@jurjen_heeck (A little advertising, please bear with me)

With our messenger “Ginlo” (@ginlo) we thought very long about this.

We also ask your permission to check if any of your contacts have Ginlo accounts. But we do it this way:

When someone creates a Ginlo account and provides contact information (they don’t have to, but they can) such as a phone or mobile number, we store that information on the server only for the briefest of times to confirm it (send a code to that mobile or email). Then we destroy it on our servers. Instead, we generate a `bcrypt`-hash with a salt out of that contact information (never reversible back to the contact data) and store it linked to this Ginlo account on the server.

If then someone else creates an account and they give us permission to check if any of their address book contacts exist on Ginlo, we create similar hashes for each mobile phone and email address from those contacts LOCALLY ON THE USER’S DEVICE and send only these bcrypt-hashes to the server.

The server then responds with the hash + account-guid if it could find any account matching that.

The server NEVER EVER stores those hashes from your address book (and even if it did, they are just hashes, meaning one-way only).

This way, you *can* (if you want) let Ginlo check if any of your contacts have a Ginlo account WITHOUT EVER HAVING TO FEAR that we save any of those contacts on the server. We don’t want that, because we have no tracking, no ads, no nonsense. Ginlo Private is free of charge. The company makes money with the “Ginlo Business”-Version where companies or businesses pay a monthly fee.

Of course, with this approach we cannot tell you “Hey, your contact ‘X’ has joined Ginlo” … but that’s a really cheap price to pay.

To us, you are definitely NOT the product. The product we sell is “Ginlo Business” (and yes, many business customers require a free private version because they want to be able to talk to their customers, and yes, the business version has a few more perks, but only mostly things businesses need)

@briankrebs
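
The lookup flow described in the post above, as an added sketch that is not Ginlo's code: the client hashes address book entries locally, the server keeps only hash-to-GUID pairs and answers with matches. PBKDF2 from the Python standard library stands in for bcrypt here; the single application-wide salt (needed so both sides produce comparable hashes), the normalization rule and all names are assumptions.

```python
import hashlib
import re
import uuid

# Assumption: one application-wide salt shared by client and server, so the
# same identifier always produces the same hash and can be matched.
APP_SALT = b"constructed-demo-salt"
ITERATIONS = 50_000  # cost factor for the stand-in KDF


def normalize(identifier: str) -> str:
    """Canonicalize so '+49 170 1234567' and '+491701234567' hash alike."""
    identifier = identifier.strip().lower()
    if "@" in identifier:
        return identifier
    return "+" + re.sub(r"\D", "", identifier)


def contact_hash(identifier: str) -> str:
    """Slow salted hash of a normalized identifier (PBKDF2 in place of bcrypt)."""
    data = normalize(identifier).encode()
    return hashlib.pbkdf2_hmac("sha256", data, APP_SALT, ITERATIONS).hex()


class DiscoveryServer:
    """Keeps only hash -> account GUID; no plaintext identifiers."""

    def __init__(self):
        self._accounts = {}

    def register(self, identifier: str) -> str:
        # Plaintext is used for this call only and is not kept.
        guid = str(uuid.uuid4())
        self._accounts[contact_hash(identifier)] = guid
        return guid

    def lookup(self, hashes):
        # Answer from the request alone; the submitted hashes are not stored.
        return {h: self._accounts[h] for h in hashes if h in self._accounts}


def discover(server, address_book):
    """Client side: hash locally, send hashes only, map matches back to names."""
    by_hash = {contact_hash(v): name for name, v in address_book.items()}
    matches = server.lookup(list(by_hash))
    return {by_hash[h]: guid for h, guid in matches.items()}
```

Without the normalization step, the same number written with and without spaces would hash differently and the match would silently fail.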