Privacy

Privacy Policy

In short: the content of private messages is encrypted on the device and is not accessible to the server. But this is not an anonymous network like Tor - the server still sees some of the metadata for delivery.

Honest status

Essenger is under active development. Web/PWA is available now, while iOS is in beta/TestFlight. An independent external audit has not yet been completed. Server-blind Sealed Sender and forward secrecy for groups remain on the roadmap and are not shipped features.

What we can't read

What the server stores or can see

Account details

Username/UUID, public keys, encrypted blobs of key material, settings and technical records necessary for the service to operate.

Messages

Ciphertext, delivery IDs, size, creation/delivery time and status fields. Plaintext is not sent to the server.

Routing metadata

On the current active path, the server sees the account of the sender and recipient, the time of sending and the network metadata of the connection.

Calls

Signaling + STUN/TURN is used for calls. The media stream is encrypted point-to-point (DTLS-SRTP), so TURN sees IP addresses/session times, but not the media content. Important: unlike messages, call signaling is visible to the server and is not yet authenticated at the application level - this is protection against passive eavesdropping, but not full-fledged E2E with protection against active MITM.

What we don't use for registration

no phone numberno email by defaultno default address book

Security restrictions

Inquiries and contact

If you need to delete an account or discuss a security issue, use the project/repository contact channel or contact the service owner. This page should be updated as architecture changes occur.