SemaFore

Privacy Policy

How SemaFore collects, uses, and protects personal data.

SemaFore is a product of Attomus Limited (“Attomus”, “we”, “us”). This policy explains what personal data SemaFore collects, why it collects it, how it is protected, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Attomus Limited is the data controller for personal data processed through SemaFore. Registered in England and Wales, company number 06517654. ICO registration reference ZA718457. 23 Berkeley Square, Mayfair, London W1J 6HE. hello@attomus.com


Where your data lives

SemaFore is built on a deliberate principle: personal data processed by the service stays inside the Attomus boundary, with only narrow technical exceptions. Our server infrastructure runs from our own datacentres in Coventry, United Kingdom. The databases that hold your account information, organisation membership, and audit log entries, the object storage that holds your encrypted file ciphertext, and the queues that relay encrypted message ciphertext between your devices all reside in those datacentres under our direct operational control.

We do not share personal data with third parties for their commercial purposes, and we do not sell, rent, or licence personal data.

Three narrow technical exceptions to the in-boundary rule exist — mobile push notification delivery, SMS one-time passcode delivery, and (for organisations on a paid plan) payment processing. Each is described in detail in “When data flows outside the Attomus boundary” below. Outside those specific exceptions, your personal data does not leave the United Kingdom and does not leave Attomus.

Attomus is a UK company. SemaFore’s customers are predominantly UK organisations. Our infrastructure decisions reflect that.


The architecture and what it means for your data

SemaFore is designed so that message content never exists in plaintext on any Attomus-operated system. Every message is encrypted on the sender’s device before transmission using the Signal Protocol (X3DH key agreement and Double Ratchet forward secrecy). The server routes ciphertext. It holds no decryption keys and has no mechanism to read message content.

This is not a policy commitment. It is an architectural constraint. Attomus cannot read your messages. Neither can anyone who operates the SemaFore server infrastructure on your behalf.

What this policy covers is the data that does pass through our systems in plaintext: account identifiers, platform activity metadata, and the technical records necessary to operate a reliable messaging service.


What we collect and why

Account and identity data

Phone number. Required to create an account. Used to issue one-time passcodes (OTP) for authentication. Stored as the primary account identifier within your organisation’s namespace. We do not use phone numbers for marketing.

Organisation name and identifier. Required to create an organisation on the platform. Used to scope all data and access controls within your deployment.

Display name. Provided by the user during sign-up. Shown to other members of your organisation within the platform. You can change your display name at any time within the application.

Contact email address. Optionally provided during organisation setup. Held against the organisation record for future administrative correspondence. SemaFore does not currently send transactional emails; if email-based communications are introduced in future, this policy will be updated before that change is enabled.

Legal basis: Performance of a contract (providing the SemaFore service).

Device and session data

Device identifier. A platform-generated identifier assigned when a mobile device registers with your organisation. Used to route encrypted messages to the correct device and to manage device revocation. Not a hardware identifier — it is generated by the SemaFore application.

Push notification token. Issued by Apple (APNs) or Google (Firebase Cloud Messaging) for your registered device. Used to deliver wake-up signals when a new message is queued for your device. The push payload does not contain decrypted message content. It includes routing identifiers — organisation, thread, sender reference — that the operating system uses to display the notification and route you into the correct in-app location. Message text and file contents are never transmitted via push.

Session JWT. A signed token issued on successful authentication. Valid for a fixed period. Contains your organisation ID, role, and device ID. The token itself is not retained server-side beyond issuance; we log authentication events (see below) but not the issued token.

Two-factor authentication data. Admin users may enrol in time-based one-time password (TOTP) two-factor authentication. The TOTP secret is encrypted at rest. Recovery codes are stored only as hashes. We store timestamps for enrolment and last verification events to support account security and auditability.

Legal basis: Legitimate interests (operating a secure, reliable messaging service).

Use of your device’s contact picker

The SemaFore mobile applications offer an in-app feature to select a single phone number from your device’s contact picker when inviting someone to your organisation. This uses the operating system’s native contact picker, which returns only the phone number you explicitly select. Attomus does not receive your address book contents, does not import contacts in bulk, and does not store contact data on our systems beyond the single phone number used to send the specific invitation you chose to issue.

Platform activity metadata

The SemaFore server maintains an audit log of platform events. Logged entries include:

  • Authentication events (login, logout, OTP request)
  • Device registration and revocation
  • User management actions (member added, role changed, member removed)
  • Group creation and membership changes
  • Broadcast sends (sender identity, timestamp, recipient count — not content)
  • File transfer events (file reference ID, timestamp — not file content)

These records are accessible to your organisation’s administrators via the portal. They are used to support platform governance, security review, and compliance obligations. They do not include message content, file content, or any decrypted material.

Legal basis: Performance of a contract (delivering the platform’s governance features to organisation administrators) and Legitimate interests (platform security and integrity).

Technical operational data

Standard server logs (IP addresses, request timestamps, HTTP status codes) are retained for up to 30 days for infrastructure security and abuse prevention. These logs are not linked to user identities in routine operation.

Legal basis: Legitimate interests (infrastructure security and abuse prevention).

Billing data (paid organisations only)

If your organisation moves from evaluation access to a paid plan, billing data — organisation name, billing email address, payment method details, subscription status — is processed through our payments processor (see “Third-party processors” below). Attomus retains a subscription record keyed to your organisation ID; payment method details are held by the processor and never reach Attomus systems.

Legal basis: Performance of a contract.


What we do not collect

  • Message content. Ever. See the architecture section above.
  • File content. Files are encrypted client-side before upload. The server stores ciphertext.
  • Location data.
  • Contact lists or address book entries. See the contact-picker section above for the only narrow exception, which is mediated by the operating system rather than by SemaFore.
  • Browsing history from other websites or apps.
  • Any data from children under the age of 13. SemaFore is rated 13+ on App Store and Google Play. We do not knowingly collect personal data from anyone under 13. The 13+ threshold is the UK GDPR age of consent for information society services. Users aged 13 to 17 join SemaFore by invitation from an organisation administrator; that administrator is responsible for ensuring any required parental or guardian consent is in place under their local rules.

When data flows outside the Attomus boundary

The defining principle of SemaFore is that personal data does not leave Attomus’s UK infrastructure. The exceptions to this rule are listed below, organised by category. Each is genuinely narrow: either it is unavoidable because of how mobile platforms work, or it is a specialist service whose scope is tightly defined.

Mobile platform infrastructure

Push notifications on iOS go through Apple Push Notification Service. Push notifications on Android go through Google Firebase Cloud Messaging. These are platform-level services operated by the makers of your phone’s operating system; using them is unavoidable for any mobile app, in the same sense that you cannot make a mobile phone call without your mobile carrier. We treat APNs and FCM as platform infrastructure rather than as commercial third-party relationships of Attomus.

The data sent to these services is limited to what is necessary to route a notification: a device push token issued by Apple or Google to your device, plus routing identifiers (organisation, thread, sender reference). Message text and file contents are never transmitted via push.

Specialist external services

Three specific service functions are delivered through external providers. Each has a tightly bounded scope; outside those bounds, no data flows to them.

SMS one-time passcode delivery. When you request a sign-in code, the SMS itself is delivered through a specialist SMS gateway. The gateway receives your phone number and the SMS body for the duration of delivery only; nothing else is transmitted, and no further data flows after the message is delivered. We currently use Twilio (United States). Migration to a UK-based SMS provider is actively planned; this section will be updated when that migration ships.

Payment processing for organisations on a paid plan. Free-tier and trial organisations have no data flowing to payment infrastructure at all. Organisations on a paid plan have billing data — organisation name, billing email address, payment method details — processed by our payments provider. We currently use Stripe (United States, with EU/UK processing routed via Stripe Payments Europe Ltd, Ireland). Migration to GoCardless (United Kingdom) is actively planned; this section will be updated when it ships.

Cloudflare’s role

SemaFore’s public static web pages are hosted on Cloudflare Pages. These pages do not contain message content, file content, or operational service data. Cloudflare also provides edge protection for public SemaFore hostnames, including DDoS resilience and TLS termination.

In these roles, Cloudflare sees network metadata — IP addresses, request paths, response codes — needed to serve pages and protect traffic. Cloudflare does not have access to message content, file plaintext, or decryption keys. Message and file content is encrypted on user devices before transmission and remains encrypted at rest and in flight.

Encrypted file storage

Encrypted file ciphertext is stored on Attomus-controlled S3-compatible object storage running on Attomus-owned hardware in the Coventry datacentre pair. File contents are encrypted on your device before upload, and the encryption keys never leave devices. The storage backend holds opaque encrypted blobs that it has no mechanism to decrypt.

What this means in summary

Beyond the categories above and the cookie-less visitor analytics described below, no personal data is shared with any third party. We do not sell, rent, or licence personal data for any commercial purpose.

SemaFore does not send transactional or marketing emails. Account authentication uses SMS one-time passcodes, and in-app push notifications cover platform communications. We do not currently operate any email-delivery service for sending messages to our users.

Lawful basis for international transfers

Where personal data is transferred outside the United Kingdom — to Twilio, Apple, Google, Cloudflare, and Stripe in the United States — the lawful basis for the transfer is one or more of: the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or the UK Extension to the EU-US Data Privacy Framework. Stripe’s EU/UK processing is via Stripe Payments Europe Ltd, Ireland, an adequate-decision jurisdiction.


Data retention

Retention period by data type:

  • Account and identity data: For the life of the account. Deleted within 30 days of account or organisation deletion. Backups containing prior states may be retained for up to 90 days from deletion before being overwritten.
  • Device identifiers and push tokens: For the life of the device registration. Deleted on device revocation or organisation deletion.
  • Two-factor authentication secrets: For the life of the user’s TOTP enrolment. Cleared on disable.
  • Two-factor authentication recovery codes (hashed): For the life of the user’s TOTP enrolment. Replaced on regenerate.
  • Two-factor authentication event timestamps: Audit log retention (12 months default).
  • Audit log entries: Retained for 12 months by default. Configurable per organisation (shorter only).
  • Encrypted message ciphertext (in transit / pending delivery): Drained on delivery to all recipient devices. Undelivered entries deleted after 7 days.
  • Encrypted file ciphertext (Attomus-controlled object storage): Retained per your organisation’s configured file retention period (default 30 days; configurable shorter or up to 365 days by organisation administrators). Expired files are removed and cannot be recovered.
  • Server operational logs: 30 days.
  • Billing records: Retained for 7 years from end of contract for tax and audit compliance, in line with UK statutory requirements.

Your rights under UK GDPR

You have the right to:

  • Access the personal data Attomus holds about you.
  • Rectification of inaccurate personal data.
  • Erasure (“right to be forgotten”) — subject to our legal obligations to retain certain records, including billing records as noted above.
  • Restriction of processing in specific circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.

To exercise any of these rights, contact us at hello@attomus.com with “Data Rights — SemaFore” in the subject line. We will respond within 30 days. For complex requests, we may extend this by a further 60 days with notice. For your protection, we may ask for additional information to verify your identity before fulfilling a request — this protects against unauthorised disclosure of your data to someone else.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data lawfully: ico.org.uk.


Security and breach notification

We follow industry-standard practices for the protection of the personal data we process: encryption of data in transit (TLS 1.2 or above for all client-server traffic), encryption of message content end-to-end on device, separation of message ciphertext from key material (we never hold both), role-based access controls within Attomus for any operational access to the production environment, and continuous audit logging of platform events.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Attomus will notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to those individuals.


Cookies and analytics

The SemaFore portal uses a single session cookie to maintain your authenticated session. This cookie is:

  • Scoped to portal.semafore.io only.
  • Marked HttpOnly and Secure (not accessible to JavaScript; transmitted over HTTPS only).
  • Used only to maintain your portal session.
  • Set to expire on logout or after 24 hours of inactivity.

The SemaFore mobile applications do not use cookies.

Contact form submissions are sent to an Attomus-operated form endpoint at forms.attomus.com. The endpoint forwards your message to Attomus for handling.

The semafore.io marketing website uses simple in-house, cookie-less analytics to understand aggregate site traffic. This runs inside the Attomus boundary.

If the contact form’s anti-spam challenge is enabled, it is provided by Cloudflare Turnstile. Turnstile receives only the data required to evaluate the abuse-challenge response.


Changes to this policy

If we make material changes to this policy, we will update the date below and, where appropriate, notify affected users by email or via the platform.


Contact

Questions or requests regarding this privacy policy:

Attomus Limited
hello@attomus.com
+44 20 3026 6250
23 Berkeley Square, Mayfair, London W1J 6HE

Last updated: May 2026