Data disclosure policy.
How we respond to government and third-party requests for customer data. We resist over-broad requests, require lawful process, notify customers when we can, and publish a transparency report. The standards we hold ourselves to.
01Default position
We do not give customer data to third parties unless we are legally compelled to. We resist over-broad requests, push back on vague legal process, narrow the scope wherever we can, and we tell affected customers unless the law forbids us. This page describes the standards we apply.
The Message platform was built by people who care about civil liberties and who know that "chat with us" is a record of a lot of personal life. We treat that responsibility as load-bearing.
This policy applies to law enforcement requests, civil subpoenas, regulatory demands, and private third-party demands. It does not change the customer-controlled controls that already exist (export, deletion, retention). It also does not waive any obligation Message has to its customers under the DPA or the Terms of Service.
02Lawful process required
To compel Message to disclose customer content or non-content account data in the United States, the requesting party must serve valid legal process. The categories we accept, with the level of process they unlock:
- Subpoena (grand jury, civil, administrative). Unlocks basic subscriber information: account name, billing contact, recent IP addresses, account creation date. Does not unlock content.
- Court order under 18 U.S.C. 2703(d). Unlocks transactional records (call detail records, conversation metadata, login timestamps). Does not unlock content.
- Search warrant supported by probable cause. Required to unlock content (conversation bodies, call recordings, transcripts, attachments). We do not produce content on anything less than a search warrant.
- National Security Letter (NSL). Treated under the relevant statutes; scope is read narrowly; we apply the FBI's standard certification language and our own gag-order review.
- Mutual Legal Assistance Treaty (MLAT) request. Accepted from foreign authorities through the US Department of Justice. Direct foreign-authority requests outside MLAT are not honored.
- Civil discovery subpoena. Accepted only when validly issued under the applicable rules of civil procedure; we typically require notice to the affected customer before producing.
For requests from non-US authorities under the GDPR, the UK GDPR, the LGPD, the PIPL, and similar regimes, the equivalent local process is required and is read at least as narrowly as the US equivalents above.
03Categories of data we hold
Depending on the workspace configuration, Message may hold any of the following on behalf of a customer:
- Account-level identifiers: workspace name, owner email, billing contact, plan tier, last login.
- End-user identifiers: visitor email and phone (when provided), browser fingerprint hash, IP, geolocation derived from IP.
- Conversation metadata: conversation ID, channel (chat, ticket, call), agent assignment, tags, timestamps, outcome.
- Conversation content: message bodies, attachments, call recordings (where enabled by the customer), call transcripts, voicemails.
- Operational logs: authentication events, agent actions on the conversation, AI completions returned to the customer.
- Commerce metadata (when integrated): order ID, refund amount, subscription state.
Each category has different sensitivity and is unlocked by a different level of legal process, as described above.
04Customer notification
We tell affected customers about government and third-party requests for their data, with one exception: when a court orders us not to (a gag order, an NSL non-disclosure provision, or an emergency situation explicitly recognized in the order).
When a gag order applies:
- We challenge the gag if there is a credible argument it is over-broad or unconstitutional.
- We seek the shortest possible gag duration consistent with the request.
- When the gag expires or is lifted, we notify the customer retrospectively, even if the underlying disclosure has already happened.
Customers are notified at the security contact on file. Customers should keep that contact up to date in Settings > Security.
05Emergency disclosure
We will produce information without legal process only in a true emergency: where there is a good-faith belief that disclosure is necessary to prevent an imminent risk of death or serious physical injury. The bar is high; "serious physical injury" means actual bodily harm, not financial loss or reputational damage.
Emergency requests are evaluated by the legal team and the security team together. We require:
- A specific, articulable threat (not a general concern).
- A specific subject (not a fishing trip).
- An explanation of why the threat is imminent and why legal process cannot be obtained in time.
- A named, verifiable law-enforcement contact on the requesting side.
When we honor an emergency request, we produce only what is reasonably required to address the imminent harm. We notify the affected customer after the fact, once doing so will not interfere with the threat response.
06Transparency report
We publish an annual transparency report. The first issue is scheduled for January 2027 and covers calendar year 2026. Each report includes, at minimum:
- Total number of government requests received, broken down by jurisdiction and type (subpoena, 2703(d) order, warrant, NSL, MLAT, foreign authority direct).
- Number of customers affected.
- Disposition: percentage produced in full, produced in part, rejected, withdrawn.
- Number of gag orders received and the number lifted in the reporting year.
- Number of emergency disclosures.
- Civil subpoenas received and how they were handled.
If we receive zero requests in a category, we still report a zero. Silence on a category is meaningful.
07International requests
Requests from foreign authorities are evaluated against the same legal-process standards as US requests, plus the requirements of the GDPR and equivalent regimes where applicable:
- Requests routed through MLAT and processed by the US Department of Justice are honored on the same terms as a domestic subpoena, 2703(d) order, or warrant of equivalent type.
- Direct requests from foreign authorities outside MLAT are scrutinized for compatibility with US law, the GDPR (Article 48 in particular), and the customer's jurisdiction.
- Where compliance would force us to violate one law to satisfy another, we refuse the request and explain why.
- Cross-border data transfers triggered by a foreign request are documented as part of the transfer impact assessment regime described in International Data Transfer.
08How to serve us
Legal process should be served to:
- Email: [email protected] (preferred). Subject line should include the matter name and the words "Legal Process".
- Postal mail (backup): Message.com LLC, Attn: Legal, 363 N Sam Houston Pkwy E Ste 125, Houston, TX 77060, USA.
Service by social media, by tagging a Message staff member online, or by phone is not effective. We will not accept process by those means.
We acknowledge valid process within two business days and respond on a timeline set by the order. Where the deadline is unreasonable for the scope, we will request an extension before producing.
09Costs
Responding to legal process costs engineering and legal time. Where a request is well-scoped and we can produce the data with a routine query, we generally absorb the cost. Where a request is broad enough to require custom work (multi-month historical reconstruction, broad-pattern searches across the dataset, novel forensic preservation), we reserve the right to charge a reasonable fee at our standard time-and-materials rate.
We do not charge customers for responding to requests targeting their own data. Affected customers are not invoiced for the engineering time required to comply.
10What we will not do
The platform is not built to do these things, and we will not do them even if asked nicely:
- Bulk monitoring of conversations for any purpose other than legitimate security operations against our own infrastructure (abuse detection, fraud prevention, infrastructure threat response).
- Partnerships with intelligence agencies that provide programmatic, bulk, or sustained access to customer data.
- Voluntary disclosure to law enforcement or intelligence services in the absence of valid legal process or a recognized emergency.
- Building backdoors into encryption, key escrow under government control, or any other engineering change designed to defeat our own security controls.
- Selling customer data, customer lists, end-user lists, conversation content, or derived signals to data brokers, advertisers, or any other third party.
If you ever see evidence that we have violated any of the above, file a complaint to [email protected] and we will investigate publicly.
11Account information requests
The most common request we receive is for basic subscriber information about a workspace owner (name, email, billing address, last login IPs). We require a subpoena or equivalent legal process for this, and we narrow the response to what is strictly responsive.
We do not voluntarily verify whether a particular person has an account with Message. If you are looking for that confirmation outside legal process, the answer will be that we cannot tell you.
12Preservation requests
Preservation requests (under 18 U.S.C. 2703(f) and equivalents) are honored for 90 days, extendable for another 90 on a renewed request, provided the request is in writing and identifies the target workspace specifically. Preservation does not produce data; it holds the data against the routine retention schedule until valid legal process is served.
The customer is notified of a preservation request on the same terms as any other request: promptly, unless legally prohibited.
13Notification after disclosure
When we have produced data in response to legal process, we send the affected customer a written notice that includes, at minimum:
- The type of legal process served.
- The categories of data produced.
- The window of dates the production covered.
- Whether a gag order applied and, if so, when it was lifted.
- How the customer can challenge the disclosure (in court, with the issuing authority, or with us if we made an error in our review).
The notice is delivered to the security contact on file. If we cannot deliver because the contact is invalid, we make reasonable efforts to reach the workspace owner by other channels (billing email, in-app banner).
14Contact
Service of legal process: [email protected]. Backup by certified mail to the Houston address above.
Questions about this policy (not formal legal process) also go to [email protected]. We answer from a named human within two business days.
Security-specific reports (suspected unauthorized access, suspected leak of customer data) should be sent to [email protected].
Serving legal process or asking a policy question?
Email [email protected] with the matter name in the subject line. Certified mail to the Houston address works too. We acknowledge inside two business days.
Start free trial →