Overview
The Murmur ("we", "our", or "us") operates as an anonymous Instagram comment platform accessible via our iOS application. We are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have regarding your data.
The core principle of The Murmur is anonymity by design. We built the system so that we cannot identify you even if compelled to — not because we promise to protect your identity, but because we technically cannot reveal it.
Information We Collect
Device Identifier (Hashed)
When you first open The Murmur, the app sends a device identifier string to our servers. We immediately apply a SHA-256 cryptographic hash combined with a server-side salt to this value before storing anything. We store only the resulting hash — never the original device ID. This hash is a one-way transformation; it cannot be reversed to obtain your original device ID.
This hashed value is used solely to:
- Issue a JWT authentication token so you can use the app across sessions
- Associate your anonymous comments and likes with a consistent (but untraceable) identity
Anonymous Username
We deterministically derive an anonymous display name from your device hash and your device's preferred language. Names follow the pattern Adjective + Animal + 4-digit number (e.g., GizliKurt4271, SilentEagle3840). This name is stored in our database and is visible to other users on comments you post.
Comments and Likes
Any comment you submit is stored in our database linked to your anonymous user ID (derived from the hash above). Likes you place on comments are similarly stored. Comments may contain up to 500 characters of text you choose to write.
Technical Logs
Our servers may generate standard HTTP access logs containing IP addresses, request paths, timestamps, and HTTP status codes. These logs are retained for a maximum of 30 days for security and debugging purposes and are then deleted.
How We Use Your Information
| Data | Purpose |
|---|---|
| Hashed device ID | Authentication, user session continuity |
| Anonymous username | Display on comments so users can track replies |
| Comments | Display to other users on profile pages |
| Likes | Rank comments, power the weekly leaderboard |
| Server logs | Security monitoring, debugging, abuse prevention |
We do not use your information for advertising, profiling, or sale to third parties.
Data Storage & Security
Our servers and database are hosted on cloud infrastructure. We implement the following security measures:
- Device identifiers are irreversibly hashed with a server-side salt before storage
- JWT tokens are signed with a secret key and expire after a defined period
- Rate limiting is applied to all endpoints to prevent abuse
- HTTP security headers are applied via Helmet.js
No security system is perfect. While we take reasonable precautions, we cannot guarantee absolute security of data transmitted over the internet.
Data Retention
| Data Type | Retention Period |
|---|---|
| Hashed device ID & anonymous username | Until you request deletion or the account is inactive for 2 years |
| Comments (not deleted by user) | Indefinitely, or until account deletion is requested |
| Deleted comments | Soft-deleted (content cleared, record kept for integrity); fully purged after 90 days |
| Likes | Retained as long as the associated comment exists |
| Search cache | 5 days |
| Server access logs | 30 days |
Your Rights
Because we store no personal data that can identify you, most traditional data-subject rights (access, rectification, portability) are technically difficult to exercise — we cannot find "your" record without knowing your hashed device ID.
However, you may:
- Delete your comments — within the app, you can delete any comment you have posted. Comments are soft-deleted at first, then permanently purged within 90 days.
- Request account deletion — contact us at the address below with your anonymous username. We will delete all data associated with that username, including comments, likes, and the hashed device record.
- Stop using the app — since no personal data is tied to your real identity, uninstalling the app is sufficient to stop any further data collection.
If you are located in the European Economic Area (EEA), UK, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise these rights.
Children's Privacy
The Murmur is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect any information from children. If you believe a child under the applicable age has used the app, please contact us and we will delete any associated data promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance of the revised policy. For significant changes, we will make reasonable efforts to notify users through the app.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
Email: privacy@themurmurapp.com