Privacy Policy

When you use the Service, we collect the following:

• Account information from Apple Sign In. When you sign in with your Apple ID, Apple provides us with your name and email address (which may be a private relay address if you choose Hide My Email). Apple also provides a stable user identifier we use to recognize your account.
• Profile information. Your display name and optional profile picture. You can change either at any time in the app.
• Availability and activity. When you mark yourself available, we store the activity type you chose (e.g. commuting, relaxing, or a custom label), the duration, and the time the window ends.
• Friend graph. The list of people you’re connected to, and pending invites you’ve sent or received.
• Call signaling records. Records of which call rooms you participated in and when you joined or left, used to place and end calls. Call audio itself is described in the next section.
• Device push tokens. The push notification tokens that Apple assigns to each of your devices (a standard APNs token and a PushKit VoIP token), so we can wake your device for incoming calls and other notifications.
• External-call status. A simple boolean indicating whether your device is currently on any phone, FaceTime, or third-party VoIP call, so we don’t interrupt you with a new call invitation. We do not learn which app the call is on.
• Product analytics. Through PostHog (described under sub-processors below), the iOS app records aggregated, bucketed product-usage events such as “availability created” or “call joined.” We use this data solely for product improvement, reliability monitoring, and understanding feature usage. We do not capture call audio, contact lists, or message content. We do not use analytics for advertising, and we do not sell analytics data to third parties.

Voice calls are transmitted through LiveKit’s globally-distributed media infrastructure and relayed in real time between participants. Your microphone audio is captured by your device, sent to LiveKit, and forwarded to the other participant.

We do not record your calls. We do not transcribe your calls. We do not store your call audio anywhere on our servers or sub-processors.Once a call ends, no audio data remains.

• We do not record or transcribe calls.
• We do not access your contacts or address book.
• We do not collect your location.
• We do not access your calendar.
• We do not access health or fitness data.
• We do not collect payment information.
• We do not use third-party advertising SDKs or tracking pixels.
• We do not fingerprint your device beyond what your operating system already does.

• To authenticate you and keep your account secure.
• To display your name and profile picture to friends you’re connected to.
• To deliver push notifications, including incoming-call wake-ups.
• To place voice calls and notify the other party.
• To improve the Service through aggregated product analytics.
• To comply with applicable laws and respond to lawful requests.

Other users on Telephone see only the information you choose to share with them:

• Your friends see your name and profile picture.
• Your friends see when you mark yourself available and the activity you chose.
• Your friends see when you are currently on a call, so they know not to interrupt you. If the call is with another mutual friend, that person also appears in their view of the active call.

That’s it. We do not sell your personal information. We do not share it with advertisers.

We rely on the following sub-processors to operate the Service. Each handles a specific piece of infrastructure and is bound by their own privacy and security commitments:

• Vercel (United States) — application hosting. Runtime request logs are retained for up to 24 hours.
• Neon (AWS US West 2, Oregon) — managed Postgres database. Stores your account, profile, availability, friend graph, and call signaling records.
• Cloudflare R2 (Western North America region) — stores profile pictures. Image URLs are randomly generated and not enumerable; profile pictures may be accessible to anyone who possesses the specific image URL.
• LiveKit Cloud (United States company, global edge network) — routes real-time call audio. Call media passes through LiveKit but is never recorded or stored.
• PostHog (United States, us.i.posthog.com) — product analytics events generated by the iOS app.
• Apple — Sign in with Apple, the Apple Push Notification service (APNs), and the PushKit VoIP push service.

• Account and profile. Retained while your account is active.
• Device push tokens. Retained until invalidated by Apple or until your device unregisters. Failed tokens are removed automatically.
• Refresh tokens. Stored hashed and rotated when used. Old tokens are revoked.
• Call signaling records. Retained while your account is active and deleted when your account is deleted, except where retention is required for security, fraud prevention, or legal compliance.
• Server logs. Up to 24 hours by default on Vercel.
• Analytics events. Retained by PostHog according to their default retention.

You may request deletion of your account at any time through our Support page. We will confirm receipt and complete the deletion within 30 days.

When we delete your account, we delete or anonymize the personal information associated with it, except where retention is required for security, fraud prevention, legal compliance, or legitimate operational purposes. Deleted accounts cannot be restored.

An in-app account deletion option is in development.

You can change your name or profile picture at any time in the iOS app’s settings. You can revoke notification permissions in iOS Settings › Notifications. You can revoke microphone permission in iOS Settings › Privacy › Microphone (the Service will not be able to place calls without it).

If you are located in the European Economic Area, United Kingdom, or another jurisdiction with similar laws, you may have additional rights including the right to access, correct, or restrict processing of your personal data. To exercise any of these rights, contact us through our Support page.

If you are a California resident, the California Consumer Privacy Act (“CCPA”) gives you certain rights regarding your personal information, including the right to know what categories of personal information we collect, the right to request access to that information, and the right to request deletion, subject to applicable legal exceptions. To exercise these rights, contact us through our Support page. We do not sell your personal information.

Telephone is operated from the United States. The information we collect is processed and stored on infrastructure located primarily in the United States, and routed through globally-distributed edge servers (in the case of real-time call audio). By using the Service from outside the United States, you consent to this transfer.

Telephone is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can delete it.

We use HTTPS for all data in transit. Account data is stored in an encrypted-at-rest managed Postgres database. Authentication uses short-lived JSON Web Tokens with refresh-token rotation. We follow standard practices to protect your data, though no system is perfectly secure.

We may update this Privacy Policy from time to time. When we do, we’ll update the “Last updated” date at the top of this page. Material changes will be communicated through the app.

Questions about this policy or your data? Reach us through our Support page.