Last updated: 21 April 2026
TL;DR: Your messages are end-to-end encrypted (OMEMO / Signal Protocol). We cannot read them — even if we wanted to. We collect the absolute minimum to operate the service: your account JID, the encrypted message envelope while it's in transit, and basic crash diagnostics. We never sell your data, never share it with advertisers, and never give it to third parties unless legally compelled by a valid court order in your jurisdiction.
1. Who we are
ZalAI is an end-to-end encrypted messenger built on the open XMPP standard. The application is operated by ExpSec ("we", "us", "our"), based in the European Union. We act as the data controller for the limited information described below.
2. What data we process
Account data
- Your XMPP identifier (JID), e.g. alice@expsec.eu — required to deliver messages.
- A salted+hashed password (we never store the cleartext).
- Your public OMEMO identity keys (so other users can encrypt to you). Private keys never leave your device.
- Optional profile data you choose to set yourself: nickname, avatar, status text, vCard.
Messages
- Message content is end-to-end encrypted with OMEMO (Signal Protocol). The server only sees an opaque ciphertext blob, the sender JID, the recipient JID and a timestamp.
- Encrypted messages are stored in the server's MAM archive only until they are delivered to all of your devices, then deleted (configurable: max 30 days).
- If you enable the optional CipherMachine, an additional AES-256-GCM layer is applied with a key shared out-of-band; even hypothetically, we could never decrypt it.
Device data
- Device model, OS version, app version (used for crash reports and compatibility).
- Push notification token (Firebase Cloud Messaging) — required to wake the app for incoming messages on Android. We send only "you have a new message" wake-ups, never content.
- Approximate IP address while connected (used to route packets — like every internet service).
Optional data (only if you enable it)
- Live location — shared peer-to-peer end-to-end encrypted, never stored on our servers.
- Voice messages, photos, files — encrypted, uploaded to our HTTP File Upload component, automatically deleted after 30 days.
- AI assistant queries — only sent to a third-party LLM (OpenAI / Anthropic / your self-hosted endpoint) when you explicitly invoke the AI. We do not log them on our side.
- Mesh network communication is purely peer-to-peer over Bluetooth/Wi-Fi Direct and never reaches any server.
3. How we use it
We use the data above only to:
- Deliver your encrypted messages to the right device(s).
- Send push notifications so the app wakes up.
- Diagnose crashes and improve performance (anonymised stack traces only, never message content).
- Comply with legal obligations (rare; see "Data sharing").
We never use your data for advertising, profiling, behavioural analytics or training AI models.
4. Data sharing & third parties
We work with the smallest possible number of processors:
- Hetzner Online GmbH (Germany) — provides our XMPP server hosting (EU-located).
- Google Firebase Cloud Messaging — push wake-ups on Android (no message content).
- Apple Push Notification service — push wake-ups on iOS (no message content).
- Let's Encrypt — issuance of TLS certificates.
We only disclose user data to law enforcement when presented with a legally valid order from a competent EU authority and after exhausting reasonable challenges. Because messages are end-to-end encrypted, the only data we are technically able to provide is account metadata (JID, registration timestamp, IP at last connection).
5. Retention
- Encrypted message archive (MAM): up to 30 days, then auto-deleted.
- Uploaded files (photos / voice / docs): 30 days, then auto-deleted.
- Account JID and OMEMO identity: until you delete your account.
- Crash reports: 90 days, then anonymised aggregates only.
You can delete your account at any time from Settings → Account → Delete account. All server-side data is wiped within 24 hours.
6. Security
- End-to-end encryption for all 1:1 and group messages (OMEMO, Signal Double Ratchet).
- TLS 1.3 for all transport between client and server.
- Optional second layer: CipherMachine AES-256-GCM with out-of-band key sharing.
- Local Vault: hidden chats are encrypted on your device with a separate Vault password; even physical access doesn't reveal them.
- SQLCipher protects the local database with AES-256.
- WebRTC calls use DTLS-SRTP (E2E encrypted media).
7. Your rights (GDPR)
If you live in the EU/EEA, UK or Switzerland, you have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your account and associated data.
- Restrict or object to processing.
- Receive a portable export of your data.
- Lodge a complaint with your national supervisory authority.
To exercise any of these rights, write to us at privacy@zalai.app.
8. Children
ZalAI is not directed at children under 13 (under 16 in some EU member states). We do not knowingly collect data from such users. If you believe a child has registered, please contact us and we will delete the account.
9. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced in-app at least 14 days before they take effect. The current version, with full revision history, is always available at https://zalai.app/privacy.html.