Signal · Signal Privacy Policy

Contact Discovery Data Processing

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

If you allow it, Signal can check your phone's address book contacts to see which ones use Signal, by sending scrambled (hashed) versions of your contacts' phone numbers to Signal's servers.

Consumer impact (what this means for users)

When you use Signal's contact discovery feature, information about your contacts — people who may not use Signal and have not consented to any data processing — is cryptographically processed and sent to Signal's servers, which may have GDPR implications for EU users.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Opt Out of Arbitration
    Contact discovery is an optional feature. Open Signal, go to Settings > Privacy and disable contact syncing to prevent your contacts' data from being hashed and transmitted to Signal's servers.

Cross-platform context

See how other platforms handle Contact Discovery Data Processing and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Even though Signal hashes contact data before transmission, this process involves uploading information about people who have not consented to Signal's data processing — a significant GDPR third-party data subject consideration.

View original clause language
Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contacts are registered.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: Contact discovery implicates GDPR Art. 6 (lawful basis for processing third-party contact data), Art. 14 (information to data subjects whose data was not collected from them), and Art. 9 (where contact lists reveal special category data such as religious or political associations). CCPA §1798.100 applies to California residents' contact data. Illinois BIPA (740 ILCS 14) may apply if contact hashing constitutes biometric data processing — unlikely but worth assessment. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has authority over data practices involving third-party contact data and may scrutinize whether Signal's contact discovery adequately discloses processing of non-user contact information.
    File a complaint →

Provision details

Document information
Document
Signal Privacy Policy
Entity
Signal
Document last updated
April 29, 2026
Tracking information
First tracked
April 18, 2026
Last verified
April 18, 2026
Record ID
CA-P-003040
Document ID
CA-D-00305
Evidence Provenance
Source URL
https://signal.org/legal/
Wayback Machine
View archived versions →
SHA-256
c987bd00ea1fa41c8839b08b6e171831f324f37a5caf9a73223693d82c3902da
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Signal | Document: Signal Privacy Policy | Record: CA-P-003040
Captured: 2026-04-18 11:58:17 UTC | SHA-256: c987bd00ea1fa41c…
URL: https://conductatlas.com/platform/signal/signal-privacy-policy/contact-discovery-data-processing/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document