Trust Center
Transparency is non-negotiable. Here's exactly how we handle your data and what we commit to.
Our Non-Negotiable Principles
These commitments guide every decision we make.
Metadata-Only, Always
We never inspect message content, browsing history, keystrokes, or any sensitive data. Only behavioral metadata.
No TLS Interception
We will never perform man-in-the-middle attacks on encrypted traffic. Your HTTPS stays secure.
Local-First Storage
All data lives on your device by default. Cloud backup requires explicit opt-in.
User-Controlled Exports
You decide what data to export and when. Sanitized exports remove personal identifiers.
Transparent About Limits
We clearly communicate what Android allows and what it doesn't. No overselling capabilities.
Data Storage Policy
Crystal clear about what we collect and what we don't.
What We NEVER Store
Message Content
Example: SMS, WhatsApp, Signal messages
Browsing Content
Example: Web page HTML, form data, search queries
Keystrokes
Example: Passwords, credit cards, personal notes
Screen Contents
Example: Screenshots, OCR data, visible text
Decrypted Traffic
Example: HTTPS response bodies, API payloads
What We DO Store (Metadata Only)
Network Metadata
Example: Destination IP, port, request count, timing
Permission Events
Example: When apps request camera, location, etc.
App Metadata
Example: Package name, version, install source
Behavioral Patterns
Example: Background activity frequency, wake locks
Data Retention & Purge Controls
You control how long data lives and can purge it anytime.
Retention Policies
Baseline Data
Rolling 30-day window by default. Older data is automatically aged out. You can extend to 90 days or shorten to 7 days in settings.
Incident Logs
Kept for 90 days by default. You can manually delete specific incidents or bulk-delete all older than X days.
Cloud Backups (Optional)
If you enable cloud sync, encrypted baselines are retained until you explicitly delete them or cancel your account. You can purge cloud data independently of local data.
Complete Purge
Privacy Center includes a "Delete All My Data" button that wipes everything: local database, cloud backups, and anonymized analytics IDs. Irreversible.
Sanitized Export Philosophy
Export your data for analysis without leaking personal identifiers.
How Exports Work
When you export data from Kekkai, we automatically sanitize it to remove personally identifiable information while preserving the security-relevant patterns.
What Gets Removed:
- Device serial numbers and hardware IDs
- Google account email addresses
- Specific IP addresses (replaced with subnet masks)
- Exact timestamps (bucketed to hourly ranges)
What Gets Preserved:
- App package names and versions
- Behavioral patterns and drift scores
- Domain categories (not full domains)
- Statistical summaries of network activity
Exports are JSON files that can be analyzed with standard tools. You can share these with security researchers without revealing your identity.
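One way the removals listed above could be applied to a decoded JSON export, as an added example that is not Kekkai's own code. The field names (device_serial, hardware_id, account_email, dest_ip, timestamp) and the /24 and /48 prefix lengths are assumptions, since the page does not publish the export schema, and "replaced with subnet masks" is read here as truncation to the containing network.

```python
import ipaddress
from datetime import datetime, timezone

# Hypothetical field names; the page does not publish the export schema.
DROP_FIELDS = {"device_serial", "hardware_id", "account_email"}
V4_PREFIX, V6_PREFIX = 24, 48  # assumed prefix lengths, not stated on the page


def mask_ip(value):
    """Replace a host address with the network that contains it."""
    addr = ipaddress.ip_address(value)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def bucket_hour(value):
    """Truncate an ISO 8601 timestamp to the start of its UTC hour."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    ts = ts.astimezone(timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def sanitize(node):
    """Walk a decoded JSON value and return a sanitized copy."""
    if isinstance(node, list):
        return [sanitize(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in DROP_FIELDS:
            continue  # identifiers are dropped, not hashed
        if key == "dest_ip":
            out["dest_subnet"] = mask_ip(value)
        elif key == "timestamp":
            out["hour_bucket"] = bucket_hour(value)
        else:
            out[key] = sanitize(value)
    return out


# Constructed sample record, not real export data.
SAMPLE = {
    "device_serial": "EXAMPLE-SERIAL",
    "account_email": "user@example.com",
    "package": "com.example.app",
    "events": [{"dest_ip": "203.0.113.77", "port": 443,
                "timestamp": "2024-05-01T13:47:12+02:00"}],
}
```

Key-based filtering only catches identifiers stored under known field names; an identifier embedded inside a free-text value would pass through, so anyone reviewing an export before sharing it should also search the values.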
What We Won't Build
Clarity on what Kekkai will never do.
Remote VPN Servers
Kekkai's VPN is entirely local. We will never route your traffic through our servers or offer exit nodes in other countries. That's a different product category with different privacy implications.
TLS Man-in-the-Middle
We will never install a root certificate to intercept HTTPS traffic. Content inspection is fundamentally incompatible with our metadata-only commitment.
Cloud-Based Threat Intelligence
Some security apps send hashes of every app you install to cloud servers for reputation lookups. We don't do this. All analysis is local unless you explicitly opt into optional cloud features.
Frequently Asked Questions
Common questions about privacy, security, and functionality.