Privacy Policy — Recto Phone
Last updated: 2026-05-18
Recto Phone is a public open-source application (Apache 2.0) that serves as an operator-phone-as-root-of-trust authenticator. This policy describes how data is handled by the Recto Phone app.
What data Recto Phone collects
Recto Phone collects no personally identifying information. Specifically:
- No name, email, or phone number is required to use the app.
- No analytics or telemetry is sent to any server controlled by the Recto Phone developers or any third party.
- No advertising identifiers are accessed.
- No third-party software development kits that collect user data are integrated into the app.
What data Recto Phone stores on your device
Recto Phone stores the following data locally on your device only:
- A cryptographic keypair (one per paired service). The private key is stored in your device’s Secure Enclave (iOS) or StrongBox keystore (Android). The private key never leaves your device and is never transmitted to any server, including the Recto developers.
- The URLs of bootloaders you have paired with.
- Per-pairing metadata required for signing operations (paired service identifier, public-facing branding the service supplied during pairing, the agent identities authorized to send you requests through that pairing).
- A local history of signing requests you have approved or denied (for your reference; never transmitted off-device).
You may delete any pairing at any time from within the app. Deleting a pairing destroys the associated keypair locally; the deletion is irreversible.
What data Recto Phone transmits
When you approve a signing request, Recto Phone transmits the following to the bootloader you paired with:
- A cryptographic signature over the request payload, signed by the private key stored in your device’s secure hardware.
- The pairing identifier (so the bootloader knows which paired device sent the response).
Recto Phone transmits nothing else. No analytics. No usage statistics. No location. No device-fingerprinting beacons.
The bootloader you paired with is operated by the service you chose to pair with, not by the Recto developers. The bootloader operator’s privacy policy governs what they do with the signed response after they receive it.
Biometric authentication
To approve a signing request, Recto Phone prompts you for biometric authentication (Face ID / Touch ID / fingerprint). This biometric verification is performed locally on your device by the operating system. Your biometric data never leaves your device. Recto Phone does not access, store, or transmit any biometric information.
Push notifications
Recto Phone can receive remote push notifications (Apple Push Notification service for iOS, Firebase Cloud Messaging for Android) to wake the app when a paired service sends you a new signing request. The notification payload contains only a wake-up signal — no signing request details are included in the push payload itself.
For Apple Push Notification service: an APNs device token is generated by iOS and shared with the paired bootloader, so the bootloader can address future requests to your device.
For Firebase Cloud Messaging (Android): an FCM token serves the same function as the APNs device token on iOS. Firebase Cloud Messaging is a Google service; Google’s privacy policy applies to the token-issuance step. The token itself contains no personally identifying information.
Open source
Recto Phone is open source under the Apache 2.0 license. The exact code running in the version you have installed is published at github.com/erikcheatham/Recto. You are welcome to audit any aspect of the data handling described in this policy.
Children’s privacy
Recto Phone is not directed at children under 13. The app collects no personally identifying information from anyone, so no special COPPA-related collection occurs.
Changes to this policy
If this policy is updated, the “Last updated” date at the top will be revised. Material changes will be announced via the GitHub repository’s CHANGELOG.md.
Contact
Privacy questions: open an issue at github.com/erikcheatham/Recto/issues.