Messages are stored locally in an encrypted database on your device. They are transmitted directly between devices using WiFi Aware ‐ either directly to the recipient or relayed through other Bridgelink devices in the mesh. All messages are end-to-end encrypted using ECDH key exchange before transmission. Relay nodes that carry your messages cannot read them. No messages are sent to or stored on any external server.

Contacts are stored locally on your device. Bridgelink does not access your phone's system contacts. Contacts are added manually through the in-app pairing process, which requires both parties to be physically nearby and to verify a 6-digit PIN. Contact data never leaves your device to any server.

Android requires the Location permission to be granted before an app can use WiFi Aware or scan for nearby WiFi devices. Bridgelink uses this permission solely to enable peer discovery through WiFi Aware. Bridgelink does not read, record, store, or transmit your GPS coordinates or physical location at any point. Your location is never determined, stored, or shared by Bridgelink.

The camera permission is used exclusively for the optional Intruder Detection feature. When this feature is enabled, a silent front-camera photo is taken after a configurable number of failed unlock attempts. These photos are stored locally on your device only, with a maximum of 50 photos (older ones are automatically deleted). Photos are never transmitted anywhere. The feature is opt-in and can be disabled at any time in Settings.

Bridgelink supports optional fingerprint and biometric authentication as an app lock method. Biometric data is processed entirely by the Android operating system and the device's secure hardware (TEE/StrongBox). Bridgelink never has access to your actual biometric data ‐ it only receives a pass/fail result from the system. Your fingerprint or face data is never stored or transmitted by Bridgelink.

During the pairing process, each device advertises a randomly generated 3-word name (e.g., "apple-bridge-cloud") from a 2048-word list. This temporary name is used only for the duration of the pairing session and has no persistent link to your identity. Your chosen display name is only revealed after mutual PIN verification. No persistent device identifiers (such as IMEI or MAC address) are exposed to other users.

Your cryptographic identity keys are generated on your device and stored locally, encrypted using AES-256-GCM via the Android Keystore. The master encryption key never leaves the device's secure hardware. Your identity keys are never uploaded to any server. If you use the backup feature, your keys are included in an encrypted backup file stored to a location of your choosing (such as local storage or a file sharing app) ‐ Bridgelink does not upload backups anywhere automatically.

Bug reports are submitted voluntarily through the Bug Report page on this website ‐ not from within the app itself. The app makes no internet connections and sends nothing automatically. If you choose to submit a report, it is an entirely manual action you take on the website.

A bug report may include: your device model and Android version, the Bridgelink app version, a description of the issue you provide, and any diagnostic log data you choose to include. Reports do not include your messages, contact list, display name, encryption keys, or any personal communication data.

Bug reports do not require any identifying information. You may optionally provide an email address if you would like a follow-up response, but this is entirely at your discretion. If no email is provided, the report is anonymous.

Bug report data is stored securely and used solely for the purpose of identifying and fixing issues with the application. It is not shared with third parties, sold, or used for any purpose other than improving Bridgelink.

Bridgelink is not directed at children under the age of 13. Bridgelink's architecture is privacy-first by design ‐ there are no accounts, no servers, and no user data retained anywhere. This means there is no account to suspend or data to delete on a per-user basis. If you are a parent or guardian with a concern, we want to hear from you. If there is anything we can technically do to help that does not compromise the privacy principles the application is built on, we will consider it.

No. Bridgelink enforces in-person, face-to-face contact addition. To add someone as a contact, both devices must be physically within WiFi Aware range (approximately 5 metres) at the same time. During discovery, neither party sees the other's chosen name ‐ only a randomly generated three-word code (e.g. "piper-day-seven") chosen from a pool of over 8.5 billion combinations. Usernames are only revealed after both parties confirm a matching 6-digit PIN. There is no way for a stranger to reach someone on Bridgelink without physically meeting them and completing this mutual verification step. There are no search directories, no user IDs to guess, and no way to initiate contact remotely.

Bridgelink includes automatic detection of suspicious usernames and group names. If a username or group name appears to contain advertising-style content, the app flags it with a visible warning before the user proceeds. The user must explicitly acknowledge the warning and confirm in person before accepting. This directly prevents the "billboard" attack pattern where a bad actor advertises to unsuspecting nearby users.

Group messages from people who are not in your contacts are handled carefully. Unknown senders are displayed only as an anonymised identifier (a truncated cryptographic hash) rather than any name they have given themselves ‐ so they cannot self-identify as someone you trust. Crucially, their messages are not shown to you at all: because you have never exchanged encryption keys with them, the app has no way to decrypt their content, and nothing is displayed.

To read messages from any group member you have not yet met, you must add them as a contact in the normal way ‐ meeting in person, within physical proximity, and completing the same mutual key exchange and PIN verification used for individual contacts. Only after that exchange does the app hold the keys needed to decrypt their messages, and only then can you read their messages.

Messages from unknown senders are also rate-limited: no single unknown sender can send more than 25 messages to you in a 24-hour period, and the combined total from all unknown senders is capped. Any group member can additionally be ignored, hiding any future messages from them without notifying them.

Bridgelink includes a full app lock system. The app can be locked with a PIN (hashed using PBKDF2-SHA256 with 100,000 iterations), fingerprint or face biometric, a time-based authenticator code (TOTP), or any combination of these as two-factor authentication. Failed unlock attempts trigger escalating lockouts and, if enabled, a silent front-camera photograph of whoever is attempting access. A separate duress PIN can be set: entering it on the lock screen immediately and silently wipes all messages, contacts, and encryption keys, leaving the app appearing empty rather than alerting the person coercing access.

All contacts and messages are stored locally on the device. A parent or guardian with access to the device can review contacts and message history directly in the app. Because everything is local and there is no external account, there is no separate parental dashboard or remote management capability ‐ control is exercised through access to the device itself. The app lock feature means the device owner can also restrict access to the app with a PIN or biometric.