shield Privacy & security

Private by design.
Gone by default.

zwip is built so there's as little to protect as possible: no accounts, no history, and rooms that erase themselves. Here's exactly how it works — and where the limits are.

person_off

No accounts, no personal data

There's no sign-up. We never ask for an email, phone number, or password, and we don't create a profile for you. To use zwip you pick a display name for a single room — that's it.

timer

Ephemeral rooms that self-destruct

A room exists only while it's in use. After 60 minutes of inactivity it is destroyed automatically — and when it goes, its messages and every uploaded file are permanently deleted from the server, not just hidden.

There is no archive, no search history, and no "seen" trail left behind.

lock

Private & hard to guess

Rooms aren't listed or discoverable anywhere — the only way in is the code. Codes are generated with a cryptographically secure random source, so they can't be predicted or enumerated.

Automation tokens (webhooks) are stored only as a one-way SHA-256 hash and shown to you once, like an API key.

https

Encrypted in transit

All traffic is served over HTTPS, and live messaging runs over secure WebSockets (wss://). Data between your browser and zwip is encrypted end to end of the network path.

enhanced_encryption

Encrypted at rest

Your messages, sender names, room names and uploaded files are encrypted before they're written to disk (AES-256-GCM). Nothing is stored in plaintext, so a leaked database or stolen backup is unreadable ciphertext without the key.

This is not the same as end-to-end encryption — see the honest note below.

block

No ads, no tracking, no selling data

zwip doesn't run advertising, doesn't build behavioural profiles, and doesn't sell or share your data. Because we don't collect accounts or history, there's simply very little to monetise — and that's the point.

Where zwip is hosted

dns

Hosted in Finland 🇫🇮

zwip runs on servers in Finland, a member state of the European Union. That means it operates under the EU's General Data Protection Regulation (GDPR) — one of the world's strictest privacy frameworks — as implemented nationally by Finland's Data Protection Act (Tietosuojalaki, 1050/2018), overseen by the Finnish Office of the Data Protection Ombudsman.

Finland also has a long tradition of strong privacy protection and press freedom, and consistently ranks among the world's leaders on digital rights.

Being honest about the limits

Privacy claims are only worth anything if they're honest, so:

info
Messages are not end-to-end encrypted. They're encrypted in transit and at rest, but the server holds the key so it can relay and briefly store them until the room expires — which means at-rest encryption protects against a leaked disk or backup, not against the server itself or its operator. zwip is designed for ephemeral, low-stakes conversations — not for secrets that would be catastrophic if exposed. Anyone who has a room's code can join it, so share codes only with people you trust, and prefer a fresh room for a fresh conversation.

Want to be fully in control? zwip is self-hostable — run your own instance and the data never leaves your hardware. See the API docs.