Skip to the content.

Privacy Policy — Recto Phone

Last updated: 2026-05-18

Recto Phone is a public open-source application (Apache 2.0) that serves as an operator-phone-as-root-of-trust authenticator. This policy describes how data is handled by the Recto Phone app.


What data Recto Phone collects

Recto Phone collects no personally identifying information. Specifically:


What data Recto Phone stores on your device

Recto Phone stores the following data locally on your device only:

You may delete any pairing at any time from within the app. Deleting a pairing destroys the associated keypair locally; the deletion is irreversible.


What data Recto Phone transmits

When you approve a signing request, Recto Phone transmits the following to the bootloader you paired with:

Recto Phone transmits nothing else. No analytics. No usage statistics. No location. No device-fingerprinting beacons.

The bootloader you paired with is operated by the service you chose to pair with, not by the Recto developers. The bootloader operator’s privacy policy governs what they do with the signed response after they receive it.


Biometric authentication

To approve a signing request, Recto Phone prompts you for biometric authentication (Face ID / Touch ID / fingerprint). This biometric verification is performed locally on your device by the operating system. Your biometric data never leaves your device. Recto Phone does not access, store, or transmit any biometric information.


Push notifications

Recto Phone can receive remote push notifications (Apple Push Notification service for iOS, Firebase Cloud Messaging for Android) to wake the app when a paired service sends you a new signing request. The notification payload contains only a wake-up signal — no signing request details are included in the push payload itself.

For Apple Push Notification service: an APNs device token is generated by iOS and shared with the paired bootloader, so the bootloader can address future requests to your device.

For Firebase Cloud Messaging (Android): an FCM token serves the same function as the APNs device token on iOS. Firebase Cloud Messaging is a Google service; Google’s privacy policy applies to the token-issuance step. The token itself contains no personally identifying information.


Open source

Recto Phone is open source under the Apache 2.0 license. The exact code running in the version you have installed is published at github.com/erikcheatham/Recto. You are welcome to audit any aspect of the data handling described in this policy.


Children’s privacy

Recto Phone is not directed at children under 13. The app collects no personally identifying information from anyone, so no special COPPA-related collection occurs.


Changes to this policy

If this policy is updated, the “Last updated” date at the top will be revised. Material changes will be announced via the GitHub repository’s CHANGELOG.md.


Contact

Privacy questions: open an issue at github.com/erikcheatham/Recto/issues.