Semafore

Privacy Policy

How Semafore collects, uses, and protects personal data.

Semafore is a product of Attomus Limited (“Attomus”, “we”, “us”). This policy explains what personal data Semafore collects, why it collects it, how it is protected, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Attomus Limited is the data controller for personal data processed through Semafore. Registered in England and Wales, company number 06517654. ICO registration reference ZA718457. 23 Berkeley Square, Mayfair, London W1J 6HE. [email protected]


The architecture and what it means for your data

Semafore is designed so that message content never exists in plaintext on any Attomus-operated system. Every message is encrypted on the sender’s device before transmission using the Signal Protocol (X3DH key agreement and Double Ratchet forward secrecy). The server routes ciphertext. It holds no decryption keys and has no mechanism to read message content.

This is not a policy commitment. It is an architectural constraint. Attomus cannot read your messages. Neither can anyone who operates the Semafore server infrastructure on your behalf.

What this policy covers is the data that does pass through our systems in plaintext: account identifiers, platform activity metadata, and the technical records necessary to operate a reliable messaging service.


What we collect and why

Account and identity data

Phone number. Required to create an account. Used to issue one-time passcodes (OTP) for authentication. Stored as the primary account identifier within your organisation’s namespace. We do not use phone numbers for marketing.

Organisation name and identifier. Required to create an organisation on the platform. Used to scope all data and access controls within your deployment.

Display name. Provided by the user during sign-up. Shown to other members of your organisation within the platform.

Contact email address. Optionally provided during organisation setup. Used only for platform administration communications (account notices, billing correspondence). Not shared with other users or used for marketing without explicit consent.

Legal basis: Performance of a contract (providing the Semafore service).


Device and session data

Device identifier. A platform-generated identifier assigned when a mobile device registers with your organisation. Used to route encrypted messages to the correct device and to manage device revocation. Not a hardware identifier — it is generated by the Semafore application.

Push notification token. Issued by Apple (APNs) or Google (Firebase Cloud Messaging) for your registered device. Used exclusively to deliver a silent wake-up signal when a new message is queued for your device. The wake-up payload contains no message content — only a prompt for the device to reconnect and decrypt locally.

Session JWT. A signed token issued on successful authentication. Valid for a fixed period. Contains your organisation ID, role, and device ID. Not stored by the server beyond issuance.

Legal basis: Legitimate interests (operating a secure, reliable messaging service).


Platform activity metadata

The Semafore server maintains an audit log of platform events. Logged entries include:

  • Authentication events (login, logout, OTP request)
  • Device registration and revocation
  • User management actions (member added, role changed, member removed)
  • Group creation and membership changes
  • Broadcast sends (sender identity, timestamp, recipient count — not content)
  • File transfer events (file reference ID, timestamp — not file content)

These records are accessible to your organisation’s administrators via the portal. They are used to support platform governance, security review, and compliance obligations. They do not include message content, file content, or any decrypted material.

Legal basis: Legitimate interests (platform security and integrity; compliance support).


Technical operational data

Standard server logs (IP addresses, request timestamps, HTTP status codes) are retained for up to 30 days for infrastructure security and abuse prevention. These logs are not linked to user identities in routine operation.

Legal basis: Legitimate interests (infrastructure security and abuse prevention).


What we do not collect

  • Message content. Ever. See the architecture section above.
  • File content. Files are encrypted client-side before upload. The server stores ciphertext.
  • Location data.
  • Contacts, address book entries, or any data from outside the Semafore application.
  • Browsing history or cross-application tracking data.
  • Any data from children. Semafore is a business messaging platform and is not directed at individuals under 18.

Third-party processors

Attomus uses the following infrastructure providers to operate Semafore. Each is engaged as a data processor under a data processing agreement. They process personal data only as directed by Attomus and for no independent purpose.

Apple Push Notification Service (APNs). Used to deliver silent push wake-up signals to iOS devices. Receives device push tokens. Does not receive message content or account identifiers beyond what Apple requires to route the notification.

Google Firebase Cloud Messaging (FCM). Used to deliver silent push wake-up signals to Android devices. Receives device push tokens. Does not receive message content or account identifiers beyond what Google requires to route the notification.

Cloudflare. Used for application hosting, edge routing, and DDoS protection. Processes IP addresses and HTTP request metadata. Does not have access to message content.

Attomus does not sell, lease, or otherwise share personal data with third parties for their own commercial purposes.


Data retention

Data type | Retention period
Account and identity data | For the life of the account. Deleted within 30 days of account or organisation deletion.
Device identifiers and push tokens | For the life of the device registration. Deleted on device revocation or organisation deletion.
Audit log entries | Retained for 12 months by default. Configurable per organisation (shorter only).
Message queue entries | Drained on delivery. Undelivered entries deleted after 7 days.
Server operational logs | 30 days.

Your rights under UK GDPR

You have the right to:

  • Access the personal data Attomus holds about you.
  • Rectification of inaccurate personal data.
  • Erasure (“right to be forgotten”) — subject to our legal obligations to retain certain records.
  • Restriction of processing in specific circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected] with “Data Rights — Semafore” in the subject line. We will respond within 30 days. For complex requests, we may extend this by a further 60 days with notice.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data lawfully: ico.org.uk.


Cookies

The Semafore portal uses a single session cookie to maintain your authenticated session. This cookie is:

  • Scoped to portal.semafore.io only
  • Marked HttpOnly and Secure (not accessible to JavaScript; transmitted over HTTPS only)
  • Not used for tracking or analytics
  • Expires on logout or after 24 hours of inactivity

The Semafore mobile applications do not use cookies.

The semafore.io marketing website does not set any cookies on initial page load. No analytics, tracking pixels, or third-party scripts are loaded.


Changes to this policy

If we make material changes to this policy, we will update the date below and, where appropriate, notify affected users by email or via the platform.


Contact

Questions or requests regarding this privacy policy:

Attomus Limited
[email protected]
+44 20 3026 6250
23 Berkeley Square, Mayfair, London W1J 6HE

Last updated: April 2026