Back to SPEAQ

Privacy Policy

Last updated: May 10, 2026

Legal entity

QSR2go Operations B.V., trading as Plexaris
Amsterdam, the Netherlands
Chamber of Commerce (KvK): 62031619
Privacy contact: privacy@thespeaq.com

QSR2go Operations B.V. (h.o.d.n. Plexaris) is the controller for personal data processed in connection with SPEAQ. There is no formally appointed Data Protection Officer because the company remains under the GDPR article 37 thresholds. The CEO performs DPO-light duties.

Our Commitment

SPEAQ is built on a simple principle: your data is yours. We designed SPEAQ so that we cannot read your messages, listen to your calls, see your files, or access your wallet. This is not a policy choice - it is a technical guarantee.

What We Do Not Collect

  • Your real name, email address, or phone number
  • The content of your messages, calls, or files
  • Your contacts or address book
  • Your location or IP address (after initial connection)
  • Your wallet balance or transaction history
  • Your browsing activity within SPEAQ
  • Metadata about who you communicate with
  • Device identifiers that could be linked to your identity

What We Process

To operate the SPEAQ relay network, we process only the minimum amount of data needed to deliver your messages, and nothing that can be linked to your identity:

  • Encrypted message blobs (we cannot decrypt them)
  • Temporary routing information (deleted after delivery)

Encryption

Text messages are end-to-end encrypted with AES-256-GCM (NIST standard) and a Double Ratchet protocol providing forward secrecy. Key exchange uses FIPS 203 ML-KEM-768 (NIST post-quantum, via the @noble/post-quantum library) on both PWA and native, active since the 2026-04-25 audit upgrade. FIPS 204 ML-DSA-65 is active in PWA identity hardening, in the relay AUTH hybrid (with ECDSA P-256), and in SPEAQ Chain block dual-signing. FIPS 205 SPHINCS+ (SLH-DSA) is active in chain block dual-signing as a hash-based fallback. Voice and video media use WebRTC's DTLS-SRTP encryption; PWA signaling (SDP/ICE) is additionally encrypted with AES-256-GCM using a key derived from the Kyber-768 shared secret, making call signaling zero-knowledge against the relay.

Privacy-First Architecture

SPEAQ uses a sealed-sender relay system. The server facilitates message delivery without knowing who is communicating with whom. Messages are encrypted before leaving your device and can only be decrypted by the intended recipient.

Voice and Video Infrastructure

To enable real-time voice and video calls between devices on different networks, SPEAQ operates two relay servers: a TURN server (turn.thespeaq.com) that helps establish peer-to-peer connections, and a Selective Forwarding Unit (sfu.thespeaq.com) that routes encrypted media streams. Both servers:

  • Receive only encrypted media packets (DTLS-SRTP), which they cannot decrypt
  • See temporary IP addresses of participants while a call is active
  • Do not record, store, or analyze any call content
  • Hold no logs of who calls whom
  • Retain no data after a call ends

Call signaling itself (the messages that set up a call) is additionally encrypted with AES-256-GCM using a key derived from the Kyber-768 post-quantum shared secret, making the relay zero-knowledge against signaling content.

Data Storage

All your data - messages, files, contacts, wallet information - is stored locally on your device. We do not have access to this data. If you delete the app, your data is gone. We recommend using the encrypted backup feature to protect against device loss.

Q-Credits & Wallet

Your Q-Credit wallet operates entirely on your device. Private keys never leave your device. We cannot access, freeze, or confiscate your Q-Credits. Transactions are verified by the network, not by a central authority.

Third Parties

We do not sell, share, or provide your data to any third party. We do not use third-party analytics, advertising, or tracking services. There are no cookies, no pixels, no trackers.

Law Enforcement

Because of our zero-knowledge architecture, we have nothing to provide in response to legal requests. We cannot decrypt your messages. We do not know who you communicate with. We do not store your data. We will comply with valid legal processes, but the technical reality is that we have nothing useful to hand over.

Changes to This Policy

We will notify users of any material changes to this privacy policy through the app. The current version is always available at thespeaq.com/privacy.

Display name

The display name you choose during account creation is stored unencrypted on our relay so that your contacts can see who is messaging them. If you want to remain pseudonymous, do not enter identifying information (real name, location, employer) as your display name. The first-time setup screen will warn you about this.

Push notifications

Push notifications are opt-in. Before the iOS or Android system prompt appears, the app shows a short in-app explanation of what push is used for: incoming messages and calls. The push payload itself contains no message content, only a routing token.

Q-Credits wallet activation

The Q-Credits wallet is opt-in. You can use SPEAQ messenger fully without ever activating a wallet. When you choose to activate, an in-app consent screen explains that (1) the SPEAQ-chain ledger is public, (2) blockchain transactions are immutable, and (3) due to immutability, GDPR article 17 right-to-erasure cannot be retroactively applied to chain records. The wallet is created only after you give informed consent.

Contact

For privacy-related questions, contact us at privacy@thespeaq.com.

SPEAQ is developed by QSR2go Operations B.V., trading as Plexaris (KvK 62031619), Amsterdam, the Netherlands.

SPEAQ Freely.

© 2026 SPEAQ. All rights reserved.