Privacy Policy

A username (it can be made up), a password that you choose, and a public name so your contacts can recognise you (it can also be made up). No email. No phone number. No data that links you to a real person.

For an exhaustive detail of all fields we store, how we protect them, and how long we keep them, see our Transparency Manifesto

The processing of your data is based on the following legal bases of the General Data Protection Regulation (GDPR)

• Execution of the contract ( Art. 6.1.b RGPD ): Your account data is necessary to provide you with the service.
• Legitimate interest ( Art. 6.1.f RGPD ): Anonymous measurement of visits to the presentation page (no cookies, no IP, no identification).
• Legal obligation ( Art. 6.1.c RGPD ): Preservation of records of payments for tax obligations.

Each type of data has a different retention period, detailed in our Transparency Manifesto

• Account data: until you delete your account.
• Sessions: maximum 24 hours.
• Connection signals: maximum 60 seconds, in memory only.
• Linking requests: maximum 3 days.
• Payment records: permanent (tax obligation). These records are completely anonymous: they only contain the amount and date of the payment, in order to issue the corresponding sales receipt. They do not include any data linking the payment to a specific user.

All our servers are located in Germany

Payments are processed through external payment gateways. These gateways may process transaction data in accordance with their own privacy policies. We do not receive or store any personal data from the payer — we only receive a confirmation and an amount.

On the landing page (not in the application) we perform anonymous visit measurement on our own servers hosted in Germany. No cookies, no IP address, no identifying anyone, and no sharing data with third parties.

Legal basis:

Right to object:

You can delete your account and all your associated technical data with a single click. No questions asked.

Under the GDPR and the Spanish LOPDGDD, you have the right to:

• Access: Know what data we have about you. Everything is detailed in the Transparency Manifesto; For your specific account, contact us.
• Correction: You can change your public name and password directly from the application.
• Deletion: Delete your account and all associated data with one click, from settings.
• Portability: Solo2 offers export of encrypted backups containing all your local data.
• Limitation of processing: In practice, the data we have about you is so minimal that there is hardly anything to limit. But if you request it, we will restrict any processing that is not strictly necessary to maintain the service.
• Objection: You can object to the treatment at any time. For anonymous analytics, simply disable JavaScript.

To exercise any of these rights, write to us at hola@menzuri.com

If you believe we have not adequately addressed your rights, you can file a complaint with the Data Protection Commission (DPC)

Solo2 uses cryptography proven by the academic community, not proprietary schemes. The primitives are the same as those that validate peer-reviewed publications and have been deployed for years on a global scale in other systems.

• X3DH (Extended Triple Diffie-Hellman) for the initial session establishment between two contacts: both derive a shared key without ever having exchanged any secret before.
• Double Ratchet for ongoing encryption of each conversation. Each message is encrypted with a different key, which is derived and deleted immediately after encrypting the next.
• ChaCha20-Poly1305 for the authenticated encryption of each individual message, within the Double Ratchet. Data at rest — your local vault and backups — is encrypted with AES-256-GCM. Both are widely deployed and validated authenticated ciphers (AEAD).
• Argon2id to derive, from your password, the key that wraps (encrypts) your master key. Resistant to attacks with specialized hardware (GPUs, ASICs).
• Curve25519 and Ed25519 for the encryption and signature key pairs. Modern elliptic curves, without suspicious "magic constants".

A key property offered by these primitives is forward secrecy: if a session key is compromised, previous messages remain unreadable. And the complementary property, post-compromise security: the conversation "self-heals" as soon as new messages are exchanged.

There is no master key, backdoor or recovery mechanism that allows us to read your messages. That includes the case of a court order: technically we cannot decrypt what we do not have.

A serious privacy policy is not just a list of what we do: it is also a clear list of what we will never do.

• We do not train AI models with your messages. It is not a voluntary promise: it is a consequence of all of the above. We do not have them at any time — the clause that sounds reassuring in other policies is intrinsically true here by construction.
• We do not sell advertising. Solo2 is a paid service, not monetized through ads. Your data is not our business model.
• We do not build profiles of use, behavior, location, contacts or interests. We also don't have a social graph that links some users to others.
• We do not share data with third parties for commercial purposes. The only exception is payment gateways, which receive only the transaction amount.
• We do not use tracking cookies, nor pixels, nor browser fingerprinting, nor external services like Google Analytics or Facebook Pixel.
• We do not log your IP address persistently. The connection needs a transient IP, but it is not saved associated with your account.

In application of Article 28 of the GDPR, the subprocessors currently involved in the provision of the service are as follows. If at any time a new subprocessor is incorporated, this list will be updated and we will communicate the change to users before it takes effect.

• Hetzner Online GmbH (Germany) — Server infrastructure with data centers in the European Union. Complies with GDPR and ISO 27001 certifications.
• Infomaniak (Switzerland) — Corporate email. Data hosted in Switzerland, a country with an adequacy decision from the European Commission.
• Payment gateways — Payment processing. They do not receive user personal data, only the amount and currency of the transaction.

When we receive a valid court order issued by a competent Spanish or European authority, we comply. The interesting question is not whether we would comply, but what we could effectively deliver.

Solo2's technical design drastically limits what we could provide to a subpoena. We do not have access to the content of messages (end-to-end encryption), we do not keep metadata of who talks to whom, we do not store connection histories and we do not keep IP addresses associated with accounts.

What we could deliver, if the case arose, are the minimum data associated with an account as described in the Transparency Manifesto: username and public name (both can be invented), a hash of the password, and a master key encrypted with that password which for us is an opaque blob.

This policy applies only to competent authorities in Spain and the European Union. We do not respond to requests from law enforcement in third countries without an intermediate European legal channel.