Privacy Policy
This page describes the data WhisperX processes, who can see it, and how long it lives. It is written to match the actual code, not to reassure. If a section below contradicts what the app does, the app is the authority — please report it as a bug.
1. The short version
- Message content, file content, voice notes, and call media are end‑to‑end encrypted on your device with post‑quantum cryptography. The server only ever sees ciphertext.
- The server cannot tell who is messaging whom for sealed‑sender messages — sender identity is hidden behind an HMAC hint that only the recipient can resolve.
- The server stores the minimum routing data needed to deliver messages and tears it down as soon as delivery is confirmed.
- We do not run analytics, advertising SDKs, fingerprinting libraries, or third‑party trackers in the app.
- You can delete your account from inside the app. Deletion cascades on the server.
2. What is encrypted end‑to‑end
Everything you send to a contact is encrypted on your device before it leaves: text, photos, videos, voice notes, files, link metadata, forward labels, replies, reactions, typing indicators, read receipts, wallet address broadcasts, profile names and avatars. The cryptographic primitives are:
- ML‑KEM‑1024 for key exchange (NIST FIPS 203, post‑quantum)
- ML‑DSA‑87 (Dilithium‑5) for identity signatures
- XChaCha20‑Poly1305 for symmetric encryption inside a per‑message ratchet
Calls add WebRTC FrameCryptor on top of DTLS so each audio/video frame is independently encrypted with a key your peer derives via ML‑KEM. The TURN relay (when used) sees encrypted frames only.
3. What the server stores
3.1 Account row
When you create a WhisperX identity the server stores:
- A randomly generated user ID (UUID).
- Your ML‑DSA public key (the long‑term identity key — public by design).
- Optional username (only if you set one and choose to be discoverable).
- An encrypted profile blob (display name, avatar emoji/colour) — encrypted with a key you only share with contacts you've added; the server cannot decrypt it.
- Your most recent FCM push token, used to wake your device for delivery. The push payload contains no message content.
3.2 Queued messages
When a peer is offline, their incoming ciphertext is held in a messages table until your device picks it up over WebSocket or HTTP. The row contains: an envelope (the encrypted blob), a sender hint (HMAC, see §4), a recipient ID, a timestamp, and the optional self‑destruct timer. As soon as your device acks delivery the row is deleted; a periodic sweeper also drops delivered rows after one minute as a backstop.
3.3 Shared media (photos, videos, files, voice notes)
Attachments are encrypted on your device with a per‑file AES‑256 key that travels inside the encrypted message. The ciphertext is uploaded to the server and lives at most 7 days, after which a cleanup job hard‑deletes it whether or not your peer downloaded it. If the recipient clears their cache or reinstalls within that window they can re‑download. There is no backup beyond that window — privacy beats retention.
3.4 Delivery tokens
For sealed‑sender mode, each pair of contacts exchanges a one‑way delivery token derived from your shared ratchet. The server sees the token hash but cannot link it to a sender identity. Tokens are revoked when you block a contact.
3.5 What the server does not store
- Plaintext messages, calls, attachments, voice notes, profile names.
- Your contact list. Contacts live only on your device.
- IP addresses beyond what nginx access logs retain (rotated on the host) — there is no per‑user IP table.
- Read receipts or typing indicators as separate rows — they are encrypted control messages routed through the same channel and dropped on delivery.
- Message backups, history snapshots, or rolling archives.
4. Sealed sender
For ratchet‑established conversations the server does not see who sent each message. The sender computes an HMAC of (their identity, your delivery token) — the sender hint — and submits it alongside the ciphertext. Only your device, holding the matching token, can resolve which contact the hint corresponds to. Sender hints are checked using a constant‑time decoded‑byte comparison so we cannot accidentally regress that property to a case‑sensitive string match.
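The resolution step described above, as an added illustration that is not WhisperX's own code: the hint is decoded to bytes before a constant‑time comparison against the HMAC expected for each contact's per‑pair token, so an uppercase or lowercase hex rendering of the same hint resolves identically. The HMAC‑SHA256 construction (token as key, sender identity as message), the hex encoding and the contact table are assumptions of the example, not details the policy fixes.

```python
import hashlib
import hmac
from typing import Optional

# Assumed construction: HMAC-SHA256 keyed with the per-pair delivery token,
# over the sender's identity public key. The policy fixes neither the hash
# nor which input is the key; both are choices made for this example.


def sender_hint(sender_identity: bytes, delivery_token: bytes) -> str:
    """Sender side: the opaque hint that travels next to the ciphertext."""
    return hmac.new(delivery_token, sender_identity, hashlib.sha256).hexdigest()


def resolve_hint(hint_hex: str, contacts: dict[str, tuple[bytes, bytes]]) -> Optional[str]:
    """Recipient side: map a hint back to a local contact label, or None.

    contacts maps a label to (identity_public_key, delivery_token); this table
    lives only on the recipient's device. Removing a blocked contact's entry is
    what makes their hints stop resolving.
    """
    try:
        hint = bytes.fromhex(hint_hex)  # decode first: "ab.." and "AB.." are the same bytes
    except ValueError:
        return None
    for label, (identity, token) in contacts.items():
        expected = hmac.new(token, identity, hashlib.sha256).digest()
        # Constant-time comparison on decoded bytes, never hint_hex == expected.hexdigest().
        if hmac.compare_digest(expected, hint):
            return label
    return None


# Constructed sample data: two contacts, each with its own per-pair token.
CONTACTS = {
    "alice": (b"alice-identity-pk", b"token-alice"),
    "bob": (b"bob-identity-pk", b"token-bob"),
}

if __name__ == "__main__":
    hint = sender_hint(b"alice-identity-pk", b"token-alice")
    print(resolve_hint(hint, CONTACTS))          # alice
    print(resolve_hint(hint.upper(), CONTACTS))  # alice, despite the different case
    print(resolve_hint(sender_hint(b"mallory-pk", b"token-x"), CONTACTS))  # None
```

The loop is linear in the number of contacts, but each individual comparison is constant‑time, which is the property the policy's wording is protecting.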
5. Push notifications (FCM)
Android push delivery uses Firebase Cloud Messaging because that is what the Android system enforces for waking sleeping apps. The push payload we send contains only:
- A type field identifying the event (new message, incoming call).
- The opaque sender hint from §4 — used so your device can honour per‑contact mute without first opening the app.
No content, no contact name, no preview ever travels through Google's infrastructure. If you uninstall WhisperX, the push token is deleted from the server the next time we attempt to deliver to it (FCM returns UNREGISTERED).
6. Calls
Voice and video calls use WebRTC. Signalling (offer/answer/ICE candidates) goes through the WhisperX server in encrypted control messages over the same ratchet that messaging uses. Media flows directly between you and your peer when NAT permits; otherwise it falls back to a TURN relay we operate. The TURN relay sees encrypted media frames only — it cannot decrypt audio or video.
7. Wallet
WhisperX includes an optional non‑custodial wallet. Private keys are generated and stored on your device only. Your wallet address is not sent to the server — it is broadcast to your contacts through the encrypted ratchet, the same way any other message travels. See the Wallet Disclosure.
8. Crash reporting
Crash reports are sent through Firebase Crashlytics only when you explicitly opt in (Settings → Privacy → Crash reporting). Reports contain stack traces and device model — no message content, no contact identifiers, no chat metadata.
9. Children
WhisperX is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has used the service, contact us and we will delete the account.
10. Data subject rights
You can exercise the following rights at any time without contacting us:
- Access: Settings → Account shows everything the server holds about you.
- Erasure: Settings → Danger Zone → Delete Account triggers a server‑side cascade. See Account Deletion.
- Portability: not currently supported (intentional — we do not produce export bundles that contain plaintext).
For requests that require human handling, email [email protected].
11. Jurisdiction
WhisperX is operated from the European Union. Server infrastructure is hosted in the EU. Lithuanian law applies to this policy.
12. Changes
Material changes to this policy will be announced inside the app on next launch. The Last updated date at the top reflects the most recent change.