// security
What we store. What we don't. Why it matters.
burner-chat's job is to know as little about you as possible while still letting you talk to one person. Here's the full accounting, and the limits we're honest about.
What the server stores
- Your username (so peers can find you to pair).
- Your identity public key (Curve25519, used by your peers to verify it's you).
- Your signed prekey + signature, and a small pool of one-time prekeys.
- Encrypted message ciphertext, addressed to a recipient. Deleted on delivery — and in any case after 7 days.
- Encrypted media blobs (photos/videos), stored at unguessable URLs. Useless without the per-message key, which only travels in the E2EE envelope.
- A keyed hash (HMAC-SHA256) of your email, so two signups with the same address resolve to the same account. The HMAC key is kept apart from the database.
What the server explicitly does not store
- Your message plaintext.
- Your media plaintext.
- Your PIN, your vault key, or any of your private keys. They never leave your device.
- Your phone number — we don't ask for one.
- Your name, profile picture, or any "profile" field beyond the username you pick.
- Push tokens. The server has no way to wake your device.
- Read receipts, typing indicators, online/offline status, last-seen.
- An account-recovery secret. Lose your PIN, the data is gone — by design.
- Third-party analytics, trackers, or ad pixels. There are no third-party scripts on this site.
The crypto — short version
1:1 messaging
Signal Protocol: X3DH for the initial handshake (Diffie-Hellman over the prekey bundle the server stores for you), Double Ratchet for the messages that follow. The ratchet gives forward secrecy (a key that leaks today does not unseal yesterday's messages) and post-compromise security (the session heals after a few fresh messages). Same protocol Signal/WhatsApp use.
Local vault
AES-256-GCM, key derived from your PIN via PBKDF2-HMAC-SHA256 with 600,000 iterations (the current OWASP recommendation for PBKDF2-SHA256). The vault contains your identity keys, sessions, and chat history. The iteration count only multiplies the cost of each guess; a 4-digit PIN leaves just 10,000 of them, so against someone who has copied the vault the PIN's length matters more than the iteration count.
Media (photos/videos)
Per-blob random AES-256-GCM key + IV, encrypted client-side, ciphertext uploaded to object storage. The key and IV travel only inside the libsignal-encrypted envelope alongside the URL; the server holds an opaque blob at an unguessable name and nothing that opens it.
Transport
HTTPS only, with HSTS at a preload-eligible setting. Strict CSP: script-src and style-src allow only this origin, so no third-party scripts, no inline event handlers (no 'unsafe-inline') and no remote stylesheets can load. Permissions-Policy locks down camera, microphone, geolocation and interest cohorts (FLoC, since dropped by browsers; the directive is harmless). The microphone is needed only while you record a voice message.
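What those transport properties look like as concrete response headers, as an added example rather than the site's actual configuration: a strict set beside a typical weak one, and an audit function that checks any header set against the properties listed above (HSTS of at least a year with includeSubDomains and preload, no remote or inline script and style sources, object-src 'none', and a restricted Permissions-Policy). The directive values, the storage host, and the choice to let the app's own origin use camera and microphone are assumptions.

```javascript
// Added example, not burner-chat's real headers or code.
const STRICT_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': [
    "default-src 'self'",
    "script-src 'self'",                           // no CDN hosts, no 'unsafe-inline': onclick= handlers are blocked
    "style-src 'self'",                            // no remote stylesheets
    "img-src 'self' blob: data:",
    "media-src 'self' blob:",
    "connect-src 'self' https://storage.example",  // assumption: object-storage host for media blobs
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; '),
  // assumption: the app's own origin needs camera/microphone (voice notes use MediaRecorder)
  'permissions-policy': 'camera=(self), microphone=(self), geolocation=(), interest-cohort=()',
};

// A common "it works" configuration that fails several of the checks below.
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=86400',
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; style-src 'self' https://fonts.googleapis.com",
};

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith('max-age=')) out.maxAge = parseInt(d.slice(8), 10) || 0;
    else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

const KEYWORD = /^'.*'$/;            // 'self', 'none', 'unsafe-inline', 'nonce-...', 'sha256-...'
const LOCAL_SCHEME = /^(blob|data):$/; // blob: and data: are not network sources; a bare https: would be

// Returns a list of findings; an empty list means the header set has the stated properties.
function auditHeaders(headers) {
  const findings = [];
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // HSTS preload requires max-age >= 1 year, includeSubDomains and preload.
  const hsts = parseHsts(h['strict-transport-security'] || '');
  if (hsts.maxAge < 31536000) findings.push('hsts: max-age below one year');
  if (!hsts.includeSubDomains) findings.push('hsts: missing includeSubDomains');
  if (!hsts.preload) findings.push('hsts: missing preload');

  const csp = parseCsp(h['content-security-policy'] || '');
  const sources = (dir) => csp[dir] || csp['default-src'] || null; // default-src is the fallback
  for (const dir of ['script-src', 'style-src']) {
    const list = sources(dir);
    if (!list) { findings.push(`csp: no ${dir} (and no default-src fallback)`); continue; }
    if (list.includes("'unsafe-inline'")) findings.push(`csp: ${dir} allows 'unsafe-inline'`);
    if (dir === 'script-src' && list.includes("'unsafe-eval'")) findings.push("csp: script-src allows 'unsafe-eval'");
    for (const s of list) {
      if (!KEYWORD.test(s) && !LOCAL_SCHEME.test(s)) findings.push(`csp: ${dir} allows remote source ${s}`);
    }
  }
  if (!(csp['object-src'] || []).includes("'none'")) findings.push("csp: object-src should be 'none'");

  const pp = h['permissions-policy'] || '';
  for (const feature of ['camera', 'microphone', 'geolocation', 'interest-cohort']) {
    if (!new RegExp(`(^|,)\\s*${feature}=\\(`).test(pp)) findings.push(`permissions-policy: ${feature} not restricted`);
  }
  return findings;
}

module.exports = { STRICT_HEADERS, WEAK_HEADERS, parseCsp, parseHsts, auditHeaders };
```

Run it against a live site by pasting the headers from the browser's network tab into an object; a single host in script-src or a stray 'unsafe-inline' is enough to turn "no third-party scripts" into a claim that no longer holds.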
Email
Used once to send a sign-in link via Resend (a transactional mail provider). Never used again. Stored on our side as a keyed HMAC-SHA256 hash so re-signups resolve to the same account; without the HMAC key, a leaked DB dump can't be reversed back to the address, nor checked against a guessed one.
On-device privacy controls
Hold-to-reveal media
Photos and videos render only inside a 90px spotlight that follows your finger, with a 60Hz flicker raster on top. The eye fuses, casual shutter doesn't. Release to hide.
View-once media
Toggle 🔥 before sending. The receiver's copy is deleted from their device the moment they release the touch. The encrypted blob remains on the server but the per-message key is gone — undecryptable.
Voice messages
Recorded locally with the MediaRecorder API, encrypted with the same per-message key as photos/videos. View-once also applies — the audio's gone after the first listen.
Burn this conversation
One tap clears every message in a thread on your device. The other side keeps theirs unless they burn too. No undo, no archive.
Pinned messages
Pin a message and it survives the disappearing-message TTL. Useful for shared keys, codes, addresses — anything you want to keep but the rest of the chat to evaporate.
Panic PIN (duress wipe)
Set a third PIN in Settings. Entering it on the lock screen wipes both real and decoy vaults instantly and falls back to a fresh-install state. Looks like a wrong PIN to whoever is watching.
Auto-lock + brute-force trip
5 minutes idle locks the app. Five wrong PIN attempts (counter persists across reloads) wipes everything. The brute-force trip is local-only: no server is in the loop, so there is no server-side rate limit to bypass. It guards the lock screen, not a copied vault; someone who extracts the browser's storage can guess offline, which is what PBKDF2 and a longer PIN are for.
PIN strength meter
Rejects 1234 / 0000 / repeated characters / years / common PINs at the form. Real-time strength scoring on length and character variety.
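The form-side checks described above, as an added example that is not the app's own code: the rejection rules (repeated characters, common PINs, years), a length-and-variety score, and a worst-case offline-guess estimate that relates the PIN's shape to the cost of one PBKDF2 derivation. The blocklist, the scoring weights and the sequence rule (an extension: 2345 and 9876 are as guessable as 1234) are assumptions.

```javascript
// Added example, not burner-chat's code. Blocklist, weights and the sequence rule are assumptions.
const COMMON_PINS = new Set([
  '1234', '0000', '1111', '1212', '7777', '1004', '2000', '4444', '2222',
  '6969', '9999', '3333', '5555', '6666', '1122', '1313', '8888', '4321',
  '2001', '1010', '123456', '654321', '111111', '000000', '121212',
]);

function isRepeated(pin) { return /^(.)\1+$/.test(pin); }

function isYear(pin) { return /^(19|20)\d{2}$/.test(pin); }

// All-digit PIN whose digits step by +1 or -1 the whole way through (1234, 9876, 3456).
function isSequence(pin) {
  if (!/^\d{4,}$/.test(pin)) return false;
  const step = pin.charCodeAt(1) - pin.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let i = 1; i < pin.length; i++) {
    if (pin.charCodeAt(i) - pin.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Size of the alphabet the PIN draws from; doubles as the "character variety" input to the score.
function alphabetSize(pin) {
  let size = 0;
  if (/\d/.test(pin)) size += 10;
  if (/[a-z]/.test(pin)) size += 26;
  if (/[A-Z]/.test(pin)) size += 26;
  if (/[^0-9a-zA-Z]/.test(pin)) size += 33; // printable ASCII punctuation and space
  return size;
}

// 0..4 from length and variety only, like the meter the page describes.
function pinScore(pin) {
  let score = 0;
  if (pin.length >= 6) score++;
  if (pin.length >= 8) score++;
  if (pin.length >= 12) score++;
  if (alphabetSize(pin) > 10) score++;
  return score;
}

// { ok, reason, score }; reason is null when the PIN is accepted. Order matters:
// 0000 is reported as repeated, 1234 as common, 2345 as sequential.
function checkPin(pin) {
  let reason = null;
  if (pin.length < 4) reason = 'too short';
  else if (isRepeated(pin)) reason = 'repeated characters';
  else if (COMMON_PINS.has(pin)) reason = 'common PIN';
  else if (isYear(pin)) reason = 'looks like a year';
  else if (isSequence(pin)) reason = 'sequential digits';
  return { ok: reason === null, reason, score: pinScore(pin) };
}

// Seconds to try every PIN of this shape offline, given how long one PBKDF2
// derivation takes on the attacker's hardware (measure it; do not guess).
function offlineGuessSeconds(pin, secondsPerGuess) {
  return Math.pow(alphabetSize(pin), pin.length) * secondsPerGuess;
}

module.exports = { checkPin, pinScore, alphabetSize, offlineGuessSeconds, isSequence };
```

The estimate is the point of the last function: with 600,000 PBKDF2 iterations costing on the order of a millisecond per guess on a fast machine, the whole 4-digit space is a matter of seconds and the 6-digit space a matter of minutes, which is why the page pushes six digits or a phrase.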
Encrypted local search
Search across every text message in your local vault. Runs entirely in the browser against the decrypted in-memory data — nothing crosses the wire.
Honest limits
- We're a small server you're trusting to relay ciphertext and host the username directory. We can't read your messages, but in principle a sufficiently determined attacker who compromised the server could observe metadata: which usernames are paired, when ciphertext is uploaded and acked. Sealed-sender (the technique that hides the sender from the server) is on the roadmap.
- Browser cryptography has limits. We can't fully prevent screenshots, but the secure media viewer (hold-to-reveal + spotlight + flicker raster) defeats casual phone-camera shots, and OS screenshots usually catch only the masked frame. A determined attacker with a fast-shutter DSLR or screen recording can still capture content while it's revealed.
- PWAs on iOS Safari can install with a custom name and icon (your cover story), but the underlying URL bar may briefly flash sapporty.com on launch. The cover holds up at a glance, not under deep scrutiny.
- If you forget your PIN, your data is unrecoverable. The PIN is the only thing that decrypts the vault, and we don't store it. Treat the export feature in Settings as your backup.
Recommended hygiene
01. Compare safety numbers with your contacts the first time you chat: open the chat, tap the shield, match the digits in person. This is the check that catches a server substituting its own key for your peer's.
02. Pick a real PIN. There are only 10,000 four-digit PINs, so 1234 (or any of them) takes seconds to brute-force offline; six digits or a phrase takes much longer.
03. Set a decoy PIN. Use a believable cover (sports / crypto / recipes). The seeded content is real (live API data), so a glance won't reveal anything.
04. Export your vault to a file you control (Settings → Backup & restore). It stays PIN-encrypted, so whoever gets the file still has to guess your PIN offline; with a strong PIN a USB stick or a cloud drive is fine.
05. Turn on disappearing messages for sensitive chats (1h / 1d / 7d). Both sides delete in lock-step.
06. For one-off shots, toggle 🔥 view-once before attaching; the receiver's copy is gone the moment they release.
07. Set a panic PIN in Settings. If someone's about to compel you to unlock, type it: the device wipes and looks like a fresh install.