Privacy Policy

Last updated: March 4, 2026

1. Introduction

Borgi ("we", "our", or "the app") is a Mastodon client for Android and iOS developed by Gelotto. This Privacy Policy explains how Borgi handles your information.

Borgi is a client application — it connects to Mastodon instances operated by third parties. We do not operate a Mastodon server and do not control the data policies of any Mastodon instance you choose to use.

2. Data We Collect

Borgi collects and stores the following data locally on your device:

• Authentication tokens — OAuth access tokens for your Mastodon accounts, stored in the platform's secure keychain (Android Keystore / iOS Keychain).
• Cached content — Timeline posts, notifications, and account data are cached in a local SQLite database to improve performance. This cache can be cleared at any time by signing out.
• App preferences — Theme, visibility defaults, and other settings stored in SharedPreferences.
• Push notification keys — ECDH key pairs generated on your device for encrypting push notifications. The private key never leaves your device.

3. Data We Do NOT Collect

• We do not collect personal information beyond what is necessary to connect to your Mastodon account.
• We do not track your browsing activity, reading habits, or interactions within the app for advertising purposes.
• We do not sell, rent, or share your data with third parties for marketing.

4. Third-Party Services

Borgi uses the following third-party services:

• Firebase Crashlytics — Collects anonymous crash reports to help us fix bugs. Crash reports may include device model, OS version, and stack traces. No personally identifiable information is included. Crashlytics is disabled in debug builds.
• Firebase Cloud Messaging (FCM) — Used to deliver push notifications to your device. FCM requires a device token managed by Google (Android) or Apple (iOS). We do not use FCM for tracking.
• Firebase Analytics — Used solely for anonymous screen-level usage metrics (e.g., which screens are visited). No personal data or content is tracked.
• Firebase Performance Monitoring — Collects anonymous performance metrics (app startup time, network latency) to help us improve the app.
• Mastodon instances — All posts, follows, interactions, and account data are sent to and stored by the Mastodon instance you choose. Refer to your instance's privacy policy for details.

5. Push Notification Data Flow

When push notifications are enabled:

• Your Mastodon instance encrypts the notification payload using a public key generated on your device.
• The encrypted payload is sent to our lightweight relay server (push.borgi.gelotto.io), which forwards it to FCM for delivery.
• The relay server does not store, log, or decrypt notification payloads. It acts as a stateless pass-through.
• Decryption happens on your device using the private key that never leaves your device.

6. Data Storage and Security

• Authentication tokens are stored in the platform's secure keychain.
• Cached content is stored in a local SQLite database on your device.
• All communication with Mastodon instances uses HTTPS.
• Push notification payloads are end-to-end encrypted.

7. Your Rights

• Delete your data — Signing out of Borgi removes all cached data and tokens for that account from your device. Uninstalling the app removes all local data.
• Account deletion — To delete your Mastodon account and all associated data, use your Mastodon instance's account deletion feature. Borgi does not store your data on any server.
• Disable push notifications — You can unsubscribe from push notifications in Borgi's settings at any time. This removes the push subscription from your Mastodon instance.

8. Children's Privacy

Borgi does not knowingly collect information from children under 13. Mastodon instances may have their own minimum age requirements.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the app after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy, contact us at admin@gelotto.io.