This policy describes the personal data Qwing processes, the lawful basis for it, how long it is kept, who it is shared with, and the rights you have over it. It is written to match what the software actually does. Qwing is a pure post-quantum, end-to-end encrypted messenger: the overwhelming majority of what you create never leaves your device in a form anyone but your recipient can read.
1. Data controller
Qwing is developed and operated by an individual developer based in Lithuania (European Union). For the purposes of the EU General Data Protection Regulation (GDPR), that developer is the data controller for the limited personal data described in this policy.
You can reach the controller about any privacy matter, including data-subject requests, at privacy@qwing.app.
2. The short version
- Message text, file content, voice notes, call audio and video, profile names and avatars are end-to-end encrypted on your device. The server only ever sees ciphertext.
- You sign up with no phone number and no email — your identity is a cryptographic key pair generated on your device.
- For sealed-sender messages the server cannot tell who is messaging whom; the sender is hidden behind a per-pair hint only your recipient can resolve.
- The server keeps the minimum routing data needed to deliver a message, then deletes the ciphertext roughly five minutes after delivery.
- We run no advertising SDKs, no analytics trackers, and no fingerprinting in the app.
- You can delete your account from inside the app; the deletion cascades on the server.
3. What is end-to-end encrypted (and never visible to us)
Everything you send to a contact is encrypted on your device before it leaves, and is decryptable only on your recipient's device: text, photos, videos, voice notes, files, link previews, replies, reactions, read receipts, profile names and avatars, and any wallet address you choose to share. Voice and video calls are encrypted end-to-end and routed peer-to-peer where the network allows. The cryptographic primitives are:
- ML-KEM-1024 — post-quantum key exchange (NIST FIPS 203)
- ML-DSA-87 — post-quantum identity signatures (NIST FIPS 204)
- XChaCha20-Poly1305 — symmetric encryption inside a per-message double ratchet (the “Q-Ratchet”)
The following are technically impossible for us to access, because we never hold the keys: message, call and file content; your contact graph (who you talk to), for sealed-sender conversations; and the contents of your on-device encrypted Vault, which never leaves your device.
4. What the server processes
To deliver messages and route calls, the server processes a small amount of data. To be truthful about it: the server sees opaque ciphertext envelopes, sender hints, delivery metadata, push tokens, and the IP address of your device when it connects.
4.1 Account / identity
- A randomly generated user ID (UUID) — no phone number or email is collected.
- Your ML-DSA-87 public key (your long-term identity key; public by design).
- An optional username, only if you set one and choose to be discoverable.
- An encrypted profile blob (display name, avatar) that the server cannot decrypt.
4.2 Message routing
- Queued ciphertext envelopes for recipients who are currently offline.
- A sender hint (a per-pair token) and a recipient ID, used purely to route the envelope. For sealed-sender messages the hint does not reveal the sender's identity to us.
- A timestamp and an optional self-destruct timer value.
4.3 Media
Attachments are encrypted on your device with a per-file key carried inside the encrypted message. The server relays the ciphertext temporarily so an offline recipient can fetch it; it cannot decrypt it.
4.4 Push tokens
Your most recent Apple (APNs) or Google (FCM) push token, used to wake your device for incoming messages and calls. The push payload contains no message content.
4.5 Connection metadata
When your device connects to the server, the server (and our reverse proxy) necessarily observes your IP address for the duration of the connection and in short-lived, rotating access logs used for abuse and denial-of-service protection. There is no per-user IP history table.
4.6 What the server never stores
- Plaintext of messages, calls, attachments, voice notes or profile content.
- Your contact list — contacts live only on your device.
- Message backups, history archives or rolling snapshots.
- Read receipts or typing indicators as separate records — they are encrypted control messages dropped on delivery.
5. Lawful basis for processing
We process the limited data above on the following GDPR Article 6 bases:
- Performance of a contract — Art. 6(1)(b). Processing your account identifiers, ciphertext envelopes, routing hints and push tokens is necessary to provide the messaging service you asked for.
- Legitimate interests — Art. 6(1)(f). Short-lived connection logs and rate-limiting data are processed to keep the service secure and available and to prevent abuse, spam and denial-of-service attacks. We have balanced this against your interests and limited it to the minimum and shortest retention practical.
6. Retention periods
We keep personal data only as long as it is needed for the purpose it was collected, then delete it.
| Data | Retention |
|---|---|
| Message ciphertext (server queue) | Deleted on delivery acknowledgement; a backstop sweeper removes delivered envelopes ~5 minutes after delivery. |
| Account / identity (UUID, public key, encrypted profile) | Until you delete your account. |
| Push token (APNs / FCM) | Until you log out, delete your account, or the token becomes invalid. |
| Encrypted media on the server | Removed shortly after the recipient downloads it; a cleanup job hard-deletes any remaining ciphertext within a short window whether or not it was fetched. |
| Connection / access logs (incl. IP) | Short-lived, rotating; retained only briefly for abuse and DoS protection, then automatically rolled off. |
| On-device data (messages, Vault, keys) | Stored only on your device, encrypted at rest, under your control; removed by deleting your account, the in-app wipe, or uninstalling. |
7. Third parties & recipients
Qwing minimises third-party processing. The third parties that may receive data are:
- Apple Push Notification service (APNs) and Google Firebase Cloud Messaging (FCM) — the operating-system push channels that wake your device. They receive a push token and a minimal payload that contains no message content, no contact name and no preview.
- Blockchain RPC providers — if, and only if, you use the in-app wallet, the third-party node that broadcasts your transaction necessarily receives your wallet address and the IP address you broadcast from. See §8 and the Wallet Disclosure.
- Object / media storage — encrypted media in transit may be held briefly in our object storage so an offline recipient can fetch it. It is stored as ciphertext only.
- Hosting / infrastructure provider — the server runs on infrastructure located in the European Union. The provider has no access to message plaintext.
We do not sell personal data, and we do not share it with advertising networks or data brokers.
8. Wallet & blockchain networks
Qwing includes a self-custodial wallet. Your wallet keys are derived from your recovery phrase and stored only on your device. When you send a transaction, the app signs and broadcasts a real transaction to public blockchain networks through third-party RPC providers. At broadcast time those providers can see your wallet address and IP address, and the transaction is recorded permanently and publicly on-chain. Transactions are irreversible. Full detail is in the Wallet Disclosure.
9. Your rights
Under the GDPR you have the right to:
- Access — be told what personal data we hold about you. Settings → Account shows what the server holds; you may also email the controller.
- Rectification — correct inaccurate data. Most fields (profile name, username) you edit directly in the app.
- Erasure — delete your account and the personal data tied to it (see §10).
- Portability — receive your server-side personal data in a structured, machine-readable format. Because content is end-to-end encrypted, an export contains only the limited non-content data the server holds (e.g. your UUID and public key); request it from the controller.
- Objection / restriction — object to processing based on legitimate interests (§5).
To exercise any right, contact privacy@qwing.app. You also have the right to lodge a complaint with your local supervisory authority; in Lithuania that is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).
10. Account deletion
You can delete your account at any time in the app (Settings → Delete account). This calls the server's account-deletion endpoint, which removes your account row, queued envelopes, delivery hints and push tokens, and wipes the app's local data on the device. Full detail and timeline are on the Account Deletion page.
11. Data breaches
End-to-end encryption means a server compromise exposes ciphertext, not your messages. Nonetheless, if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where the law requires it, within 72 hours of becoming aware of it, and we will inform affected users where the breach is likely to result in a high risk.
12. Children
Qwing is not directed at children. You must be at least 17 years old to use it (see the Terms of Service). We do not knowingly process data from anyone under that age; if you believe a minor has created an account, contact us and we will delete it.
13. Jurisdiction & transfers
Qwing is operated from the European Union and its server infrastructure is hosted in the EU. Lithuanian and EU law apply to this policy. The push providers (Apple, Google) and any blockchain RPC providers you choose to use may process data outside the EU under their own terms and safeguards.
14. Changes
Material changes to this policy will be announced in the app on next launch. The “Last updated” date at the top reflects the most recent change.
15. Contact
For any privacy question or data-subject request, contact the data controller at privacy@qwing.app.