Your phone book leaves your phone the moment you back it up. A short tour of where it goes, who reads it, and what GDPR actually says.

Your contact list is your most-shared, least-thought-about dataset.
On a default modern phone, your contact list is in at least two places: the phone itself and a cloud account (Google, Apple, Microsoft). The cloud copy is the source of truth in most setups - the phone is just a cached view. "Backed up" is the polite word for uploaded to a US-headquartered company under its privacy policy.
Once it's there, it's typically used for a few things you may or may not have thought about: spam-call detection (your contacts get matched against other people's contacts), suggested-people features in messaging apps, and the integrations you've granted to assistants and AI agents. Each of those is a separate read of the same list.
If you're an individual using a contact app for personal purposes, GDPR's so-called "household exemption" applies - the law largely doesn't regulate what you do. The interesting question is what happens when you give those contacts to a company.
Once a company processes your contact list (uploaded for sync, used for matching, fed to an algorithm), that company becomes a controller for those people's data. They need a legal basis. They need a privacy notice. They need to honour Articles 15-21 (access, rectification, erasure, restriction, portability, objection). They need to limit international transfers under Articles 44-49. The bar isn't low.
If you're already on a US-hosted contact tool
Switching is straightforward - export to CSV, import elsewhere. The lock-in is mostly social, not technical. Most popular contact tools support a clean Google CSV format.
If you care about this, the easiest single move is: pick a tool whose hosting jurisdiction you trust, and whose privacy notice you can actually read. "Hosted in Germany" + "no third-party trackers" + "self-serve export and delete" is roughly the bar.
Contact Book is hosted on infrastructure we operate ourselves, in Germany, under German law. We don't sell or share your data, we don't run third-party analytics on logged-in pages, and we don't train models on your contact list. The full position is on /privacy + /security; export and delete are one button each in account settings.
Free plan, no credit card. We host in Germany. You can export and delete everything self-serve.