1. Purpose and Scope

This Privacy Policy describes how Naloku LLC handles information in connection with the Kōkua Messaging application. The App is a privacy-first messaging application that operates primarily over peer-to-peer wireless transports between users' devices, with optional internet-based delivery paths. The App is designed so that user messages, contacts, and cryptographic keys are stored only on end-user devices and, where feasible, never transit infrastructure controlled by Naloku LLC.

This Policy applies to the App as distributed by Naloku LLC on the Apple App Store, the Google Play Store, and the F-Droid free and open-source software repository; to the optional ephemeral internet relay service operated by or on behalf of Naloku LLC (the "Relay"); to the optional public-channel directory described in Section 3.7; to the on-device subsystems described in Sections 3.2, 3.5, 3.6, and 3.8; and to direct communications between users and Naloku LLC.

This Policy does not apply to messages, contacts, or metadata stored on users' own devices; to operating-system-level services (the Apple Push Notification service, Google Firebase Cloud Messaging, mobile-OS system logs, iCloud and Google backups), each governed by their respective operators' privacy practices; to third-party networks the App may optionally interoperate with in future versions (such public-tier transports are not operational in the App's first release); or to any other software or service not distributed by Naloku LLC.

2. Framing: What This Policy Does and Does Not Promise

Naloku LLC makes no representation that use of the App, or of any communications network, is without risk. Wireless communication is inherently observable. Physical possession of a device by a third party is inherently adversarial to on-device privacy. Laws and legal processes vary by jurisdiction. The commitments in this Policy apply only to information handled by Naloku LLC itself and are conditioned on the technical architecture described below operating as designed.

Where this Policy uses the word "we" it refers to Naloku LLC. Where it uses the words "your device" it refers to the end-user mobile device on which the App is installed.

This Policy distinguishes four categories of data and the rules that apply to each:

  • (i) Message and content data — messages, contacts, cryptographic keys, conversation history, profile pictures, group memberships, voice-call audio, photos, files, link previews, and similar user-generated content. This category never transits Naloku LLC infrastructure and never leaves your device, except as you voluntarily direct (for example, by sending a message that the recipient's device receives).
  • (ii) Federated-learning updates — small differentially-private mathematical updates that some on-device learning subsystems exchange with nearby Kōkua devices over the App's private peer-to-peer transports. These never travel to a Naloku LLC server and never travel to any third-party server. See Section 3.8.
  • (iii) Aggregate advertising metrics — schema-locked, aggregate-only telemetry the App may transmit to a Naloku LLC relay endpoint when the advertising layer is active. This telemetry contains no user, contact, or message identifiers. See Section 3.8(c).
  • (iv) On-device coarse-location approximation ("Geographic Routing") — a region-scale value the App may compute on-device with your permission. The value never leaves your device. See Section 3.2.

3. Categories of Information

3.1 Information We Do Not Collect

By architectural design, Naloku LLC does not collect, receive, store, or have the technical ability to access the following:

  • (a) the plaintext content of any user-to-user message, voice call, group message, community-channel message, or file attachment;
  • (b) your Kōkua identity public key, private key, or any key material derived therefrom;
  • (c) your contacts, contact requests, group memberships, conversation history, or trust attestations (cryptographic statements that one user vouches for another);
  • (d) on-device records of which other Kōkua devices your device has encountered, on-device machine-learning model weights, and on-device availability profiles (the Geographic Routing value described in Section 3.2 is a separate category — see that section);
  • (e) call records, including participants, duration, direction, or outcome;
  • (f) your display name, profile picture, or Kōkua Network identifier, except to the limited extent any such value is voluntarily submitted through a support channel.

No account, telephone number, email address, or other persistent identifier is required to use the App, and Naloku LLC does not maintain any user-account database.

3.2 On-Device Geographic Routing — Used On-Device Only

Where you grant the operating system's approximate-location permission to the App, the App computes a coarse, region-scale approximation of your location on your device, and uses that value on-device to improve message routing, transport selection, and (where the advertising layer is active) on-device ad-relevance decisioning. The Geographic Routing value never leaves your device. Naloku LLC does not receive it. Our advertising partners do not receive it. No federated-learning update, aggregate-metrics beacon, or other off-device data path includes it. This commitment is enforced architecturally and by build-time gates.

You control Geographic Routing through two independent mechanisms: revoking the operating-system location permission for the App, and disabling Geographic Routing in the App's privacy settings. The on-device value is wiped by Emergency Erase and by the "Clear all learned data" control described in Section 5(c).

3.3 Information Handled by the Relay

The Relay is an optional internet-based service operated by Naloku LLC. The Relay performs two functions, described below.

Envelope routing. When you have the Relay enabled and a message cannot be delivered over a local transport, the App may transmit a sealed, end-to-end-encrypted envelope to the Relay for onward delivery. With respect to such envelopes, the Relay holds the envelope in volatile memory only, for a maximum of approximately thirty (30) minutes or until delivery, whichever is earlier, and never writes such envelopes to persistent storage. The Relay cannot decrypt the envelope or determine the identity of the sender (sealed-sender construction). The Relay observes a recipient identifier sufficient to route the envelope, the approximate size of the envelope, and the time at which the envelope is received and released. The Relay does not log the internet-protocol ("IP") address associated with envelope deposits or retrievals beyond the immediate request handling, and does not maintain per-user or per-recipient metadata databases. If the Apple Push Notification service or Google Firebase Cloud Messaging is used to wake a recipient's device, the Relay transmits only a minimal wake signal containing no message content and no sender identity.

Anonymous policy distribution. The App periodically fetches a small set of signed policy artifacts from the Relay (for example, an advertising blocklist and the consent-string format required by your region). These fetches are stateless from the Relay's perspective: every device that requests a given artifact receives the same response, no per-user or per-device identifier is required, and the Relay does not retain the connection IP address beyond the immediate request handling.

3.4 Direct Communications

If you contact Naloku LLC directly (for example, by emailing privacy@naloku.com), Naloku LLC will process the communication, any contact details you voluntarily provide, and any attachments you include, solely to respond to your request. Such communications are handled separately from the App and are not linked to any on-device data.

3.5 Advertising in Kōkua

The free tier of the App displays banner advertisements supplied by third-party advertising partners. Advertisements appear on conversation-adjacent surfaces only — settings, profile, archive, contact picker, empty states, and search results, plus the GIF search surface — and never inside chat threads, on call screens, in the compose area, in push notifications, or on read-receipt or typing-indicator surfaces. Advertisements are never full-screen.

Our advertising integration is configured in a non-personalized mode across every partner. We do not request the iOS Identifier for Advertisers, we do not read the Android Advertising ID, we do not enable behavioral profiling, cross-app tracking, audience signals, or conversion tracking, we do not pass user identifiers or device-stable identifiers to any partner, and we do not pass any signal derived from your communications, contacts, or Geographic Routing value to any partner. Advertisements are selected based on application context and the surface on which the advertisement appears, not on a profile of you. We do not use a third-party mediation SDK and we do not integrate any third-party attribution SDK.

When an advertisement is served, the partner from whom the advertisement is fetched necessarily observes the IP address of the device or its network's gateway, the device model, the operating-system version, the application version, and the locale, together with the impression and click events for advertisements served in your session. We do not pass any additional identifiers, behavioral information, or content of your communications to any partner beyond what is described here.

The current list of advertising partners is published inside the App at Settings → Privacy → Advertising partners and is updated as our partners change. Each partner's own privacy practices are described in that partner's published privacy policy.

When you subscribe to Kōkua Premium, advertisements are removed from the App entirely on the device on which the entitlement is active. Premium subscriptions are processed through Apple's App Store or Google's Play Store; Naloku LLC does not directly handle subscription payment information.

In jurisdictions that require user consent before serving advertisements (including but not limited to the European Union under the General Data Protection Regulation, the European Economic Area, the United Kingdom, and California under the California Consumer Privacy Act and California Privacy Rights Act), the App presents a consent flow before advertisements are served. You may withdraw consent at any time through Settings → Privacy.

The F-Droid build of the App is a separate build flavor configured at build time to exclude all advertising functionality and the in-App purchase implementation. Users who install from F-Droid see no advertisements.

3.6 On-Device Ad Decisioning

The App uses an on-device system to decide when, where, and how often to show advertisements within the surfaces described in Section 3.5. The signals it uses (including the screen you are currently viewing, the time of day, the duration of the current session, your past in-App ad interactions, and similar local context) never leave your device. Naloku LLC does not receive them; advertising partners do not receive them; no third party receives them. This system's local state is wiped by Emergency Erase and by the "Clear all learned data" control described in Section 5(c).

3.7 Public-Channel Directory (Optional)

The App supports community channels. Private channels remain end-to-end encrypted and are joined only by QR code or invitation; private channels do not appear in any directory and no metadata about them is shared with the Relay.

Public channels operate under different rules:

  • (a) Public-channel messages are not end-to-end encrypted in the same manner as private messages. Because anyone may join a public channel, message content is observable by every member of the channel. The end-to-end-encryption guarantees described elsewhere in this Policy apply to one-to-one messages, group messages, voice calls, and private-channel messages, and do not extend to public-channel messages.
  • (b) The creator of a public channel may opt in to listing the channel in a directory operated by the Relay. When the creator opts in, the following information is shared with the Relay: the channel identifier, the channel name and description, an aggregate member count, and the creator's identity public key together with the creator's signature over the listing. The creator may revoke the listing at any time, after which the Relay removes the directory entry.

Message content of public-channel messages does not leave member devices regardless of whether the creator has opted in to the directory.

3.8 Peer-to-Peer Learned Signals and Aggregate Metrics

The App includes on-device learning subsystems that improve message routing, transport selection, and (where the advertising layer is active) ad relevance over time. These subsystems share differentially-private aggregate updates with other Kōkua devices that you encounter through the App's private peer-to-peer transports, never with Naloku LLC servers and never with any third party. Strong mathematical noise is applied locally to every update before it leaves your device, in such a way that the contributions of any single user cannot be recovered from the resulting aggregate.

  • (a) Transport-learning updates. The App's mesh-routing and delivery-intelligence subsystems exchange differentially-private updates with nearby Kōkua devices to improve delivery success across the network. You can adjust your participation in this exchange in Settings → Kōkua Sense → Federated learning, including a setting that opts you out of contributing entirely. Setting this to off does not affect message delivery; the App falls back to its baseline routing logic.
  • (b) Ad-relevance updates. Where the advertising layer is active, the App's on-device ad-decisioning system (Section 3.6) participates in differentially-private update exchange with nearby Kōkua devices, on the same privacy-preserving terms described above. This workload is active only while the advertising layer is active. Subscribing to Kōkua Premium removes the advertising layer entirely, which also ends this workload on your device. F-Droid users do not see ads (Section 3.5) and accordingly do not run this workload.
  • (c) Aggregate ad-metrics beacon. Where the advertising layer is active, the App periodically transmits a schema-locked aggregate-metrics beacon to a Naloku LLC relay endpoint to support the operation and billing of the advertising layer. The beacon contains only aggregate fields (such as country code, surface, fill status, and broad price band) and the application version. The beacon contains no user, contact, message, or advertising identifier. The Relay does not retain the connection IP address beyond the immediate request handling. Beacons are batched on-device, transmitted at a low frequency, and the local buffer is wiped on Emergency Erase before flush.

3.9 Application Telemetry

Beyond the data flows described above — Section 3.3 (Relay envelope routing and policy distribution), Section 3.5 (advertising-partner observability), Section 3.7 (public-channel directory metadata), and Section 3.8 (peer-to-peer learned signals and the aggregate ad-metrics beacon) — the App does not transmit analytics, crash telemetry, feature-usage metrics, or advertising identifiers to Naloku LLC or to any third party. No additional telemetry channel exists.

4. Conditions Required for the Commitments in This Policy to Hold

The commitments in Sections 3 and 5 are conditioned on each of the following. If any such condition is not satisfied, specific commitments may be weakened or vitiated, and Naloku LLC makes no representation to the contrary:

  • (a) your device has not been physically seized, compromised, or accessed by an unauthorized party, and you have not disclosed your device passcode or biometric credentials to any such party;
  • (b) you have not affirmatively enabled iCloud, Google, or comparable third-party backup of App data; the App attempts to exclude its data container from such backups, but backup behavior is ultimately controlled by the operating system;
  • (c) you have not jailbroken, rooted, or otherwise modified your device, and have not installed third-party software that may bypass operating-system sandbox protections, secure-element key-storage protections, or system keychain access controls;
  • (d) the Apple Push Notification service, Google Firebase Cloud Messaging, the Apple CoreBluetooth and equivalent Android Bluetooth Low Energy frameworks, and other operating-system-provided frameworks operate in accordance with their published specifications;
  • (e) where the Relay is used, the Relay software operates as distributed and has not been modified by any party, including Naloku LLC, to log, retain, or forward information beyond what is described in Sections 3.3 and 3.7 (see Section 9 regarding compelled modifications);
  • (f) you have not affirmatively enabled any opt-in public-tier transport in a future version of the App where one becomes available, in which case the privacy characteristics of that transport apply and differ materially from the default private tier;
  • (g) the underlying cryptographic primitives (Curve25519 elliptic-curve Diffie–Hellman, Ed25519 digital signatures, AES-256-GCM authenticated encryption, HKDF-SHA256 key derivation, the Noise Protocol XX handshake pattern, and the ML-KEM-512 hybrid key-encapsulation mechanism used for post-quantum protection) remain secure against practical attack.

5. On-Device Storage and User Control

All user-generated data associated with the App is stored on your device under the protection of the device's operating system, the secure element used for cryptographic key storage (the Apple Secure Enclave or Android equivalent), and the system keychain. You retain the following controls:

  • (a) Emergency Erase, which permanently deletes all App data from the device, including messages, contacts, keys, on-device delivery-intelligence records and models, queued outbound messages, on-device ad-decisioning state, the Geographic Routing value, and all preferences;
  • (b) Configurable retention for outbound message queues, on-device peer-encounter records, call records, and related derived data;
  • (c) "Clear all learned data" in Settings → Kōkua Sense, which synchronously wipes the App's on-device learned state without affecting messages or contacts. The pre-trained baseline model included in the App's binary is not user data and is not affected; after the wipe, the App falls back to baseline behavior and re-accumulates learned state over time;
  • (d) Federated-learning controls. The transport-learning workload exposes a user control in Settings → Kōkua Sense → Federated learning, including an "off" position that opts your device out of contributing entirely (see Section 3.8(a));
  • (e) Geographic Routing controls. You may revoke the operating-system location permission for the App and may independently disable Geographic Routing in the App's privacy settings (see Section 3.2);
  • (f) Ghost Mode, which suspends outbound Bluetooth Low Energy advertising and certain operating-system-framework discovery behaviors;
  • (g) Duress Passcode, which triggers Emergency Erase in place of unlock;
  • (h) Transport controls, including pairing or unpairing the optional private long-range radio transport.

The App's Data Retention Schedule, published as a companion document, enumerates every category of on-device data, its default retention period, the user controls that apply, and the effect of Emergency Erase on each category.

6. Legal Bases for Processing (Users in the European Economic Area, United Kingdom, and Comparable Jurisdictions)

Where Naloku LLC processes any personal data within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") or the United Kingdom General Data Protection Regulation, the legal bases for such processing are as follows:

  • (a) Performance of a contract (Art. 6(1)(b) GDPR): operation of the Relay envelope routing for users who have enabled it, solely to deliver the encrypted envelope requested by you; processing of public-channel directory metadata for creators who have opted in, solely to enable the directory listing they requested;
  • (b) Legitimate interests (Art. 6(1)(f) GDPR): responding to direct communications; preventing abuse of the Relay; maintaining the security and integrity of the service; and aggregate (non-personalized) ad-metrics reporting required to operate and bill against the advertising network;
  • (c) Legal obligation (Art. 6(1)(c) GDPR): compliance with valid legal process, as described in the Law Enforcement Response Policy.

Where processing of advertising data falls within the consent regime of the GDPR, the ePrivacy Directive, or analogous laws, the legal basis is your consent (Art. 6(1)(a) GDPR), which you may give or withdraw through the consent flow described in Section 3.5.

Naloku LLC does not process special-category data within the meaning of Art. 9 GDPR. Naloku LLC does not engage in automated decision-making producing legal or similarly significant effects within the meaning of Art. 22 GDPR.

7. Rights of Users

You have, at all times and without dependency on Naloku LLC, the ability to access, export (via the App's signed evidence-export feature), and erase (via Emergency Erase or standard application deletion) all App data on your device. Because Naloku LLC does not maintain any user-account database or any durable store of user content, rights of access, rectification, erasure, restriction, portability, and objection, as defined under GDPR, the California Consumer Privacy Act, and analogous laws, are in substantially all cases satisfied by your own control over the device on which the App is installed.

You may nonetheless contact Naloku LLC at privacy@naloku.com to submit a rights request concerning any information Naloku LLC may hold as a result of direct communications (Section 3.4), Relay operation (Section 3.3), public-channel directory metadata (Section 3.7), or aggregate-metrics beacon data (Section 3.8(c)). Naloku LLC will respond within the timeframes required by applicable law.

Users in the European Economic Area and United Kingdom have the right to lodge a complaint with their national supervisory authority. Users in California have the right to be free from discrimination for exercising their rights under the California Consumer Privacy Act.

8. International Transfers

The Relay is operated in one or more regions. Where operation of the Relay requires transfer of encrypted envelopes across national borders, such transfers consist only of ciphertext as described in Section 3.3 and do not involve the transfer of personal data in any decryptable form. Public-channel directory metadata (Section 3.7) and policy-distribution data (Section 3.3) may transit national borders in connection with their respective operations; such transfers consist of voluntarily-published creator-supplied metadata, signed cryptographic material, and aggregate, non-personal data. For direct communications (Section 3.4), Naloku LLC relies on Standard Contractual Clauses or equivalent mechanisms where applicable.

9. Government Requests and Warrant Canary

Naloku LLC will respond to valid legal process as set out in the companion Law Enforcement Response Policy. Because Naloku LLC does not hold plaintext message content, identity keys, contact lists, or per-user metadata databases, the information available in response to any request is materially limited.

Naloku LLC publishes a warrant canary in each Transparency Report indicating that, as of the date of the report, Naloku LLC has not received any order that would require it to modify the App or the Relay to enable monitoring of user communications, nor any order compelling disclosure that it is not permitted to disclose. Absence of the canary from any future report should be interpreted in accordance with standard warrant-canary conventions.

10. Children

The App is not directed to children under the age of thirteen (13), or the equivalent minimum age in your jurisdiction. Naloku LLC does not knowingly process information from children under that age. Parental-supervision features are not offered in the current version of the App; their absence should not be interpreted as a representation that the App is suitable for minors.

11. Security

Naloku LLC implements and maintains commercially reasonable technical and organizational measures designed to protect information described in Sections 3.3, 3.4, 3.7, and 3.8(c). These include end-to-end encryption of all user-to-user traffic; sealed-sender construction at the Relay; memory-only Relay envelope architecture; multi-region Relay deployment; post-quantum hybrid key agreement for sensitive cryptographic exchanges; and continuous-integration enforcement of the architectural commitments described in this Policy. No system is perfectly secure, and the commitments in this Policy are conditioned as set forth in Section 4.

12. Changes to This Policy

Naloku LLC may modify this Policy from time to time. Material changes will be communicated through an in-App notice, through an update to the App accompanied by revised Policy text, or through publication on Naloku LLC's website at https://naloku.com, in each case not fewer than thirty (30) days before the change takes effect except where a shorter period is required by law. Continued use of the App following the effective date of a modification constitutes acceptance of the modified Policy.

13. Contact

Naloku LLC may be contacted regarding this Policy at:

  • Email: privacy@naloku.com
  • Postal address: Naloku LLC, 2801 Denton Tap Rd Apt 1523, Lewisville, TX 75067, United States

Naloku LLC has not designated a Data Protection Officer under GDPR Art. 37 because the criteria requiring designation are not met. Naloku LLC has not designated an EU/UK Article 27 representative because the App's processing is not within the threshold requiring such designation. Naloku LLC will reassess these determinations as the user base evolves.

End of Privacy Policy.