Exactly two things. ① Your identity vault: both private keys and your recovery words, sealed with AES-256-GCM under a key derived from your App Password (PBKDF2, 600,000 rounds) and kept in this browser's localStorage. ② Your message database: conversations, contacts, and groups, stored readable in this browser's IndexedDB — the password protects your keys, not your history. That's the complete list. Nothing about you exists anywhere else.

The relay is a dumb, blind mailbox. It stores sealed envelopes for at most 24 hours, has no user accounts, and rate-limits per IP. Anyone can run one — it's ~200 lines of open-source code.

Your 12 recovery words recreate your exact keys on any device — same address, so contacts can still reach you (ID → Recovery words to view them again). Message history does not come back: it only ever existed on your devices, which is the point — there is no server copy of it for anyone to recover, including you. No words and no backup file means the identity is gone permanently. Nobody can reset it, because nobody else has it.

Don't want permanence? Skip the backup. Use an identity for a session, then Menu → Delete this identity. Fresh keys take five seconds and cost nothing — new address, clean slate. Contacts from the old session can't reach the new you. Disposable identities are a feature here, not an accident.

Each message gets a fresh ephemeral ECDH P-256 key, run through HKDF into a one-time AES-256-GCM key, and is signed with your long-term ECDSA key — all with the browser's native Web Crypto API, zero libraries. Payloads are padded to 256-byte blocks so length reveals nothing. Replay attacks are rejected with a counter sealed inside the ciphertext.

Groups use a shared AES-256-GCM key distributed over the existing encrypted 1:1 channels. The relay sees the group as one anonymous address — it doesn't even know it's serving a group. Add or remove a member and the key rotates: removed members can't read anything sent after they left.

In any conversation, tap Auto-delete to expire messages from your device (1h–7d). The other side keeps their copy until they set their own timer. The relay independently deletes all envelopes after 24 hours.

1. Keys are trusted on first use. There are no safety numbers yet. For high-stakes contacts, exchange QR codes in person, or compare your identicons over a channel you trust.
2. Forward secrecy is sender-side only. If your long-term key leaks, messages previously sent to you that an attacker recorded could be decrypted. (Sent messages stay safe — their ephemeral keys are gone.)
3. Local history is readable on your device. Use your OS's disk encryption and screen lock; the App Password protects keys, not the message database.
4. Relays see metadata. Timing, padded sizes, and IPs. The demo relay is shared; run your own to control it.
5. iOS can evict browser data after ~7 days of disuse. Install to your Home Screen and write down your 12 words.