Privacy
Last updated 16 July 2026
We can't read your messages and we can't see your photos. Not "won't" — can't. Here is exactly how that works.
No data reaches us
Scratch that has no accounts, no sign-in, no analytics, and no third-party SDKs. We don't run a server that your messages pass through. There is no profile of you anywhere, because there is nothing collecting one.
The words you send
A text card travels inside your iMessage thread, carried by Apple's Messages — end-to-end encrypted by iMessage the same way any of your messages are. The line is encoded in the message itself; it never touches a server of ours.
Photos behind the foil
When you hide a photo, it is encrypted on your phone with AES-256 before it leaves the device. Only the encrypted result is uploaded — to Apple's CloudKit, in a public database record with no name attached to it.
- The key that can decrypt the photo rides only inside the message you send, and nowhere else. It never touches the cloud. So only the person you sent the card to can open it.
- We cannot decrypt it. Apple cannot decrypt it. There is no copy of the key on any server.
- The encrypted photo auto-expires and is swept from the cloud within 30 days. Once your recipient has opened it, their own copy is kept privately on their device so the card keeps working.
Sealing
A card can be sealed shut until a moment you choose. The seal is enforced on the device; we are not told what you sealed, to whom, or when.
Reporting a photo
If someone sends you a photo you want gone, you can report it from inside the card. Reporting flags the encrypted cloud record for removal — we act on the report without ever being able to view the photo itself.
What is stored, and where
- On our servers: nothing. We don't have one for your content.
- In Apple's CloudKit: the encrypted photo blob, unreadable without the key, for up to 30 days.
- On your device: your drafts, and photos you've opened — protected by iOS file encryption, readable only when your phone is unlocked.
No third parties
We don't sell, share, or hand your data to anyone. There is no advertising, no tracking, and no analytics partner — there is no data to give.
Children
Scratch that is not directed at children under 13, and we knowingly collect no personal data from anyone.
Your rights
Because we hold no personal data about you, there is nothing for us to export or delete on request. Under the GDPR you keep every right regardless — and if you'd like to reach a human about any of this, email us below.
Changes
If this policy changes, the date at the top changes with it. Material changes will be reflected here before they take effect.
Contact
Mindact Solutions AB, Sweden — mathias@mindact.ai
‹ back