Last updated: May 24, 2026
Stitch Messaging ("Stitch," "we," "us," or "our") is committed to protecting your privacy and handling your personal information with care and transparency. This Privacy Policy explains what information we collect when you use the Stitch platform, why we collect it, how we use and protect it, who we may share it with, and the meaningful choices and rights you have regarding your information. By creating an account or using Stitch in any way, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree with our practices, please do not use Stitch. This Privacy Policy applies to all users of the Stitch platform globally. Where applicable law in your jurisdiction requires additional or different disclosures or protections, we provide those in region-specific sections below or in our Terms of Service. We encourage you to read this policy in full.
We collect the following categories of information when you use Stitch: ACCOUNT INFORMATION When you register, we collect your display name, username, and email address. Stitch does not currently use phone-number registration or phone-number discovery, and we do not collect your phone number for account discovery. PROFILE INFORMATION Your display name, username, profile photo, and any bio or status text you choose to add. This information is shown inside Stitch according to the app's profile and privacy controls. MESSAGES & CONTENT Messages, voice notes, photos, videos, links, GIFs, files, polls, and other chat content are protected with standard encryption in transit and encryption at rest on our infrastructure. Stitch is not currently end-to-end encrypted. We process and store message content as needed to deliver messages, sync supported clients, display conversation history to participants, support deletion and disappearing-message features, investigate reports, debug the service, enforce our rules, and comply with lawful requests. DISAPPEARING MESSAGES When a chat has disappearing messages enabled, new eligible messages and media sent after the setting is turned on are assigned an expiration time of 24 hours, 7 days, or 90 days. After expiration, Stitch attempts to remove those messages from active conversation storage. Disappearing messages do not prevent screenshots, copies, forwards, downloads, screen recordings, notifications, local device backups, or report evidence submitted before expiration. REPORT EVIDENCE When you submit a report, your device may send Stitch a limited evidence packet for moderation review. This may include your report reason, account and conversation identifiers, timestamps, message IDs, message types, media/file metadata, and normally the last 5 recent messages from the reported user in that chat. STORIES Stories you post, including photos, videos, text, and links, are stored for the story feature and are intended to expire after 24 hours. Story viewer lists are visible to the story owner during that period. GROUPS & MENTIONS For group chats, we process group membership, roles, admin-only messaging settings, invite links, and @mention metadata so groups can function correctly and notifications can respect user settings. CALL LOGS We store call metadata such as caller and recipient identifiers, call type, start time, duration, and outcome so we can display call history and support callbacks. We do not record or store call audio or video. Call media is transmitted using standard real-time transport security and may be routed transiently through media infrastructure to connect participants. USAGE, DEVICE, AND NOTIFICATION DATA We collect limited technical data such as error logs, crash reports, feature usage patterns, device type, operating system, browser type, IP address, push tokens, browser push subscriptions, and notification preferences. We use this to operate Stitch, deliver notifications, prevent abuse, debug issues, and improve reliability.
We use the information we collect solely to operate, maintain, and improve the Stitch platform. Specifically, we use your information to: • Provide, operate, and deliver the Stitch messaging service, including transmitting your messages, enabling calls, and displaying your stories to contacts • Authenticate your identity when you log in or perform sensitive account actions, and protect your account from unauthorised access • Send you account-related communications such as email verification links or codes, password reset links, and important service notices • Send message, call, group, and mention notifications according to your notification settings and device/browser permissions • Detect, investigate, prevent, and take action against fraud, abuse, spam, harassment, and violations of our Terms of Service and Community Guidelines • Monitor and improve platform performance, fix bugs, and develop new features based on aggregated and anonymised usage patterns • Comply with applicable legal obligations, including responding to lawful requests from government authorities where required • Respond to your support requests, bug reports, and other inquiries submitted through the app or by email We do not use private message content for advertising or profiling. The Stitch web app displays third-party ads in limited app surfaces; the native mobile apps are intended to remain ad-free. We do not sell your personal information.
We do not sell your personal information. We share information only in the limited circumstances described below: WITH OTHER USERS Your username, display name, profile photo, messages, reactions, call history entries, stories, group activity, and other content you choose to share are visible to the people who can access the relevant chat, group, story, profile, or call. SERVICE PROVIDERS We use service providers to operate Stitch, including cloud hosting, authentication, storage, push notification, call/media infrastructure, security, support, GIF/search integrations, analytics, and web advertising where the web app displays ads. These providers may process data only as needed to provide their services to Stitch, subject to their terms and privacy practices. LEGAL REQUIREMENTS & SAFETY We may disclose account information, metadata, stored content, report evidence, or other data if required by valid legal process, or when we believe disclosure is reasonably necessary to comply with law, protect someone's safety, prevent fraud or abuse, enforce our Terms, or protect Stitch's rights and security. Because Stitch currently uses standard encryption and not end-to-end encryption, message content may be available to Stitch in the limited circumstances described in this policy. BUSINESS TRANSFERS If Stitch is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will provide notice where required by law.
Stitch uses standard encryption to protect data in transit and at rest. Data sent between your device and Stitch services is protected using HTTPS/TLS where applicable. Stored message content and media are protected by encryption at rest provided by our infrastructure and storage providers. Stitch is not currently end-to-end encrypted. This means Stitch systems and authorized personnel may be able to access stored content for limited operational, safety, support, debugging, abuse investigation, and legal compliance purposes. We do not use private message content for advertising or profiling. Voice and video calls use standard real-time transport security, including WebRTC/LiveKit transport protections such as TLS and DTLS-SRTP where applicable. Stitch does not record or store call audio or video, but live call media may be processed transiently by media infrastructure to connect participants. If you submit a report, you authorize Stitch to receive and review the report evidence submitted from your device. Report evidence is used for safety review, enforcement, appeals, and legal compliance where required.
We retain information for as long as needed to provide Stitch, comply with legal obligations, resolve disputes, enforce our agreements, prevent abuse, and maintain security. - Messages and chat media: retained while needed to provide messaging, delivery, sync, conversation history, deletion features, disappearing-message timers, moderation, and legal compliance. They may be deleted when users delete content, when disappearing-message timers expire, when accounts are deleted, or under other product deletion flows. - Disappearing messages: eligible new messages and media are scheduled for removal after the selected timer of 24 hours, 7 days, or 90 days, subject to normal technical limits such as offline devices, local copies, screenshots, notifications, backups, and report evidence. - Stories: intended to expire after 24 hours. - Call metadata: retained while your account is active to power call history and callbacks; deleted upon account deletion unless retention is required for safety, security, or legal reasons. - Account and profile data: retained until account deletion or until you update/remove the data. - Usage, device, and technical data: retained as needed for security, fraud prevention, debugging, analytics, and legal compliance. - Backups: deleted data may remain in backups for a limited period before being overwritten according to backup cycles.
In the interest of full transparency — and in accordance with the requirements of GDPR, CCPA, and other applicable privacy laws — the following is a precise breakdown of every category of personal data Stitch collects, the specific purpose for collecting it, who it is shared with, and how long it is retained: IDENTIFIERS (Account Data) What: Display name, username, and email address Why: To create and authenticate your account, verify your email address, send security communications, and enable other users to find you by username Shared with: Your username and display name are visible to contacts you communicate with. Your email is never shared with other users. Retention: Until account deletion PROFILE CONTENT What: Profile photo, display name, bio or status text Why: To allow your contacts to identify you within the app and to display your profile when others view it Shared with: Visible according to your privacy settings and block controls. People you block should not see profile photo updates, online/last-seen signals, or stories from you. Retention: Until updated or account deleted MESSAGE METADATA What: Who sent a message to whom, timestamp, message type (text, image, voice note, etc.), delivery status, and read receipt status Why: To route and deliver messages, display delivery and read status, and maintain your conversation history Shared with: The message sender and recipient(s) only Note: Message content is protected with standard encryption in transit and at rest. Authorized personnel may review stored content under documented internal controls for the limited purposes described in Section 5. Retention: Metadata retained while your account is active; deleted upon account deletion CALL LOGS What: The identifiers of the caller and recipient, call type (voice or video), start time, call duration, and outcome (answered, missed, or cancelled) Why: To display your call history in the Calls tab and allow you to call back Shared with: The other participant in the call only Note: Stitch does not record or store call audio or video; live media may be processed transiently by call infrastructure to connect participants. Retention: While your account is active; deleted upon account deletion STORY DATA What: The story content (photo, video, text, or link), the timestamp, and the list of contacts who viewed it Why: To display your stories to contacts and show you viewer counts and lists Shared with: Story content visible to eligible contacts, excluding people you hide stories from or fully block; viewer lists visible only to you Retention: Automatically deleted 24 hours after posting GROUP & MENTION METADATA What: Group membership, admin roles, group messaging permissions, mention targets, and related timestamps Why: To route group messages, enforce group settings, show mentions, open tagged profiles, and respect mention notification preferences Shared with: Relevant group members as needed for group functionality Retention: While the group or your account remains active, unless deleted earlier through product flows TECHNICAL & DEVICE DATA What: IP address, device type and model, operating system and version, browser type and version, session identifiers Why: To maintain account security, detect unauthorised access, prevent fraud and abuse, and debug technical issues Shared with: Not shared with any third party Retention: Up to 90 days, then permanently purged NOTIFICATION TOKENS & PREFERENCES What: Mobile push tokens, browser push subscriptions, and notification preferences for messages, groups, and mentions Why: To deliver notifications you enable and suppress notifications you disable Shared with: Push notification providers only as necessary to deliver the notification Retention: Until disabled, replaced, expired, or your account is deleted USAGE DATA (Aggregated & Anonymised) What: Which features are used, frequency of use, error and crash reports, performance metrics Why: To improve Stitch, prioritise bug fixes, and understand how features are used at an aggregate level Note: This data is aggregated and cannot be linked back to your individual account or identity Shared with: Not shared with third parties Retention: Up to 90 days WHAT WE DO NOT COLLECT • We do not collect your device contacts list or phone book • We do not collect your GPS location or precise geolocation data • We do not read message content for advertising, profiling, or algorithmic ranking; access is limited to the documented purposes in Section 5 (debugging, abuse investigation, legal compliance) • We do not collect financial information of any kind • We do not build advertising profiles based on your behaviour or content • We do not track your activity across other websites, apps, or services outside of Stitch
The Stitch web application displays advertisements provided by Adsterra in limited app surfaces such as chats list, stories, calls, contacts, or settings. The native iOS and Android apps are intended to remain ad-free. Adsterra and related ad scripts may use cookies or similar technologies to deliver and measure ads according to their own policies. Stitch does not provide private message content to advertisers and does not use private message content for ad targeting. Ads should not appear inside an open private conversation.
Depending on your location and applicable law, you may have the following rights regarding your personal information. We are committed to facilitating the exercise of these rights promptly and without unnecessary barriers. RIGHT TO ACCESS You can view most of your account information directly within the Stitch app under Settings → My Profile. For a more comprehensive export of data we hold about you, contact us at support@stitchmessaging.com. RIGHT TO CORRECTION You can update your display name, username, profile photo, and bio at any time through Settings → Edit Profile. For other corrections, contact our support team. RIGHT TO DELETION You can delete your account at any time through Settings → Deactivate Account. Initiating account deletion triggers the permanent deletion of your personal data from our systems in accordance with the retention schedule described in Section 6. PRIVACY CONTROLS WITHIN THE APP Stitch gives you direct, immediate control over key privacy settings without needing to contact us: • Who can see your last seen / online status (Everyone / Contacts Only / Nobody) • Whether read receipts are shown to others • Which specific users are blocked from messaging, calling, or viewing your stories • Which users are hidden from your stories specifically • Whether you receive group message and group mention notifications CALIFORNIA RESIDENTS California residents have rights under the CCPA and CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale of personal information. See Section 15 of our Terms of Service for full details. Contact support@stitchmessaging.com with the subject "CCPA Privacy Request" to exercise these rights. EU/EEA/UK RESIDENTS If you are located in the EU, EEA, or UK, you have extensive rights under GDPR and UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. See Section 17 of our Terms of Service for full details. Contact support@stitchmessaging.com to exercise any of these rights. We will respond within 30 days.
Stitch is not intended for or directed at children under the age of 13. We do not knowingly collect, solicit, or retain personal information from children under the age of 13. During account registration, we require users to confirm their date of birth, and we deny account creation to anyone who indicates they are under 13 years old. If we become aware — through any means — that a child under 13 has created an account or provided us with personal information without verified parental consent, we will take prompt steps to terminate the account and delete the associated personal information from our systems. In the European Union and certain other jurisdictions, the minimum age for digital services may be higher than 13 — up to 16 depending on national law. Please refer to the regional sections in our Terms of Service for details applicable to your country. If you are a parent or guardian and believe that a child under the applicable minimum age in your jurisdiction is using Stitch without your knowledge or consent, please contact us immediately at support@stitchmessaging.com. We will investigate and take appropriate action as quickly as possible.
We take security seriously and use reasonable technical and organizational safeguards, including: - Standard encryption in transit using HTTPS/TLS where applicable - Encryption at rest provided by our infrastructure and storage providers - Access controls and Firestore security rules for database reads and writes - Password handling through authentication providers designed not to store plain-text passwords - Monitoring, debugging, and abuse-prevention workflows - Email verification and account-protection features No system is perfectly secure. You are responsible for protecting your device, account credentials, and any content you choose to share. If you believe your account has been compromised or you discover a vulnerability, contact support@stitchmessaging.com.
Stitch uses cookies, local storage, IndexedDB, and similar browser storage technologies for login sessions, cached app state, notifications, media handling, security, debugging, and performance. The web app may also load third-party advertising scripts that use cookies or similar technologies to deliver and measure ads. You can clear cookies and local storage in your browser settings. Doing so may log you out, clear cached app data, and disable some web features until you sign in again.
Stitch operates as a global service, which means your information may be stored, processed, and transferred to countries other than your own. Some of these countries may have data protection laws that differ from those in your home country. When we transfer personal data internationally — particularly transfers from the EU, EEA, or UK to countries that the European Commission has not recognised as providing an adequate level of data protection — we rely on appropriate and legally recognised safeguards to protect your information. These safeguards include Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognised by the UK Information Commissioner's Office. By using Stitch, you understand and acknowledge that your information may be transferred to and processed in countries outside your own jurisdiction. We take our responsibility to protect that information seriously regardless of where it is processed, and we ensure that any international transfer is governed by appropriate contractual protections. If you have questions about international data transfers or wish to obtain a copy of the safeguards we rely on, please contact us at support@stitchmessaging.com.
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, applicable legal requirements, or other legitimate reasons. When we make changes that we consider material — meaning changes that meaningfully affect how we handle your personal information or your rights — we will notify you through the app or via your registered email address at least 7 days before the changes take effect. For changes that are less significant, such as clarifications or formatting updates that do not alter our actual data practices, we may update the policy without providing advance notice, though the "Last Updated" date at the top of this page will always be revised to reflect the most recent change. Your continued use of Stitch after any changes to this Privacy Policy have taken effect constitutes your acceptance of the updated policy. If you do not agree with any material changes, you should stop using Stitch and delete your account before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
If you have any questions, concerns, or requests related to this Privacy Policy or to the way Stitch handles your personal information, we want to hear from you. Transparency and accountability are core to how we operate, and we take all privacy inquiries seriously. To contact us about privacy: Email: support@stitchmessaging.com Subject line: "Privacy Request" — please include this in your subject line so your inquiry reaches the right team When submitting a privacy request, please include your registered email address or Stitch username so we can locate your account and respond accurately. For formal rights requests (such as data access, erasure, or portability requests under GDPR or CCPA), we may ask you to verify your identity before processing the request to protect your account security. We aim to respond to all privacy inquiries within 30 days of receipt. In complex cases, particularly those involving formal GDPR rights requests, we may take up to an additional 60 days, and we will notify you of any extension and the reason for it within the initial 30-day window.