Creating a Signal account requires a phone number, and if you choose to use the contact discovery feature, your contacts' phone numbers are cryptographically hashed before being sent to Signal's servers to check who is also on Signal.
This analysis describes what Signal's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Phone number registration ties your Signal identity to a real-world identifier, and contact discovery involves uploading hashed versions of your contacts' phone numbers to Signal's servers, which affects not just your privacy but also the privacy of people in your address book who may not be Signal users.
Interpretive note: The policy does not specify retention periods for hashed contact data or clarify whether the legal basis for processing third-party contact data meets GDPR requirements, creating ambiguity for EU compliance assessment.
Your phone number is the sole required personal identifier for Signal and cannot be replaced with an anonymous identifier; the optional contact discovery feature transmits hashed contact data to Signal's servers, which has privacy implications for contacts who have not consented to this process.
Cross-platform context
See how other platforms handle Phone Number Registration and Contact Discovery and similar clauses.
Compare across platforms →Monitoring
Signal has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You register a phone number when you create a Signal account. Phone numbers are used to provide our Services to you and other Signal users. Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contacts are registered.— Excerpt from Signal's Signal Privacy Policy
REGULATORY LANDSCAPE: The processing of contact data from a user's address book engages GDPR Article 6 lawful basis requirements, particularly for data about third parties (contacts) who have not directly consented to Signal's processing. The contact discovery process, even using cryptographic hashing, constitutes processing of personal data about non-users under GDPR. CCPA's definition of personal information would also encompass hashed phone numbers if they remain reasonably linkable to individuals. The FTC and EU data protection authorities are relevant enforcement bodies. GOVERNANCE EXPOSURE: Medium. The use of cryptographic hashing for contact discovery is a genuine privacy-preserving technical measure and Signal has published technical documentation on its approach. However, the policy does not specify the retention period for hashed contact data on Signal's servers, which is a GDPR accountability gap. JURISDICTION FLAGS: EU/EEA data protection authorities may scrutinize the legal basis for processing third-party contact data under GDPR Article 6, particularly regarding legitimate interests balancing. Illinois BIPA implications are less direct given that hashed phone numbers are not biometric identifiers, but the principle of processing third-party data without explicit consent is analogous. CONTRACT AND VENDOR IMPLICATIONS: Organizations deploying Signal should assess whether employee use of contact discovery features triggers corporate data governance obligations, particularly if business contacts are included in employees' address books. COMPLIANCE CONSIDERATIONS: GDPR compliance teams should evaluate whether Signal's contact discovery process requires a Data Protection Impact Assessment under Article 35, given that it involves large-scale processing of personal data about potentially non-consenting third parties. Data mapping exercises should account for the optional but commonly used contact discovery feature.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Phone number registration ties your Signal identity to a real-world identifier, and contact discovery involves uploading hashed versions of your contacts' phone numbers to Signal's servers, which affects not just your privacy but also the privacy of people in your address book who may not be Signal users.
Your phone number is the sole required personal identifier for Signal and cannot be replaced with an anonymous identifier; the optional contact discovery feature transmits hashed contact data to Signal's servers, which has privacy implications for contacts who have not consented to this process.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Signal.