Because Letro is built on a Trustless and Decentralized-first architecture, the concept of "data residency" differs from traditional centralized apps.
Letro supports individual and regional hosting to meet residency expectations in EU, US, Switzerland and GCC markets. A customer's selected preferences (such a their own private server) region determines where their primary service components store and process data.
Production Data Storage (By Region)
- Message Content: User Devices (Local). Letro does not store message content or file attachments on our servers. All user data is stored locally on your device in an encrypted SQLCipher database.
- Transit/Relay Nodes: Global Distribution (AWS/GCP/Edge). Encrypted blobs (messages in transit) are temporarily queued on relay servers located in US-East (N. Virginia), EU-West (Ireland), and Asia-Pacific (Singapore). These blobs are deleted immediately upon successful delivery.
- Metadata (Account Attributes): Minimal account metadata (e.g., ZK-IDs) is stored in a distributed ledger or highly available database in EU-Central (Frankfurt) to ensure strict GDPR compliance.
Backups & Logs
- Backups: Letro does not perform server-side backups of your messages.
- User Responsibility: Encrypted backups are generated locally on your device. You may choose to upload these to your personal cloud (i.e., iCloud, Google Drive), but Letro has no access to the keys required to decrypt them.
- Logs: We operate a "No-Log" policy for message traffic.
- Server Logs: Contain only connection timestamps and IP addresses (retained for 72 hours for DDoS protection), with no association to message IDs or user identities.
- Application Logs: On-device logs are stripped of PII (Personally Identifiable Information) and only transmitted to Letro if you explicitly trigger a "Send Debug Log" action for support.
Cross-Border Data Transfers
- When it happens: As a global communication tool, encrypted data packets move across borders to reach the recipient.
- Why it happens: To route messages through the lowest-latency relay node relative to the recipient.
- Protection: All data in transit is opaque to the network. We utilize Standard Contractual Clauses (SCCs) with our infrastructure providers to ensure data legality across EU/US borders.
Support Access Implications
- Access Control: Support staff cannot read your messages, view your contacts, or access your attachments.
- Technical Constraint: Because we do not hold your private keys, we possess no technical ability to decrypt user data, even if compelled by a subpoena or warrant. Support is limited to troubleshooting connectivity and metadata sync issues.
