Hop is built so the network carries your messages without being able to read them. This is how that works in practice, and what we do and don't hold.
Product privacy overview · last updated 2026-06-24. A formal policy accompanies general availability; this describes how the system is designed to handle data.
Every message payload is encrypted to the destination's key (X25519 + ChaCha20-Poly1305) before it leaves your device. Relays, including our hosted backbone, carry ciphertext they cannot read. Only the recipient can open it. We never see, store, or process the contents of your messages.
A node is an Ed25519 keypair; its public key is its address. There is no required account, phone number, or email at the protocol layer. Human-readable names and contacts are an application concern, kept by the app, not part of the network.
When you use the optional cloud backbone, it stores sealed bundles (ciphertext) and their routing envelope so a message can wait for an offline recipient and bridge across regions. Held messages are evicted on their lifetime/TTL and purged on delivery. The backbone relays what it's given; it does not decrypt it.
Billing is metered on the sealed envelope, counts and bytes, never content: active devices, data carried, internet egress, and mailbox storage. Active-device counts use pseudonymous addresses, deduplicated within a billing period and not linked to any personal identity. We never open a payload to meter it.
The backbone stores data regionally, near where it's used, and supports a declared home region to pin a user's data to a jurisdiction where that's required. Locality is detected from usage for performance; legal residency is only ever set by explicit declaration, never inferred.
You can run the SDK fully peer-to-peer with no backbone at all, or operate your own private backbone, in which case the data never touches our infrastructure and these backbone practices are yours to set.
Questions about data handling: privacy@hopme.sh.