How to reach us
Email [email protected]. That single address routes everything — bugs, feature requests, GDPR data-subject requests, security disclosures, and general questions.
owned is a single-operator hobby project, so the response time is typically one to three business days. If a week passes without a reply, please re-send — it almost certainly means your first mail was caught in spam filtering on our side.
Security disclosures
Vulnerability reports are taken seriously and get a same-day acknowledgement during weekdays. Please send them to the same address with [SECURITY] at the start of the subject line, e.g.:
Subject: [SECURITY] PQXDH bundle signature verify gap
For threats serious enough to warrant encrypted transit, mention that in the first message and we’ll exchange a PGP key or set up an owned-to-owned channel before any technical detail is shared.
Coordinated disclosure works the way you would expect: we ship a fix, you publish your write-up, and we credit you in the release notes if you want credit. Public disclosure before a fix lands is fine for already-public findings; please give us a reasonable window for novel issues.
Account recovery
If the app won’t unlock — Face ID rejected, biometric enrollment changed, device migrated, restore from backup — the 24-word recovery phrase you transcribed at onboarding is the recovery path. On the unlock screen, tap “Use recovery phrase” and enter the words. The phrase re-derives every key the app needs.
There is no operator-mediated recovery. The relay holds no key material, no escrow, and no way to reset your account; the security model depends on that. If the recovery phrase is lost as well as the device, the account is gone — please write the words down somewhere durable.
Data-subject requests (GDPR)
Access, erasure, portability, and the other rights spelled out in the privacy notice are exercised through the same support address. Please include your hex recipient token (Settings → account info in the app) so we can identify the rows tied to your install — we hold no other identifying data.
What we can’t help with
We don’t hold message content, the contact graph, or any plaintext on the server, so we can’t recover lost conversations, restore deleted media, or read a contact’s messages on your behalf. Those properties are the whole point of the security model.