Proof of concept — demo environment, not production. No SLA, no emergency calling (no 911/112), data may be reset without notice. Calls will drop after ~50s as the app is in testing mode.
T9phone

What we store

Every field stored in the T9phone database, and an explicit list of what we never collect. No legalese — just the facts.

Account
Email address
Used for login, email verification, and password reset. Never shared.
Password
Stored as a bcrypt hash (cost 12). The plaintext is never written anywhere.
Nickname
6–12 letters. Determines your dial code. Visible to group members.
Account created
Timestamp of registration.
Failed logins
Count of consecutive failed login attempts. Cleared on successful login. Used to enforce a temporary lockout.
SIP credentials
SIP username
A random identifier used by your phone to register with the calling server.
SIP password
Stored AES-256-GCM encrypted. The plaintext exists only in memory during provisioning and is never logged.
Digest hash
An MD5 pre-image of username:realm:password, required by the SIP protocol for authentication. Not recoverable to the plaintext.
Groups
Group name & slug
The human-readable name and URL identifier.
Member cap
Maximum members allowed, set by the owner.
Membership
Which groups you belong to, your role (owner or member), and when you joined.
Active group
Your preferred group for resolving ambiguous dial codes. Optional.
Group audit log

Each group keeps an append-only log of membership events. Entries are stored only for groups you belong to and are deleted with the group.

Events recorded
Join, leave, kick, ban, unban, invite create/redeem/revoke/resend, nickname change, ownership transfer, member cap change.
Per entry
Event type, timestamp, actor (who did it), target (who it happened to).
Retention
Deleted when the group is deleted. Deleting your account removes you as actor/target but does not delete the group's log.
Invites
Token
Stored as a SHA-256 hash only. The plaintext token (in the invite URL) is never stored.
Invited email
If the owner addressed the invite to a specific email, that address is stored and enforced at redemption.
Use count
How many times a multi-use invite has been redeemed.
Expiry
Invite tokens expire after 7 days and are invalid after that.
Temporary tokens

These are stored only as hashes and deleted as soon as they are used.

Email verification
Hash of a one-time token emailed at registration. Expires after 24 hours.
Password reset
Hash of a one-time token emailed on reset request. Expires after 1 hour.
Sessions
Session store
Server-side, stored in Postgres. Your browser holds only an opaque session ID cookie.
Contents
Your user ID and CSRF token. Nothing else.
Expiry
Sessions expire after 30 days of inactivity.
What we never store
  • Call records — we do not log who called whom, when, or for how long.
  • Call audio — your voice never touches our server. Calls are routed peer-to-peer (see below).
  • IP addresses — your IP is not stored in the portal database. It may appear in transient server access logs managed by the hosting provider.
  • Device information — no user-agent strings, device IDs, or fingerprints are stored.
  • Location data — not collected at any point.
  • Presence or online status — we do not track when you are active.
  • Message content — T9phone has no messaging feature.
How calls are encrypted

T9phone uses ZRTP end-to-end encryption for all calls. ZRTP keys are negotiated directly between the two phones — T9phone's server handles SIP signalling only and is never in the audio path. This means T9phone cannot listen to, record, or decrypt any call, even if compelled to do so.

The TURN relay server (used to traverse carrier NAT) forwards encrypted RTP packets without decrypting them. It sees ciphertext only.

Deleting your data

You can permanently delete your account from the Account page. This erases your user record, SIP credentials, all groups you own, and removes you from any groups you are a member of. The deletion is immediate and irreversible.