Privacy Policy

Last Updated: December 2, 2025

Introduction

At zk.im, we are committed to protecting your privacy. This Privacy Policy explains how we handle information in our zero-knowledge decentralized messaging platform. Our architecture is designed from the ground up to minimize data collection and maximize user privacy.

Key Principle: We collect the absolute minimum data necessary to provide our services. Most data never leaves your device, and we cannot access your encrypted messages or personal information.

Zero Metadata Collection
We do not collect message metadata

Unlike traditional messaging platforms, zk.im does not collect or store metadata about your communications:

  • We do not know who you communicate with
  • We do not know when you send or receive messages
  • We do not know how often you use the platform
  • We do not store your contact lists
  • We do not track your device information for messaging
  • We do not collect location data for messaging services

Why this matters: Metadata can reveal as much about you as the content of your messages. By collecting zero metadata, we ensure that even if our systems were compromised, there would be no communication patterns to analyze.

Data We Collect
Minimal data collection for service operation

Website Analytics (Anonymous)

For website traffic analysis, we collect anonymous, aggregated data:

  • Hashed IP Address + User-Agent: Combined and hashed using BLAKE3 to create an anonymous visitor identifier. We cannot reverse this to identify you.
  • Page Paths: Which pages were visited (e.g., "/blog", "/chat")
  • Referrer Information: Which website referred you (if available)
  • Device Type: Desktop, mobile, or tablet (from User-Agent parsing)
  • Browser & OS: Browser type and operating system (from User-Agent parsing)

Important: We do not use cookies, tracking pixels, or any client-side tracking scripts. All analytics are processed server-side from HTTP access logs.

Geographic Data (ZKIM Geo Database)

For network optimization and security, we use the ZKIM Geo Database to determine approximate location:

  • Country & Region: Approximate geographic location (city-level accuracy, typically within 5-10km)
  • Network Information: ISP and organization data for security analysis

How it works: This data is derived server-side from your IP address using the ZKIM Geo Database. No client-side JavaScript or tracking is used. This data is used only for analytics and network optimization, never for advertising or profiling.

Wallet-Based Authentication

When you connect a wallet (MetaMask, Phantom, etc.), we receive:

  • Wallet Address: Your blockchain wallet address (public information)
  • Chain Information: Which blockchain network you're using

Important: We do not store your private keys. All key management happens client-side. For Invisible Wallet users, keys are never stored—they are constructed on-demand from multiple factors.

Data We Do NOT Collect
Your privacy is our priority

We explicitly do not collect:

  • Message Content: All messages are encrypted end-to-end. We cannot read them.
  • Personal Information: Name, email, phone number, or any personally identifiable information (unless you choose to share it in your profile)
  • Contact Lists: We do not access or store your device contacts
  • Location Data: We do not request or track your precise location
  • Biometric Data: Biometric authentication data (fingerprints, face ID) never leaves your device
  • Device Identifiers: We do not use device IDs, advertising IDs, or other persistent identifiers
  • Cookies for Tracking: We do not use tracking cookies or third-party analytics services
  • Social Media Data: We do not access your social media accounts or profiles

How We Store Your Data
Client-side encryption and decentralized storage

Client-Side Encryption

All user data is encrypted on your device before it is stored or transmitted:

  • Encryption Standard: XChaCha20-Poly1305 (via libsodium-wrappers-sumo)
  • Key Management: Keys are derived using Argon2id13 (memory-hard, provides resistance against brute-force attacks)
  • Zero-Knowledge: We never see your encryption keys or unencrypted data

Decentralized Storage

Your data is stored in decentralized systems:

  • ZKIM CAS (Content Addressable Storage): User-controlled, mutable storage for messages, profiles, and preferences. You can update or delete this data at any time.
  • Arweave (Permanent Storage): Used only for critical records like username registrations and wallet mappings. These are permanent and censorship-resistant.
  • Local Storage: Temporary session data and cache stored only on your device.

No Backend Servers

Unlike traditional platforms, zk.im has no backend servers that store your data:

  • No centralized database with your messages
  • No server-side backups of your data
  • No corporate access to your information
  • No government subpoena capability (we have nothing to provide)

Your Privacy Rights
You control your data

Data Control

  • Access: You can access all your data stored in ZKIM CAS at any time
  • Modification: You can update or modify your profile and preferences
  • Deletion: You can delete your messages and profile data by unpinning from ZKIM CAS
  • Export: You can export your data in standard formats

Opt-Out Options

  • Analytics: You can block analytics by using ad-blockers or privacy-focused browsers
  • Location Data: Geographic data is derived automatically but not used for advertising or profiling

GDPR & CCPA Compliance

Even though we collect minimal data, we respect your rights under GDPR, CCPA, and other privacy regulations:

  • Right to access your data
  • Right to rectification (correction)
  • Right to erasure (deletion)
  • Right to data portability
  • Right to object to processing

Data Sharing & Third Parties
We do not sell your data

We do not sell, rent, or share your personal data with third parties.

The only exceptions are:

  • Blockchain Networks: When you make transactions, data is published to public blockchains (this is inherent to blockchain technology)
  • P2P Network: Encrypted messages are relayed through the peer-to-peer network, but peers cannot decrypt them
  • Legal Requirements: If required by law, we would comply, but we have minimal data to provide (only anonymous analytics)

Security Measures
How we protect your data

  • End-to-End Encryption: Three-layer encryption (platform, user, content) ensures maximum security
  • Quantum-Resistant Cryptography: We use memory-hard key derivation (Argon2id13) and strong classical encryption (XChaCha20-Poly1305 with 256-bit keys) that provides resistance against quantum attacks. Post-quantum algorithms (Kyber, Dilithium) are planned for future implementation.
  • Zero-Knowledge Architecture: We cannot access your encrypted data even if we wanted to
  • Decentralized Infrastructure: No single point of failure or compromise
  • Client-Side Key Management: Keys are generated and managed on your device, never transmitted to servers

Children's Privacy

zk.im is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on this page
  • Updating the "Last Updated" date at the top
  • Displaying a notice in the application for significant changes

Your continued use of zk.im after changes become effective constitutes acceptance of the updated policy.

Contact Us
Questions about privacy?

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Website: zk.im
  • Support: Available through the platform's help system