Scratch that

Privacy

Last updated 16 July 2026

We can't read your messages and we can't see your photos. Not "won't" — can't. Here is exactly how that works.

No data reaches us

Scratch that has no accounts, no sign-in, no analytics, and no third-party SDKs. We don't run a server that your messages pass through. There is no profile of you anywhere, because there is nothing collecting one.

The words you send

A text card travels inside your iMessage thread, carried by Apple's Messages — end-to-end encrypted by iMessage the same way any of your messages are. The line is encoded in the message itself; it never touches a server of ours.

Photos behind the foil

When you hide a photo, it is encrypted on your phone with AES-256 before it leaves the device. Only the encrypted result is uploaded — to Apple's CloudKit, in a public database record with no name attached to it.

Sealing

A card can be sealed shut until a moment you choose. The seal is enforced on the device; we are not told what you sealed, to whom, or when.

Reporting a photo

If someone sends you a photo you want gone, you can report it from inside the card. Reporting flags the encrypted cloud record for removal — we act on the report without ever being able to view the photo itself.

What is stored, and where

No third parties

We don't sell, share, or hand your data to anyone. There is no advertising, no tracking, and no analytics partner — there is no data to give.

Children

Scratch that is not directed at children under 13, and we knowingly collect no personal data from anyone.

Your rights

Because we hold no personal data about you, there is nothing for us to export or delete on request. Under the GDPR you keep every right regardless — and if you'd like to reach a human about any of this, email us below.

Changes

If this policy changes, the date at the top changes with it. Material changes will be reflected here before they take effect.

Contact

Mindact Solutions AB, Sweden — mathias@mindact.ai

‹ back