Privacy at Howdlo
Plain English, no lawyer-speak. Effective July 2, 2026.
Howdlo ("Hang Out, Write, Drop Lines Online") is a messaging app. Our business is hanging out — not advertising. We don't sell your data, we don't run ads, and we don't embed third-party trackers or analytics SDKs. This page describes exactly what we collect and why.
What we collect
Your email address
Used once per sign-in to send a one-time login code, and kept on your account so you can sign back in. Your user id is derived from it cryptographically — other users never see your email.
Your profile
Whatever you choose to add: a display name, an @username (with a public/private toggle), an avatar photo, and an optional phone number. The phone number is only used to match people who already saved you in their contacts; it is never shown publicly.
Your content
Messages (including photos and voice notes), Drops, polls, and collaborative sheets you post. Drops expire after 24 hours. Contacts you add manually (a name + phone) are stored for you alone — we never scrape your device's address book.
Device + anti-abuse data
A random device identifier stored on your device (so drafts and sessions survive reloads), and coarse hourly counters (which may include your IP address) used only for rate limiting and abuse prevention.
How your data moves
Encrypted in transit
Everything travels over HTTPS/WSS. Messages and media are stored on our servers so your history syncs across devices — Howdlo is not end-to-end encrypted today, and we won't pretend otherwise.
Calls and voice lounges are peer-to-peer
Voice/video call media flows directly between participants (WebRTC). Our servers only relay the small connection-setup signals and never store or inspect call audio or video.
Where it lives
Howdlo runs on Cloudflare (Workers, D1, R2, Durable Objects) — our hosting provider and only infrastructure processor. Login-code emails are delivered by Resend, our email provider, which sees your email address for that purpose only.
How long we keep it
Drops
Expire from every feed after 24 hours.
Messages
Stay in their conversation so participants keep their history — like email or SMS, messages you already delivered to others remain with those conversations even if you later delete your account. Messages you unsend or delete stop being visible to participants, but may be retained on our servers for a period of time for safety, compliance, legal, and operational purposes.
Sessions
Sign-in tokens last at most 60 days and can be revoked at any time (Sign out / Sign out all devices) — revocation takes effect immediately, server-side.
Your controls
Delete your account, in-app
You → Danger zone → Delete account. This immediately revokes every session and permanently removes your account, profile, contacts, Drops, and community memberships.
Block and report
Block anyone (their Drops and profile vanish from your feeds — they are never told) and report users or content; reports go to a moderation queue.
Share only what you want
The avatar, display name, and phone number are optional. Your @username can be set to private so only your contacts can find it.
Children
Howdlo is not directed to children under 13 (or the higher minimum age your country requires), and we don't knowingly keep accounts for them. If you believe a child is using Howdlo, contact us and we'll delete the account.
Changes + contact
If our data practices change, this page changes first and the effective date above moves. Questions, requests, or anything else: [email protected].
Howdlo — Hang out, write, drop lines online.