Short version: Your messages and calls are end-to-end encrypted. We can't read them. We run a relay, not a surveillance network. We don't sell your data, serve ads, or use third-party analytics.
1. Who we are
Phaze ("we", "us", "our") is an independent encrypted messaging application available at phazechat.world and on Android via Google Play. For privacy questions: privacy@phazechat.world.
2. What we collect
When you register an account, we store:
- Your username, a bcrypt hash of your password, and your email address (used for verification and password reset only — never for marketing).
- Optionally, your display name and mood text.
- Your friends list and block list so we can route messages.
- Your NaCl public key — shared with contacts so they can encrypt messages to you.
- A Firebase Cloud Messaging (FCM) token — used to deliver push notifications to your Android device. See Section 5 for details.
- Connection metadata (IP address, device model string) transiently for rate-limiting and fraud prevention — retained for a maximum of 30 days.
3. Messages, calls, and files
- Direct messages are end-to-end encrypted with
NaCl box (Curve25519 + XSalsa20 + Poly1305) before they leave your device. The Phaze Nexus relay only sees ciphertext — we cannot decrypt your messages.
- Voice and video calls are negotiated peer-to-peer via WebRTC. Call audio and video are never stored or recorded by our servers.
- File attachments are uploaded temporarily to support offline delivery and deleted automatically after 7 days.
- Stories (photos/videos) are stored until you delete them or after 24 hours.
- Key backups (optional): if you use the key backup feature, your private key is encrypted with a PIN on-device before upload. We store the ciphertext only and cannot access your private key.
4. What we do NOT collect
- The plaintext content of your messages or calls.
- Your contacts' phone numbers or address book.
- Location data.
- Advertising identifiers or browsing history.
- Any data for advertising, profiling, or sale to third parties.
- Any data to train AI or machine-learning models.
5. Third-party services
- Firebase Cloud Messaging (Google): used to deliver push notifications to Android devices. Google receives your FCM device token. Subject to Google's Privacy Policy.
- Email delivery: verification and password-reset emails are delivered via an SMTP provider, which sees your email address and subject line.
- SMS (optional): if you opt into phone verification, handled via Twilio. Twilio sees your phone number and the OTP.
- TURN/STUN relay: used to establish peer-to-peer calls when direct connections are blocked by NAT. TURN servers relay encrypted RTP packets and cannot decrypt call content.
- Hosting:
phazechat.world runs on a commercial hosting provider. Your IP is visible to the provider for the duration of your connection.
6. Data retention
| Data type | Retention period |
|---|
| Account data (username, email, hashed password) | Lifetime of account, or 90 days after deletion request |
| Message metadata (sender, recipient, timestamp) | 30 days after delivery |
| File attachments | 7 days after upload |
| Stories | 24 hours or until manually deleted |
| Connection logs (IP, device model) | 30 days |
| FCM push tokens | Until you sign out or uninstall |
7. Encryption
All data in transit uses TLS 1.2 or higher. Private messages use an additional layer of NaCl end-to-end encryption keyed to Curve25519 key pairs generated on-device. We do not hold, escrow, or have any access to your private keys. Passwords are stored as bcrypt hashes (cost factor 12).
8. Your rights
- Access: request a copy of the data we hold about you.
- Deletion: email privacy@phazechat.world to have your account and associated data purged.
- Correction: update your username or email from the app's Settings.
- Portability: your local message history is stored on your device and is yours.
We will respond to rights requests within 30 days.
9. Children
Phaze is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has created an account, contact privacy@phazechat.world and we will delete it.
10. Law enforcement requests
We respond to lawful process in the jurisdiction of our hosting provider. Because messages are E2EE, we cannot hand over content we do not have. We can produce the account metadata described in Section 2.
11. Changes to this policy
If we make material changes, we will update the "Last updated" date above and announce the change in the app. Continued use of Phaze after changes constitutes acceptance of the updated policy.
12. Contact
Questions or complaints: privacy@phazechat.world
Website: https://phazechat.world