zukka

Legal Process Guidelines

For law enforcement and government agencies. · zukka is operated by Smartago LLC, a Delaware (USA) company. · Last updated: June 27, 2026

Smartago LLC complies with valid, binding legal process issued under applicable law. This page explains how to serve process for zukka accounts, what categories of data exist on our systems, and — equally important — what categories of data do not exist and can never be produced, regardless of the legal instrument used.

1. How to serve legal process

2. What exists on our systems

CategoryContentsNotes
Basic subscriber recordnickname, account creation date, country codeno name, no email, no phone number — these are never collected
Session recordsdevice model and OS, login timestamps, country code, connection IPraw IPs are automatically deleted after 30 days; only the country code is retained thereafter
Invitesinvite codes, status, timestamps
Stored contentmessages, attachments and contact data as ciphertextencrypted with keys that derive from the user's passphrase and never exist complete on our systems; we hold no means of decryption
What can never be produced, under any process: readable message or file content; the names or photos a user assigned to contacts; the user's encryption phrase, passwords, or complete keys; the user's real-world identity, email or phone number; raw IP addresses older than 30 days. These do not exist on our systems in producible form.

3. What each instrument can obtain (US process — 18 U.S.C. §2701 et seq.)

We have no technical capability to intercept communications in real time or to produce content in readable form. Smartago LLC is not a telecommunications carrier subject to CALEA capability mandates; and even the CALEA decryption rule (47 U.S.C. §1002(b)(3)) — which can require a carrier that itself encrypts to assist in decryption — does not reach us, because the complete keys do not exist on our systems.

4. Preservation requests

Upon a request under 18 U.S.C. §2703(f), we will preserve the then-existing records described in section 2 for 90 days, renewable once for an additional 90 days. Preservation does not suspend the automated 30-day IP deletion for periods before the request was received — data already deleted cannot be preserved.

Separately, where we file a report with the NCMEC CyberTipline under 18 U.S.C. §2258A, we preserve the contents of that report for one year as §2258A(h) requires. We are under no obligation to monitor, screen or affirmatively scan communications (§2258A(f)), and have no technical means to do so.

5. Emergency disclosure

Under 18 U.S.C. §2702(b)(8), where we have a good-faith belief that an emergency involving danger of death or serious physical injury requires disclosure without delay, we may disclose the available records described in section 2. Mark such requests "EMERGENCY" in the subject line to legal@zukka.app and include the facts establishing the emergency, the specific account, and the requesting officer's verifiable credentials.

6. Non-US authorities

Smartago LLC is a US company and responds to process binding under US law. Non-US authorities should proceed through a Mutual Legal Assistance Treaty (MLAT) request or letters rogatory via the US Department of Justice, or through mechanisms available under executive agreements where applicable. We do not act on foreign orders served directly.

7. User notice

Our policy is to notify the affected user before producing records, unless we are legally prohibited from doing so (for example by a non-disclosure order under 18 U.S.C. §2705(b)). Where notice is delayed by such an order, we provide it once the prohibition lapses.

8. Costs

We may seek reimbursement for costs incurred in responding to legal process, as permitted by 18 U.S.C. §2706.

9. Transparency

Requests received and their outcomes are reported, in permitted form, in our biannual Transparency Report.

10. National security process

National security demands — National Security Letters under 18 U.S.C. §2709 and orders under the Foreign Intelligence Surveillance Act (FISA) — are handled in accordance with applicable law, including any non-disclosure obligations they carry. To the extent the law permits, the numbers are reported in approved bands in our Transparency Report. As with all process, what can exist to be produced is limited to the categories in section 2; no readable content or keys exist on our systems.

11. Child safety and mandatory reporting

Smartago LLC has zero tolerance for child sexual abuse and exploitation. When we obtain actual knowledge of an apparent violation we report it to the NCMEC CyberTipline as required by 18 U.S.C. §2258A and cooperate with valid legal process, including emergency disclosure where a child is in danger. Our full standards, mandatory-reporting duties and child-safety point of contact are set out in our Child Safety Standards.

12. Authentication of requests

Fraudulent law-enforcement requests are a known threat — including forged process and "emergency" requests sent from compromised or spoofed official email accounts — so we authenticate before we act. We accept requests only through the official channel above and only from verifiable official sources, and we never rely on contact details supplied inside a request itself. We may independently verify the requesting agency and officer through a channel we source ourselves (for example the agency's publicly listed telephone number), require official credentials and proper signatures, and decline or delay any request we cannot verify. Genuine officers should expect a brief verification step: it protects users from impersonators and does not obstruct lawful process.