Account Deletion
You can delete your WhisperX account from inside the app, on your own, without contacting us. This page describes exactly what is removed, what is not, and on what timeline. It is published so that Google Play's data‑safety policy can point at a stable URL.
1. How to delete
- Open the WhisperX app.
- Tap Settings (the gear icon in the bottom navigation bar).
- Scroll to Danger Zone.
- Tap Delete Account.
- Confirm in the dialog. The action is irreversible.
If you have lost access to the device that holds your private key, the in‑app path is unavailable and we cannot delete the account on your behalf — there is no out‑of‑band password to verify ownership with. Without proof of ownership we will not remove an account on request, because doing so would be a denial‑of‑service vector against legitimate users.
The exception: if your account is clearly inactive (no FCM token has been refreshed and no message has been delivered to it for 12+ months), email [email protected] from the email you registered against (if any) and we will tombstone it.
2. What gets deleted on the server
A delete request triggers a single transactional cascade on the server. The following rows are removed:
- The users row — your UUID, public key, optional username, encrypted profile blob.
- Every queued messages row addressed to or originating from you, including any envelope still waiting for delivery.
- Every vault_files row owned by you — both private vault items and shared attachments. The on‑disk ciphertext blobs they reference are removed within five minutes by the cleanup sweeper.
- Every delivery_tokens row issued to or by you. Sealed‑sender hints can no longer be resolved against your identity.
- Your registered FCM push tokens.
- Your active refresh sessions.
- Any blocking relationships referencing you.
3. What survives — and why
End‑to‑end encryption forces some things outside our reach:
- Messages already delivered to your peers. Once a peer's device has fetched and decrypted a message, it lives on their device. We cannot recall it. If you want a peer to forget, ask them — or send the message with a self‑destruct timer next time.
- Your contacts' wallet addresses you cached locally. Local app data is wiped only by uninstalling the app or by the in‑app emergency wipe.
- Backend access logs. nginx and our service write rotated logs that may contain your IP for up to seven days for abuse / DoS investigation. They do not contain message content. After seven days they roll off automatically.
4. Timeline
- 0 seconds — your account row is deleted; no further messages can be addressed to you.
- < 60 seconds — queued message rows are wiped by the deletion cascade; any in‑flight delivery attempts hit a missing recipient and drop the message.
- < 5 minutes — the file cleanup sweeper removes on‑disk encrypted attachment ciphertext that referenced your account.
- < 7 days — request and access logs containing your IP roll out of retention.
- Backups — we do not retain server‑side backups that contain your data after deletion.
5. Local data
After server deletion the app signs you out and clears its local databases. To go further:
- Uninstall the app — Android removes the app sandbox.
- Or use Settings → Privacy → Emergency wipe to drop everything before uninstalling.
- If you ever set a panic PIN, entering it on the lock screen wipes local data immediately and silently.
6. Reinstalling later
Reinstalling the app produces a brand new identity. There is no recovery from a previous account — old contacts will see the deleted account as offline forever, and your new identity will not be connected to it.
7. Reach out
Questions about deletion that aren't answered here: [email protected].