Privacy Policy
Last updated: May 19, 2026
This policy explains what data teacups collects, why, and what happens to it. We're a product of Tilted Planet, Ltd., an Illinois corporation.
The Short Version
- We don't know who you are. No name, no email, no account.
- If you use Private Teacups, we verify your phone number. It's encrypted and stored on our servers.
- We use your location while you chat so we can connect you with nearby people. That's it.
- Regular messages disappear. Private Teacup messages are retained for up to 2 years.
- Photos and videos are scanned by a commercial moderation service before delivery, and their EXIF / location / device metadata is stripped before other users see them. Originals are kept for 90 days for safety, then deleted.
- If you claim a Tea Ball, the handle is stored on our server tied to your device. Tea Bags are ephemeral and never stored.
- We only save data when something goes wrong (bans) or when you use Private Teacups.
What We Collect
Location
- Your approximate location is used in real time to place you in a chat zone.
- The size of your chat zone adjusts dynamically based on the number of active users nearby. Fewer users means a wider area; more users means a tighter, more local group.
- We don't store your precise coordinates. Your chat zone identifier (a bucketed area, not your exact position) may be retained alongside abuse reports for trust and safety purposes.
- We don't store your location history.
Device Identifier
- We use Apple's DeviceCheck to remember if a device has been banned.
- This is a yes-or-no flag. It can't identify you or track you across apps.
Messages
- Text messages are relayed through our server in real time but are not permanently stored.
- They're deleted from memory after 4 hours of inactivity.
Photos & Videos
- Sending photos and videos requires Tea Tags (a paid in-app purchase). Receiving and viewing is free.
- Every upload is scanned by a commercial third-party content-moderation service (Hive AI) before delivery. The provider does not retain your media for model training. Uploads that fail moderation are dropped and not delivered.
- We compute a SHA-256 hash of every upload and compare it against a list of restricted hashes (including the National Center for Missing & Exploited Children (NCMEC) child sexual abuse material (CSAM) hash database where available). Matches are dropped and may be reported to authorities as required by law.
- Before delivery to other users, technical metadata is stripped from the file. This includes location coordinates (EXIF GPS), camera model and serial number, capture timestamp, and other embedded device information. The version other users see contains the image or video data only.
- The original (with metadata intact) is encrypted in transit and stored on Tigris object storage operated by Fly.io. Originals are accessible only to teacups platform participants and only for trust-and-safety purposes (abuse reports, case bundles, law-enforcement requests).
- Originals are retained for 90 days from upload. Originals attached to an open abuse report are retained for up to 2 years. Originals attached to an NCMEC escalation are preserved as required by law.
- Photos are compressed before sending. Videos are trimmed to 15 seconds and compressed.
Purchases
- All purchases are handled by Apple. We receive a receipt confirming the transaction but no payment details. We track balances and purchase expiry tied to your device.
Tea Balls
- Handle name, visibility status, and revocation status are stored server-side.
- Tied to your device attestation key, not to any personal identity.
Tea Parties & Tea Bags
- Tea Party messages exist in server memory only and are not persisted to any database unless there is a trust-and-safety issue, which may trigger encrypted data retention for up to two years.
- Tea Bags are stored in memory for the duration of the party and discarded when you leave or the party ends.
Subscriptions
- Subscription type and expiration date are stored via Apple receipt validation, tied to your device.
- No payment details are stored.
Home Teapot
- If you set a home teapot, the human-readable address is stored locally on your device only.
- Your home teapot coordinates are stored on our servers to enable the teleport-home feature. We do not store your street address.
Phone Number
- If you purchase a Teaspoon, you must verify your phone number via SMS.
- Your phone number is encrypted using AES-256-GCM before storage. We cannot read it in plain text.
- A one-way hash of your phone number is stored separately for rate limiting and to prevent abuse.
- Your encrypted phone number is only decrypted and shared with the other user if both of you mutually agree to reveal in a Private Teacup.
- We do not use your phone number for marketing, analytics, or any purpose other than Private Teacup reveal.
Support Tickets
- If you submit a support ticket, your category selection, subject, and message body are stored on our servers along with your device identifier. Support ticket data is retained until the ticket is resolved.
Push Notification Token
- If you allow notifications, Apple gives us a token to send you alerts.
- We only use it to tell you when someone nearby joins the chat or when you receive a Private Teacup request.
- We may also notify you of Tea Party activity or purchase expiry.
- We don't share it with anyone.
Apple Watch
- If you use the teacups Apple Watch companion app, it connects to the same server as the iPhone app.
- No additional data is collected. The same privacy protections apply.
Anonymous Usage Data
- We may collect and retain anonymous, aggregated statistical and usage data to better operate and evolve the service.
- This includes things like zone activity levels, feature usage patterns, and game participation rates.
- This data is not linked to any individual user and cannot be used to identify you.
What We Don't Collect
- Your name, email, or any account info. Tea Ball handles are chosen by you and not verified against any real identity.
- Your phone number — unless you voluntarily provide it for Private Teacups (encrypted).
- Your home street address (stored on-device only). Home coordinates are stored server-side for teleport functionality.
- Your contacts, photos, or files (unless you choose to send a photo or video in chat).
- Advertising IDs or tracking cookies.
Sharing Your Data
- We don't sell your data. Ever.
- We don't share your data with advertisers or data brokers.
- We don't share your personal information for cross-context behavioral advertising.
- When you nominate a message for the best-of feed, your chat zone's approximate center (not your precise location) may be sent to OpenStreetMap's geocoding service to determine a nearby city name. No identifying information is included in this request.
- When you report a message, the report content may be processed by a third-party AI service (Anthropic) to assess severity. No identifying information about you is included.
- Phone number verification is processed through a third-party SMS provider (Twilio). Your phone number is sent to Twilio solely for delivering the verification code.
- Photos and videos you upload are sent to a third-party content-moderation provider (Hive AI) for classification before delivery. Hive does not retain your media for model training. No identifying information about you is included.
- Photo and video originals are stored on Tigris object storage operated by Fly.io for trust-and-safety retention. Tigris is contractually bound to handle this data only as a processor on our behalf.
- When you enter a Magic Teacup, the destination's coordinates are used on your device only to look up the local weather (via Apple's WeatherKit) and place name (via Apple's CoreLocation). These lookups are performed by the iOS frameworks on your device and are not routed through our servers. Weather data is provided by Apple Weather and its data sources.
Sensitive Personal Information
- Under certain privacy laws, the following data we handle may be classified as sensitive personal information:
- Location data: your approximate position is used in real time to determine your chat zone. Zone identifiers (bucketed areas, not precise coordinates) may be stored with abuse reports.
- Message content: chat messages pass through our server in real time. Regular messages are deleted after 4 hours of inactivity. Message content may be retained in abuse reports or trust-and-safety investigations for up to 2 years.
- We only use sensitive personal information as necessary to provide the service — connecting you with nearby people and enforcing community safety. We do not use it for advertising, profiling, or any secondary purpose.
Data Retention
- Regular chat messages: deleted after 4 hours of inactivity.
- Photo and video originals: retained on Tigris object storage for 90 days from upload. Originals attached to an open abuse report or NCMEC escalation are retained for up to 2 years, or longer if required by law.
- Metadata-stripped photo and video versions delivered to other users: not permanently stored.
- Private Teacup messages: encrypted and retained for up to 2 years, then permanently deleted.
- Phone numbers (Private Teacups): encrypted and retained while your Teaspoon tokens or active Private Teacups exist.
- Abuse reports: chat zone identifier and message context retained for up to 2 years for trust and safety, then permanently deleted. No precise coordinates are stored.
- Ban records: retained indefinitely to enforce community safety.
- Tea Ball handles: retained while active. Revoked handles are retained to prevent re-registration.
- Tea Party messages and Tea Bags: deleted from memory when the party ends unless there is a trust-and-safety issue, which may trigger encrypted data retention for up to two years.
- Subscription records: retained while active, removed after expiration.
- Everything else: not stored in the first place.
Platform Participants
- Individuals granted operational roles (such as developer, debugger, moderator, or contractor) access teacups through a credential linked to their identity.
- For platform participants, we may log and monitor all activity conducted under that credential, including messages sent, features accessed, API calls made, and connection metadata.
- This monitoring data is retained for the duration of the participant's role and for a reasonable period afterward for audit and accountability purposes.
- If you are a platform participant, you consent to this monitoring as a condition of your operational access. This does not apply to regular users of the app.
Your Rights
- You have the right to know what personal information we collect and how we use it. This policy is our complete disclosure — we don't collect anything beyond what's described here.
- You have the right to request deletion of your data. However, teacups is designed to be anonymous — we don't collect your name, email, or any account credentials. This means we generally cannot verify that a particular person is associated with a particular session or device token.
- If you can demonstrate ownership of a specific device (for example, by providing your App Attest key identifier from the app's settings), we will make reasonable efforts to locate and delete associated data, including abuse reports, heat profiles, home zone selections, subscription records, and Tea Ball registrations.
- Ban records tied to a device may be retained even after a deletion request, as they serve a legitimate safety purpose.
- To submit a request, contact privacy@teacups.com with as much identifying detail as you can provide. We will respond within 45 days.
- We do not discriminate against users who exercise their privacy rights.
Do Not Sell or Share
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioral advertising.
- Because we don't sell or share, there is nothing to opt out of — but if you have questions, contact privacy@teacups.com.
Region-Specific Requirements
- Depending on your location, additional legal terms may apply.
- These are presented in the app when applicable.
- Region-specific documents supplement but do not replace these global terms.
No Expectation of Privacy
teacups is a public forum. Messages can be read by anyone nearby. Anonymous does not mean private. Do not share anything you wouldn't want seen by strangers.
Children
teacups is for users 18 and older. We don't knowingly collect data from anyone under 18. If we find out someone under 18 is using the app, we'll remove their access.
Changes
We may update this policy. If we make significant changes, you'll see the updated policy in the app. Continuing to use teacups means you accept the changes.
Contact
Tilted Planet, Ltd.
privacy@teacups.com