Kacti

Privacy Policy

Last updated: May 13, 2026

1. Introduction

Welcome to Kacti ("we," "our," or "us"). Kacti is a local-first social mesh networking app. We designed it to minimize how much of your data ever leaves your device. This Privacy Policy explains what data exists, where it lives, and what control you have over it.

2. Information We Collect

Kacti is built on a local-first architecture — most of your data stays on your device and is never sent to our servers.

Stored locally on your device (Hive database):

Transmitted via Nostr relays (public, decentralized infrastructure we do not control):

Stored on our server (Firebase/Firestore):

We do not maintain user accounts, email addresses, or a central user database. We do not store your precise location on any server.

3. Location Data

Kacti accesses your device location to power the radar map and to anchor user-placed pins, beacons, announcements, and event overlays near you.

What we access (Android permissions):

What we do NOT access:

When we access your location:

How we use your location:

How we transmit / store your location:

How to revoke location access:

Revoking location will disable the radar map and prevent you from dropping geo-anchored pins, but the rest of the app continues to work.

4. How We Use Your Information

We do not sell, rent, or share your personal information with third parties for marketing purposes.

5. Encryption

Direct messages between two users are encrypted end-to-end using X25519 key exchange and AES-256-GCM authenticated encryption. Only you and the recipient can read DM content — we cannot decrypt it, and neither can the Nostr relays that carry the messages.

Your encryption keys are stored in your device's secure enclave (iOS Keychain / Android Keystore).

Limitations: Community broadcasts and Oasis presence data are not end-to-end encrypted, as they are intended to be visible to nearby users. Messages stored on your device (in the local Hive database) are not encrypted at rest — your device's own lock screen is the primary protection for local data.

6. Data Security

Because Kacti is local-first, your primary line of defense is your own device security (passcode, Face ID, etc.). Here is what we do:

7. Third-Party Services

We do not use Google Cloud AR services, Google Analytics, or any third-party advertising or tracking SDKs.

8. Your Rights & Data Deletion

You control most of your data directly:

Limitations on deletion:

If you have questions about your data, contact us at privacy@kacti.io and we will do our best to help within the limits of our decentralized architecture.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of any material changes by updating the "Last updated" date above.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@kacti.io.