← Back to home Legal

Privacy Policy

This policy describes the personal data Qwing processes, the lawful basis for it, how long it is kept, who it is shared with, and the rights you have over it. It is written to match what the software actually does. Qwing is a pure post-quantum, end-to-end encrypted messenger: the overwhelming majority of what you create never leaves your device in a form anyone but your recipient can read.

1. Data controller

Qwing is developed and operated by an individual developer based in Lithuania (European Union). For the purposes of the EU General Data Protection Regulation (GDPR), that developer is the data controller for the limited personal data described in this policy.

You can reach the controller about any privacy matter, including data-subject requests, at privacy@qwing.app.

2. The short version

3. What is end-to-end encrypted (and never visible to us)

Everything you send to a contact is encrypted on your device before it leaves, and is decryptable only on your recipient's device: text, photos, videos, voice notes, files, link previews, replies, reactions, read receipts, profile names and avatars, and any wallet address you choose to share. Voice and video calls are encrypted end-to-end and routed peer-to-peer where the network allows. The cryptographic primitives are:

The following are technically impossible for us to access, because we never hold the keys: message, call and file content; your contact graph (who you talk to), for sealed-sender conversations; and the contents of your on-device encrypted Vault, which never leaves your device.

4. What the server processes

To deliver messages and route calls, the server processes a small amount of data. To be truthful about it: the server sees opaque ciphertext envelopes, sender hints, delivery metadata, push tokens, and the IP address of your device when it connects.

4.1 Account / identity

4.2 Message routing

4.3 Media

Attachments are encrypted on your device with a per-file key carried inside the encrypted message. The server relays the ciphertext temporarily so an offline recipient can fetch it; it cannot decrypt it.

4.4 Push tokens

Your most recent Apple (APNs) or Google (FCM) push token, used to wake your device for incoming messages and calls. The push payload contains no message content.

4.5 Connection metadata

When your device connects to the server, the server (and our reverse proxy) necessarily observes your IP address for the duration of the connection and in short-lived, rotating access logs used for abuse and denial-of-service protection. There is no per-user IP history table.

4.6 What the server never stores

5. Lawful basis for processing

We process the limited data above on the following GDPR Article 6 bases:

6. Retention periods

We keep personal data only as long as it is needed for the purpose it was collected, then delete it.

DataRetention
Message ciphertext (server queue)Deleted on delivery acknowledgement; a backstop sweeper removes delivered envelopes ~5 minutes after delivery.
Account / identity (UUID, public key, encrypted profile)Until you delete your account.
Push token (APNs / FCM)Until you log out, delete your account, or the token becomes invalid.
Encrypted media on the serverRemoved shortly after the recipient downloads it; a cleanup job hard-deletes any remaining ciphertext within a short window whether or not it was fetched.
Connection / access logs (incl. IP)Short-lived, rotating; retained only briefly for abuse and DoS protection, then automatically rolled off.
On-device data (messages, Vault, keys)Stored only on your device, encrypted at rest, under your control; removed by deleting your account, the in-app wipe, or uninstalling.

7. Third parties & recipients

Qwing minimises third-party processing. The third parties that may receive data are:

We do not sell personal data, and we do not share it with advertising networks or data brokers.

8. Wallet & blockchain networks

Qwing includes a self-custodial wallet. Your wallet keys are derived from your recovery phrase and stored only on your device. When you send a transaction, the app signs and broadcasts a real transaction to public blockchain networks through third-party RPC providers. At broadcast time those providers can see your wallet address and IP address, and the transaction is recorded permanently and publicly on-chain. Transactions are irreversible. Full detail is in the Wallet Disclosure.

9. Your rights

Under the GDPR you have the right to:

To exercise any right, contact privacy@qwing.app. You also have the right to lodge a complaint with your local supervisory authority; in Lithuania that is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).

10. Account deletion

You can delete your account at any time in the app (Settings → Delete account). This calls the server's account-deletion endpoint, which removes your account row, queued envelopes, delivery hints and push tokens, and wipes the app's local data on the device. Full detail and timeline are on the Account Deletion page.

11. Data breaches

End-to-end encryption means a server compromise exposes ciphertext, not your messages. Nonetheless, if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where the law requires it, within 72 hours of becoming aware of it, and we will inform affected users where the breach is likely to result in a high risk.

12. Children

Qwing is not directed at children. You must be at least 17 years old to use it (see the Terms of Service). We do not knowingly process data from anyone under that age; if you believe a minor has created an account, contact us and we will delete it.

13. Jurisdiction & transfers

Qwing is operated from the European Union and its server infrastructure is hosted in the EU. Lithuanian and EU law apply to this policy. The push providers (Apple, Google) and any blockchain RPC providers you choose to use may process data outside the EU under their own terms and safeguards.

14. Changes

Material changes to this policy will be announced in the app on next launch. The “Last updated” date at the top reflects the most recent change.

15. Contact

For any privacy question or data-subject request, contact the data controller at privacy@qwing.app.

Notice: This is a draft pending legal review.