Privacy Policy

Welcome to Hopper. This Privacy Policy explains how Hopper ("we", "us", "our") handles information in connection with your use of the Hopper mobile application ("App") and related services (collectively, the "Service"). Hopper is a decentralized, infrastructure-free peer-to-peer mesh communication platform designed to enable users to communicate without reliance on the internet, cell towers, or cloud servers.

Our privacy architecture is built on a fundamental principle: your data belongs to you and stays on your device. We do not operate central servers that collect, store, or process your personal messages or communication history.

By using the Hopper application, you acknowledge and agree to the practices described in this document. This Policy is incorporated by reference into Hopper's Terms of Service.

Most messaging applications route your communications through central servers operated by the company, where data is stored, processed, and potentially accessible to the company and its partners. Hopper fundamentally rejects this model. Our Service is built on:

• Peer-to-peer (P2P) communication: All messages travel directly between devices on the local mesh network.
• Local-only storage: Your messages, contacts, and media are stored in an encrypted SQLite database on your device and nowhere else.
• No authentication servers: Hopper does not require you to create an account with an email or phone number. Your identity on the network is a locally chosen username.
• No telemetry servers: We do not collect crash logs, usage analytics, or behavioral data via any remote server.

Because Hopper operates without central servers, the concept of "data we collect" is substantially different from conventional applications.

Username

When you first launch Hopper, you choose a username (3–12 characters, letters, numbers, and underscores only). This username is stored locally on your device, broadcast over the local mesh network to announce your presence, visible to all nearby Hopper users, and never transmitted to any Hopper server or linked to any real-world identity.

Messages and Content

All messages you send or receive — including text, images, videos, audio recordings, voice messages, documents, reactions, and read receipts — are transmitted directly device-to-device, stored exclusively in a local SQLite database on your device, automatically purged after seven (7) days, permanently deleted when you clear data or uninstall the application, and never transmitted to or accessible by Hopper's infrastructure.

Media Files

Images, videos, audio files, and documents you receive are stored in the application's local documents directory. These files are subject to the same seven-day automatic cleanup cycle and user-initiated deletion.

Device Identifiers

To facilitate device discovery, Hopper reads: on iOS, identifierForVendor (reset on app reinstall, not an advertising ID); on Android, Android ID (reset on factory reset); and the device model name for display in the nearby users list. These are used exclusively for local peer identification and are never transmitted to Hopper servers.

Signal Strength & Proximity Data

Hopper reads RSSI values from Bluetooth and Wi-Fi connections to estimate proximity of nearby peers. This data is processed entirely on-device, used solely to display proximity indicators, and never transmitted off-device.

What We Do NOT Collect

• The content of your messages on any server
• Your GPS location, precise geographic coordinates, or location history
• Your contacts list, phone book, or social graph
• Your real name, email address, phone number, or any government-issued identifier
• Advertising identifiers (IDFA on iOS, GAID on Android)
• Financial information of any kind
• Browsing history or activity outside the Hopper application
• Behavioral analytics or usage patterns on any server

Hopper requests the following device permissions. Each permission is strictly necessary for the stated purpose and is not used for any other purpose:

Hopper's core innovation is its mesh networking capability: messages can be relayed through intermediary devices ("hops") to reach peers that are not in direct range.

How Message Routing Works

When a message cannot reach its intended recipient directly, Hopper may route it through one or more intermediary devices. These devices act as relay nodes, forwarding the message packet without the ability to read its content.

Encryption During Transit

Data Retained on Relay Devices

Intermediary relay devices do NOT permanently store forwarded message content. Message packets are held in memory only for the duration needed to forward them to the next hop. No message data from other users is written to the relay device's local database.

Broadcast Messages

Broadcast messages are transmitted to all nearby connected peers and are visible to all recipients within the mesh. You should not include sensitive personal information in broadcast messages.

SQLite Database (hopper.db)

Hopper maintains a local SQLite database with three primary tables:

• Messages Table: Message ID, content, sender/recipient identifiers, timestamps, message type, delivery status, hop count, local media file path, read status.
• Devices Table: Device ID, device name, connection type, signal strength, last seen timestamp, connection status. Records older than 7 days are automatically deleted.
• File Transfers Table: File name, local path, file size, file type, sender/recipient IDs, transfer status, and progress value.

Application Preferences

Stored in SharedPreferences (Android) / NSUserDefaults (iOS): username, showActivityStatus, allowComments, shareUsageData, allowPersonalizedAds (Hopper currently shows no ads), requireBiometric, enable2FA, sendEmailAlerts, and sendPushNotifications.

Media Directory

Received media files are stored in the application documents directory at /documents/, accessible only to the Hopper application and deleted on uninstall.

Cache

Hopper uses a local file cache (hopper_cache) with a 7-day stale period and a maximum of 1,000 cached objects. The cache can be cleared from Settings.

Automatic Retention Policy

All locally stored data — messages, device records, and file transfer records — are automatically deleted after seven (7) days from the date of creation or last activity. This cleanup occurs in the background to manage device storage.

User-Initiated Deletion

You may delete all locally stored data at any time by navigating to Settings > Clear All Data, or by uninstalling the application, which permanently deletes the database, media directory, and all preferences. There is no way for us to recover deleted data, as Hopper does not maintain any remote copies.

No Remote Data to Delete

Because Hopper does not store your personal data on any server, there is no remote data to request deletion of. Your data is always entirely under your control on your device.

Current Security Measures

• All data is stored in the application's private storage area, inaccessible to other applications on the device
• On iOS, application data benefits from Apple's built-in device encryption and Secure Enclave protections
• On Android, the application targets a minimum SDK of 21, with application-layer private storage
• Biometric authentication (Face ID, Touch ID, or fingerprint) can be enabled in Settings
• Two-factor authentication (2FA) setting is available in application settings
• Messages in transit use the underlying encryption of the Wi-Fi Direct / MultipeerConnectivity transport layer

End-to-End Encryption Roadmap

Security Limitations

• Physical proximity sharing: Because Hopper broadcasts your username and device ID to all nearby users, anyone running Hopper within range can see your username and that you are present in the area
• Broadcast messages: Messages sent to the broadcast channel are visible to all mesh participants in range
• Device logs: Standard OS crash logs and device analytics (managed by Apple or Google) may capture application errors independent of Hopper's design

Hopper does not knowingly collect personal information from children under the age of 13. The Service is not directed at children under 13. If you are a parent or guardian and believe your child under 13 has used Hopper, please contact us immediately. Because all data is stored locally on the device, the most effective remediation is to clear the application data or uninstall the application.

Users between the ages of 13 and 17 may use Hopper with parental or guardian consent. We encourage parents and guardians to review these Terms and this Privacy Policy with minors before allowing use.

Hopper integrates third-party open-source libraries and platform SDKs to deliver its functionality. While Hopper itself does not transmit data to external servers, some third-party components may have their own data handling behavior under certain conditions.

Platform Services

• Apple MultipeerConnectivity (iOS): Managed by Apple Inc. Peer-to-peer connections may be subject to Apple's Privacy Policy. No message content is transmitted to Apple servers.
• Android Wi-Fi Direct: Managed by Google LLC via the Android platform. Wi-Fi Direct connections are device-to-device and do not route through Google servers.

Key Open-Source Libraries

• flutter_local_notifications — displays local notifications on-device, no data transmitted externally
• sqflite — local SQLite database library, all data remains on-device
• flutter_cache_manager — local file caching, cache stored on-device
• flutter_blue_plus — BLE scanning and advertising, operates entirely on-device
• device_info_plus — reads device hardware identifiers locally, not transmitted externally

We do not integrate advertising SDKs, third-party analytics platforms, or social media SDKs into the Hopper application.

Right to Access

You have the right to know what personal data Hopper holds about you. Because all data is stored locally on your device, you can access it directly by reviewing your message history within the application.

Right to Deletion

You have the right to delete your personal data at any time by clearing all application data within Settings, or by uninstalling the application. No remote action is required because we hold no remote copies of your data.

Right to Portability

Hopper provides a data export function (available in Settings) that allows you to export your messages and device records as a structured JSON file.

EU/EEA Residents — GDPR

If you are located in the European Economic Area (EEA), you have rights under the GDPR including the right to access, rectify, restrict, port, and delete personal data, as well as the right to object to processing. The legal basis for any processing is your consent (Article 6(1)(a) GDPR) and the performance of our contractual obligations (Article 6(1)(b) GDPR).

California Residents — CCPA

If you are a California resident, the CCPA grants you the right to know what personal information is collected, the right to delete it, and the right to opt out of the sale of personal information. Hopper does not sell personal information to third parties.

Exercising Your Rights

To exercise any of these rights, contact us at privacy@hopper.app. Because Hopper holds no remote data about you, most requests can be fulfilled entirely by you using the in-app data management tools.

Hopper is available globally. Because Hopper does not operate central servers and does not transmit personal data to any infrastructure we control, there are no cross-border data transfers associated with using the Service. All data remains on your device in whatever country you are located.

Users are responsible for complying with local laws and regulations governing the use of peer-to-peer communication tools, encryption, and mesh networking technologies in their jurisdiction.

Hopper uses local push notifications to alert you to incoming messages. These notifications are generated and displayed entirely on-device using flutter_local_notifications. Notification content is not transmitted to Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM) because Hopper does not use remote push notification infrastructure. On Android, Hopper maintains a low-priority foreground service notification to keep the mesh service alive in the background. This is a system requirement for background Bluetooth/Wi-Fi operations and does not involve data transmission.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, applicable law, or other factors. When we make material changes, we will:

• Update the "Effective Date" at the top of this document
• Notify users through an in-app alert or announcement where practicable
• Post the updated Policy on our website

Your continued use of the Service after the updated Policy becomes effective constitutes your acceptance of the revised terms.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us: