chatvtalk · Legal
Data Security
Effective April 24, 2026
We treat security as a feature, not an afterthought. Here's exactly how we protect your data.
End-to-end encrypted chats
Every text chat session establishes a unique encryption channel between you and your match using ECDH (P-256) for key agreement and AES-GCM 256-bit for message encryption. Both happen entirely in your browser using the Web Crypto API. The server never sees plaintext.
Ephemeral keys
Encryption keys are generated per session and never stored. When the session ends, the keys are gone — and so is the ability to decrypt that conversation. Even an attacker who later gains database access cannot read past chats.
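The key agreement and message encryption described in the two sections above, as an added example (not chatvtalk's own code): two parties each create a per-session ECDH P-256 key pair with the Web Crypto API, swap public keys, and derive the same AES-GCM 256-bit key. The function names, the use of the raw ECDH output as the AES key, and the sample message are assumptions, and the sketch does not authenticate the exchanged public keys.

```javascript
// Added illustration; function names are hypothetical, not chatvtalk's code.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ECDH = { name: "ECDH", namedCurve: "P-256" };

// Fresh key pair per session; the private key is non-extractable.
const newSessionKeyPair = () => wc.subtle.generateKey(ECDH, false, ["deriveKey"]);

// Only this public half (65-byte uncompressed point) goes to the server.
const exportPublic = async (pair) =>
  new Uint8Array(await wc.subtle.exportKey("raw", pair.publicKey));

// Assumption: the ECDH output is used directly as the AES-GCM 256 key.
async function deriveChatKey(myPrivateKey, peerPublicRaw) {
  const peer = await wc.subtle.importKey("raw", peerPublicRaw, ECDH, false, []);
  return wc.subtle.deriveKey({ name: "ECDH", public: peer }, myPrivateKey,
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function encryptMessage(key, text) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // must be unique per message
  const data = new TextEncoder().encode(text);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, data);
  return { iv, ciphertext: new Uint8Array(ct) };
}

async function decryptMessage(key, { iv, ciphertext }) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
  return new TextDecoder().decode(pt);
}

// Constructed two-party session; a relay sees only public keys and ciphertext.
async function demoSession() {
  const alice = await newSessionKeyPair();
  const bob = await newSessionKeyPair();
  const alicePub = await exportPublic(alice);
  const bobPub = await exportPublic(bob);
  const aliceKey = await deriveChatKey(alice.privateKey, bobPub);
  const bobKey = await deriveChatKey(bob.privateKey, alicePub);
  const relayed = await encryptMessage(aliceKey, "hello (constructed sample)");
  const received = await decryptMessage(bobKey, relayed);
  // A relay that flips one bit fails the GCM tag check on the receiving side.
  const tampered = { iv: relayed.iv, ciphertext: relayed.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1;
  const tamperRejected = await decryptMessage(bobKey, tampered).then(() => false, () => true);
  return { received, tamperRejected, publicKeyBytes: alicePub.length };
}
```

Because the private keys are created non-extractable and held only in memory, nothing in this flow can be written to storage, which is what makes the keys ephemeral.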
WebRTC video
Video and audio use WebRTC, which is encrypted in transit by default (DTLS-SRTP). Streams are peer-to-peer where possible — your video does not flow through our servers.
Account protection
- Passwords are hashed with industry-standard algorithms by our auth provider.
- Sessions use signed JWTs with short refresh windows.
- Row-Level Security on our database ensures you can only access your own data.
What we cannot protect against
End-to-end encryption protects messages in transit and at rest on the server. It does not stop the person you're chatting with from screen-recording their own screen. Always assume the other person could capture your conversation.
Responsible disclosure
Found a vulnerability? Email privacy@chatmeup.app with details. Please give us a reasonable window to fix it before public disclosure.
More
For data handling and rights, see our Privacy Policy.