Privacy Policy

At Magus Labs LLC, privacy is not a feature—it is our foundational engineering principle. We build Zero-Knowledge software, meaning our systems are mathematically designed so that we cannot access, read, or sell your data.

This policy applies to all applications developed by Magus Labs LLC, including Opaque Vault and Whisper.

1. Zero Data Collection & Zero Logs

Magus Labs LLC operates on a strict Zero-Knowledge architecture. We do not require an email, phone number, or account creation to use our applications.

  • Opaque Vault: All files are encrypted locally on your device's physical hardware using AES-256 GCM encryption. Your Master Encryption Key (MEK) is derived from your personal PIN and is never transmitted off-device.
  • Whisper: Messages are End-to-End Encrypted (E2EE) client-side using the Double Ratchet Algorithm. Our cloud relay servers operate strictly in memory (RAM), forward only encrypted binary blobs, and retain zero logs. We do not know who you are, who you communicate with, or what you say.

2. Mandatory Android Permissions Explained

To facilitate offline functionality and peer-to-peer networking, our applications require specific hardware permissions. We only request these permissions to make the software function locally; data is never scraped or uploaded to our servers.

Whisper Networking Permissions

  • Location Services (ACCESS_FINE_LOCATION): Required by the Android OS to scan for local Wi-Fi Direct and mDNS peers. Hardware MAC addresses can theoretically infer location, so Android strictly mandates this permission for peer discovery. We do not access your GPS coordinates or track your physical location.
  • Bluetooth (BLUETOOTH_SCAN, ADVERTISE, CONNECT): Used strictly to discover and securely handshake with nearby Whisper users via Bluetooth Low Energy (BLE).
  • Nearby Devices (NEARBY_WIFI_DEVICES): Required on Android 13+ to facilitate local Wi-Fi subnet scanning without requiring full Location permissions where possible.
  • Foreground Service (ActiveSessionService): Used to keep secure socket connections alive while the app is backgrounded, allowing real-time message delivery.

Opaque & Whisper Media Permissions

  • Camera: Used strictly for capturing photos directly into encrypted memory. Photos bypass the public gallery entirely.
  • Storage / Media: Used solely to allow you to import files into the secure vault and export decrypted files back to your device.
  • Microphone (RECORD_AUDIO): Reserved for recording secure voice memos directly into the encrypted environment.

3. The Limitation of Liability (Lost PINs)

Because we utilize true client-side encryption, Magus Labs LLC has no backdoor to your data. If you forget your primary PIN and lose access to your BIP-39 recovery phrase (or Biometric recovery module), your data will be permanently mathematically unrecoverable. We cannot reset your PIN or restore your files.

Last Updated: May 2026
Contact: contact@maguslabsllc.com