CipherChat
Download
Legal · Privacy

Privacy Policy

Last updated: June 1, 2026

CipherChat is an end-to-end encrypted messenger. This policy explains what information we collect, what we deliberately cannot access, and the choices you have. We aim to be honest and specific rather than vague.

01 Introduction

This Privacy Policy describes how CipherChat ("CipherChat", "we", "us", or "our") handles information in connection with the CipherChat messaging applications and related services (the "Service"). By using the Service, you agree to the practices described here.

CipherChat is built around a simple principle: the content of your conversations belongs to you and the people you talk to — not to us. Our systems are designed so that we hold the minimum information necessary to operate a reliable, secure messenger, and so that the contents of your messages are not technically accessible to us.

02 Information we collect

We collect a limited set of information needed to create your account, deliver your messages, and keep the Service secure.

Account identifiers

  • Phone number and/or email address. Used to register your account, sign you in, and help your contacts find you. Depending on how you sign up, you may provide one or both.
  • A display name and optional profile photo, if you choose to set them.

Device and delivery information

  • Device identifiers for the devices linked to your account, so messages can be synced and verified across them.
  • Push notification tokens issued by Apple, Google, or other platform providers, used solely to wake your device when a new (still-encrypted) message arrives.
  • Public cryptographic keys (such as identity, signed pre-keys, and one-time pre-keys) that other users need in order to establish an encrypted session with you. We never receive your private keys.

Limited service metadata

  • Connection and timing information, such as when your client connects, approximate timestamps needed to queue and deliver messages, and coarse technical data (for example, app version and operating system) used for compatibility and reliability.
  • IP address at the time of connection, processed transiently to route traffic and to detect and prevent abuse. We aim to minimize how long this is retained.
  • Diagnostic and abuse-prevention signals, such as rate-limiting counters and security events.

We do not maintain advertising profiles. We do not track your activity across other apps or websites, and we do not build behavioral profiles for advertising purposes.

03 What we cannot access

The content of your end-to-end encrypted communications is not accessible to us. This is a deliberate, structural property of the Service — not merely a promise.

  • Message text, media, files, and calls are encrypted on your device before they are sent, using the Signal protocol (X3DH/PQXDH key agreement, the Double Ratchet, and post-quantum ML-KEM).
  • Our servers only ever store ciphertext — the unreadable, encrypted form of your messages — while they are queued for delivery. We do not hold the keys required to decrypt them.
  • Only the intended recipients' devices hold the keys needed to decrypt and read your messages.

Because of this design, we are unable to read your messages, hand over their plaintext, or recover them if the keys on your devices are lost.

04 How we use information

We use the limited information we collect only for the following purposes:

  • To operate and provide the Service — create and maintain your account, link your devices, and route messages to the right place.
  • To deliver messages — queue encrypted messages and send push notifications so your devices know to fetch them.
  • To maintain security and prevent abuse — detect spam, fraud, and attacks; enforce rate limits; and protect the integrity of the Service and its users.
  • To provide support — respond to your requests when you contact us.
  • To comply with applicable law — meet legal obligations that genuinely apply to us.

We do not use your information to serve advertising, and we do not use the content of your messages for any purpose, because we cannot access it.

05 Data sharing

We do not sell your personal data. We do not rent it, and we do not share it with data brokers or advertisers.

We share information only in these limited circumstances:

  • Service providers (processors). We use a small number of vetted infrastructure providers — for example, hosting, content delivery, and push notification gateways — that process information on our behalf and under contractual obligations to protect it. They cannot access the content of your encrypted messages.
  • Legal compliance. We may disclose limited information if required by valid legal process, or where we believe in good faith that disclosure is necessary to comply with the law or to protect the rights, safety, or property of users or the public. Because we store only ciphertext and minimal metadata, the information we are able to provide is inherently limited.
  • Business transfers. If CipherChat is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this policy.

06 Data retention

We retain information only for as long as it is needed for the purposes described in this policy.

  • Encrypted messages are stored on our servers only until they are delivered to your devices, after which the server copy is removed. Undelivered messages are kept for a limited period and then discarded.
  • Account information is retained while your account is active. When you delete your account, we delete or de-identify the associated account data, except where we must retain limited records to comply with legal obligations or to prevent abuse.
  • Operational and security logs are kept for short, defined periods and then deleted or aggregated.

07 Security

Security is the foundation of the Service, not an add-on.

  • End-to-end encryption. Messages, media, and calls are encrypted on your device using the Signal protocol, including X3DH/PQXDH key agreement, the Double Ratchet for forward secrecy and post-compromise security, and post-quantum ML-KEM.
  • Encryption in transit. All connections between your devices and our servers are additionally protected with modern transport encryption (TLS).
  • Key handling. Your private keys are generated and stored on your devices and are never transmitted to or held by us. Only your public keys are shared, as needed to establish sessions.
  • Verification. You can compare safety numbers to confirm a contact's identity, and CipherChat alerts you when a contact's device or keys change.

No system can be guaranteed to be perfectly secure, but we work to apply strong, well-reviewed cryptography and to minimize the data that could ever be exposed.

08 Your rights

Depending on where you live, you may have rights regarding your personal data, including the right to access, correct, or delete it, and to object to or restrict certain processing.

  • Access and correction. You can view and update your profile information directly in the app.
  • Account deletion. You can delete your account from within the app. Deleting your account removes your account information from our systems, subject to limited legal retention. Because we hold only ciphertext for messages, there is no readable message content for us to delete on your behalf.
  • Exercising your rights. You can contact us at support@cipherchat.app to make a request. We may need to verify your identity before acting on it.

09 Children

The Service is not directed to children. You must be at least 13 years old to use CipherChat, or older where required by your local law (for example, 16 in parts of the European Union). We do not knowingly collect personal information from children below the applicable age. If you believe a child has provided us with personal information, please contact us at support@cipherchat.app and we will take appropriate steps to delete it.

10 International transfers

CipherChat operates globally, and the limited information we process may be transferred to, and stored in, countries other than the one in which you live. Where required, we use appropriate safeguards (such as standard contractual clauses) to protect information transferred across borders. Regardless of where data is processed, the content of your messages remains end-to-end encrypted.

11 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the Service or to legal requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice within the app. Your continued use of the Service after an update means you accept the revised policy.

12 Contact

If you have questions about this Privacy Policy or how we handle your information, contact us at support@cipherchat.app.

Prefer a human walkthrough first? Our Help Center answers the most common privacy and security questions.