Privacy

Last updated: May 11, 2026

The short version

Chro is a focus tool. It does not watch your browsing. Our servers cannot tell which URLs you visit, and we don’t want to. This page describes exactly why that’s true.

What Chro does

Chro is an iOS app that configures Apple’s URL Filter API to block specific URLs in supported social apps (for example, the For You timeline in X). The filter runs entirely on your device. The list of URLs to block is shared across all Chro users and lives on our server.

How URL lookups work without us seeing them

Apple’s URL Filter API was built so that the server providing the block list cannot learn which URLs are being checked. Chro uses the architecture Apple specifies:

1. On-device bloom filter. Your iPhone downloads a small data structure that lets it quickly decide whether a URL might be in the block list. Most URLs are answered locally and never reach our server.
2. Private Information Retrieval (PIR). When the bloom filter says “maybe,” your iPhone constructs an encrypted query that asks the server “does this hash appear in your block list?” The encryption uses homomorphic encryption: the server can compute an answer without ever decrypting the query.
3. Oblivious HTTP (OHTTP). The encrypted query is wrapped in another encryption layer and sent through an Apple-operated relay. The relay sees who’s asking but not what they’re asking. Our server sees the question but not who’s asking.

The result: neither Chro nor Apple can correlate “who” with “what.” This is enforced by cryptography and by Apple’s infrastructure, not by our promise.

What we actually receive

Our server receives encrypted PIR queries via Apple’s OHTTP relay. We have no way to decrypt them to reveal which URL was asked about. We also receive standard HTTP-layer metadata (request size, timestamps) that comes with operating any server.

Our server logs request counts and approximate response times for capacity planning. These logs do not contain identifiers that we could tie back to you.

What we don’t collect

• Your browsing history.
• Which apps you use, when, or for how long.
• Your name, email (unless you mail us), phone number, contacts, or location.
• Advertising or tracking identifiers (no IDFA, no fingerprinting).
• Third-party analytics SDKs.

If you email us

If you write to [email protected], your email address and the contents of your message are stored in our mailbox so we can reply. We don’t add you to a marketing list. We delete support emails after about a year.

Subprocessors

Operating Chro requires a few infrastructure providers. None of them receive plaintext URL data:

• Apple. Operates the App Store, the URL Filter API, and the Oblivious HTTP relay that sits between you and our server.
• Fly.io. Hosts our PIR server, Privacy Pass issuer, and OHTTP gateway. Receives encrypted queries, not URLs.
• Cloudflare. Operates DNS for trychro.com and hosts this website. Cloudflare does not sit in the path of URL lookups.

Subscriptions

If and when Chro adds paid features, payment is handled entirely by Apple via the App Store. We receive Apple’s anonymized subscription state (active / cancelled / refunded) and an opaque transaction identifier. We never receive your credit card number or full Apple ID.

Children

Chro is not directed at children under 13. If a child uses Chro, the architecture above still applies — we don’t learn what they do.

Your rights

Because we don’t hold personal data tied to you, there is generally nothing to access, correct, or delete. If you’ve emailed us and want that record deleted, write to [email protected] and we’ll handle it.

Changes

If we change this policy in a meaningful way, we’ll update the date at the top and note the change in a release announcement.

Contact

Questions? [email protected].