIC IDENTITY

UNDERWORLD uses device-bound cryptographic identity.

Identity material is generated and stored locally on the device. UNDERWORLD does not provide cloud-based identity recovery for private keys.

If the user loses the device or deletes the local identity material, UNDERWORLD cannot restore the same cryptographic identity from the server.

This privacy design reduces centralized risk but also removes convenience recovery.

  1. MESSAGE CONTENT

UNDERWORLD messages are designed to be encrypted before transmission.

The relay should handle ciphertext only. UNDERWORLD infrastructure is not designed to read message plaintext.

Message content may exist in readable form only on the sender’s device before encryption and on the recipient’s device after decryption.

UNDERWORLD does not intentionally store readable message content on its relay infrastructure.

  1. RELAY DATA

UNDERWORLD relay infrastructure may process limited technical data required to deliver encrypted payloads.

This may include:

Encrypted message payloads.
Delivery queue information.
Mailbox or routing identifiers.
Timestamps required for delivery operation.
Technical health information.
Relay availability state.
Abuse-prevention or rate-limiting signals.
Error states required for secure operation.

The relay is designed as ciphertext transport, not as a trusted message server.

Relay data is intended to be minimized and retained only for as long as necessary for delivery, security, debugging, abuse prevention, or legal compliance.

  1. TOR, I2P, AND ANONYMITY-NETWORK ROUTING

UNDERWORLD is designed to route communication through anonymity networks such as Tor and I2P where supported.

These routing systems are intended to reduce direct network exposure between the user and UNDERWORLD relay infrastructure.

However, no anonymity network can guarantee absolute protection against every form of traffic correlation, network surveillance, or endpoint compromise.

UNDERWORLD reduces exposure; it does not promise invisibility.

  1. BLACKOUT MODE

Blackout Mode allows users to prepare encrypted offline message capsules when the internet is unavailable, blocked, or unsafe.

Blackout Mode capsules are prepared locally.

If a user transfers a capsule through QR, file transfer, Wi-Fi, Bluetooth, physical handoff, or another local carrier, the carrier may handle the encrypted capsule but should not receive plaintext content.

Users are responsible for controlling the physical or local transfer path.

  1. SILENT WITNESS

Silent Witness is UNDERWORLD’s protected evidence and reporting layer.

It is designed to help users prepare, sanitize, encrypt, verify, and route sensitive material toward trusted public-interest destinations or Custom Verified Tunnels.

Silent Witness may process the following locally:

Evidence notes.
Files.
Images.
Voice material.
Encrypted evidence capsules.
Attachment metadata.
Destination verification material.
Endpoint fingerprints.
Channel or tunnel configuration.
Safety warnings.
Routing requirements.

UNDERWORLD does not act as a publisher, media organization, legal authority, investigation unit, or recipient organization.

UNDERWORLD protects the source-side communication process but does not control what a receiving organization does after receiving material.

  1. CUSTOM VERIFIED TUNNELS

Custom Verified Tunnels allow organizations to define secure intake paths inside Silent Witness.

A Custom Verified Tunnel may include:

Receiving endpoint.
Organization identity material.
Public keys or fingerprints.
Routing policy.
Destination verification rules.
Evidence-handling instructions.
Attachment restrictions.
Safety warnings.
Fail-closed requirements.
Channel lock conditions.

If an organization operates or receives through a Custom Verified Tunnel, that organization may separately process submitted material according to its own privacy policy, legal obligations, and internal procedures.

UNDERWORLD is not responsible for destination-side processing unless UNDERWORLD itself operates that destination.

For organization or Custom Verified Tunnel inquiries, contact:
corporate@underworldmessenger.com

  1. ATTACHMENT SANITIZATION

UNDERWORLD may process attachments locally to reduce metadata exposure.

This may include detecting or reducing:

GPS metadata.
Device identifiers.
Author fields.
Embedded thumbnails.
File paths.
Application metadata.
Editing history.
Risky MIME mismatches.
Oversized payload abuse.
Path-traversal attempts.
Malformed attachment packets.
Dangerous attachment patterns.
Metadata deception.

Attachment sanitization reduces risk but cannot guarantee removal of every possible hidden identifier in every file format.

  1. ACTIVE ATTACK ALARMS

UNDERWORLD may generate security warnings when suspicious conditions are detected.

These may include:

Packet injection attempts.
Replay behavior.
Authentication-tag failure.
Malformed encrypted packets.
Duplicate encrypted messages.
Relay message forgery.
Sender-binding failures.
Identity substitution signals.
Routing downgrade attempts.
Dangerous attachment behavior.
Screen overlay attacks.
Obscured-touch conditions.

Security alarms are designed to protect users and may be stored locally as part of app security state.

UNDERWORLD does not need message plaintext to detect many of these conditions.

  1. WEBSITE DATA

When users visit the UNDERWORLD website, standard technical data may be processed by hosting providers, security tools, or server infrastructure.

This may include:

IP address.
Browser type.
Device type.
Operating system.
Pages visited.
Date and time of access.
Referrer information.
Security logs.
Error logs.
Basic analytics data, if enabled.

UNDERWORLD should avoid invasive tracking and unnecessary analytics.

If cookies, analytics tools, advertising pixels, embedded media, or third-party scripts are used, they should be disclosed clearly in this Policy and in any required cookie notice.

  1. BETA ACCESS, CONTACT, AND SUPPORT FORMS

If users submit a beta request, organization inquiry, investor inquiry, support request, or security report, UNDERWORLD may collect the information voluntarily provided.

This may include:

Name.
Email address.
Organization.
Role.
Country or region.
Reason for request.
Message content.
Technical issue details.
Security report details.
Device or app version information.
Attachments submitted by the user.

Users should not submit highly sensitive material through ordinary website forms or unencrypted email unless specifically instructed through a verified secure channel.

  1. SECURITY REPORTS

Security researchers may contact UNDERWORLD through:
info@underworldmessenger.com

Reports may include vulnerability details, technical logs, proof-of-concept information, reproduction steps, screenshots, or other material voluntarily provided by the reporter.

UNDERWORLD may retain security reports as needed to investigate, fix, document, and prevent vulnerabilities.

  1. PURPOSES OF PROCESSING

UNDERWORLD may process data for the following purposes:

Providing encrypted communication functionality.
Routing encrypted payloads.
Maintaining relay availability.
Operating Silent Witness and Custom Verified Tunnels.
Supporting Blackout Mode functionality.
Protecting users from suspicious security events.
Preventing abuse, spam, and attacks.
Responding to beta requests.
Responding to support inquiries.
Responding to security reports.
Improving reliability and security.
Complying with legal obligations.
Protecting the rights, safety, and integrity of users and the service.

  1. LEGAL BASES FOR PROCESSING

Where applicable under GDPR or similar privacy laws, UNDERWORLD may process personal data under the following legal bases:

Performance of a contract, when processing is necessary to provide requested services.
Legitimate interests, such as security, abuse prevention, service reliability, and responding to inquiries.
Consent, where users voluntarily submit information or where consent is legally required.
Legal obligation, when processing is necessary to comply with applicable law.

  1. DATA SHARING

UNDERWORLD does not sell users’ personal data.

UNDERWORLD may share limited data only where necessary with:

Hosting providers.
Infrastructure providers.
Security service providers.
Email or support service providers.
Legal, compliance, or professional advisors.
Receiving organizations configured through Custom Verified Tunnels, when the user intentionally sends material to them.
Authorities, only where legally required and validly requested.

UNDERWORLD cannot provide private message plaintext or private cryptographic keys that it does not possess.

  1. THIRD-PARTY DESTINATIONS

Silent Witness may identify public-interest reporting destinations or allow Custom Verified Tunnels for organizations.

When users choose to send material to an external organization, that organization may process the received data according to its own rules, privacy policy, legal obligations, and security practices.

Users should review the receiving organization’s terms and policies where available.

  1. DATA RETENTION

UNDERWORLD follows a data-minimization approach.

Local app data remains on the user’s device until the user deletes it, resets the app, triggers applicable security controls, or removes the app.

Relay data is intended to be retained only as long as necessary for encrypted delivery, security, abuse prevention, debugging, or legal compliance.

Beta requests, support messages, partnership inquiries, and security reports may be retained as long as necessary to respond, maintain records, improve security, and meet legal obligations.

Exact retention periods may depend on infrastructure configuration, legal requirements, and operational needs.

  1. INTERNATIONAL DATA TRANSFERS

UNDERWORLD infrastructure, hosting providers, support tools, or receiving organizations may be located in different countries.

Where applicable, international transfers will be handled using appropriate safeguards required by law, such as contractual protections, adequacy decisions, or other lawful transfer mechanisms.

Users should understand that anonymity-network routing may also involve infrastructure located in multiple jurisdictions.

  1. SECURITY MEASURES

UNDERWORLD uses technical and organizational measures designed to protect data, including:

End-to-end encryption.
Device-bound identity.
Local key storage.
Anonymity-network routing.
Fail-closed delivery behavior.
Ciphertext-only relay design.
No cloud message recovery.
No contact-list upload.
No notification previews.
Attachment sanitization.
Active attack alarms.
App Lock.
Duress PIN support.
Release hardening.
Anti-leak validation.
Debug and release separation.
Secure logging controls.

No system can guarantee absolute security. UNDERWORLD is designed to reduce exposure and minimize trust, but users must still protect their devices, verify contacts, and follow safe operational practices.

  1. USER RIGHTS

Depending on the user’s location, users may have rights to:

Access personal data.
Correct personal data.
Delete personal data.
Restrict processing.
Object to processing.
Request data portability.
Withdraw consent where processing is based on consent.
File a complaint with a data protection authority.

Some requests may be limited where UNDERWORLD does not possess the requested data, such as private message plaintext, private keys, local-only identity material, or data stored only on the user’s device.

To exercise privacy rights, contact:
info@underworldmessenger.com

  1. CHILDREN

UNDERWORLD is not intended for children.

Users must meet the minimum age required by applicable law to use the service.

UNDERWORLD does not knowingly collect personal data from children.

  1. LAWFUL USE

UNDERWORLD is intended for lawful secure communication, journalism, human-rights work, legal support, public-interest reporting, diplomatic reporting, security incident reporting, and protection of sensitive communication.

UNDERWORLD is not designed for criminal coordination, threats, extortion, trafficking, terrorism, illegal markets, or harmful activity.

UNDERWORLD may take action to protect the service, users, partners, and the public from abuse.

  1. COMPROMISED DEVICES AND USER RESPONSIBILITY

UNDERWORLD cannot fully protect a device that is already compromised by advanced malware, spyware, hostile operating-system control, malicious firmware, compromised keyboards, hostile accessibility services, or external screen recording.

Users are responsible for maintaining device security, using strong device locks, avoiding untrusted software, verifying sensitive contacts, protecting local identity, and treating security warnings seriously.

  1. CHANGES TO THIS POLICY

UNDERWORLD may update this Privacy Policy as the service evolves.

When changes are made, the “Last updated” date will be revised.

Material changes may be communicated through the website, app, or other appropriate channels.

  1. CONTACT

For privacy questions:
info@underworldmessenger.com

For security reports:
info@underworldmessenger.com

For organization or Custom Verified Tunnel inquiries:
corporate@underworldmessenger.com

For legal and corporate inquiries:
corporate@underworldmessenger.com

UNDERWORLD’s privacy model is simple:

Collect less.
Store less.
Expose less.
Trust less.

Private communication should not depend on a cloud recovery system, a trusted relay, or unnecessary metadata collection.

That is the foundation of UNDERWORLD.