Privacy Policy

We don't want your data

Last updated: May 26, 2026

nbit.chat is built on a simple principle: your conversations are none of our business. This privacy policy explains what data touches our servers, what stays in your browser, and what we never see at all.

The short version

  • We cannot read your messages - they're encrypted before they leave your device
  • We do not store plaintext messages on our servers
  • We do not require accounts, emails, or any personal information
  • We do not use analytics, tracking cookies, or advertising
  • We do not sell, share, or monetize personal data

End-to-end encryption

All text messages and file transfers are encrypted on your device using RSA encryption with per-message AES-256-GCM symmetric keys before being transmitted. Encryption keys are generated entirely in your browser using the Web Crypto API. Your private key never leaves your device unless you explicitly copy and share it.

Our servers relay encrypted data between participants but have no ability to decrypt it. We do not hold, generate, or escrow any decryption keys.

Voice and video calls

Voice and video connections are established peer-to-peer using WebRTC. Audio and video streams travel directly between participants, encrypted by the browser's built-in DTLS-SRTP encryption. Our servers only handle the initial signaling (offer/answer/ICE candidates) to help peers find each other. No audio or video data passes through or is recorded on our servers.

We use Cloudflare STUN/TURN servers to assist with NAT traversal when direct peer connections aren't possible. Cloudflare's own privacy policy applies to their relay service.

What our servers temporarily process

When you connect to a chat room, our WebSocket servers necessarily handle certain connection-level data to operate. Here is exactly what that includes:

  • IP address - Used solely for rate limiting and abuse prevention (e.g., blocking spam). Not logged to disk, not transmitted to other users.
  • User agent string - Combined with IP to create a temporary fingerprint hash for reconnection and rate limiting.
  • Randomly generated client ID - Created per session, not linked to any real identity.
  • Encrypted profile data - If you set an alias or avatar, it is encrypted client-side before being sent. The server stores the encrypted blob for up to 1 year to display your profile to other participants. We cannot decrypt it.
  • Channel membership - The server tracks which client IDs are in which rooms so it can route messages. This is held in memory and not persisted.

What our servers do NOT have

  • Plaintext messages, files, or any decrypted content
  • Encryption or decryption keys
  • Email addresses, phone numbers, or real names
  • Browsing history or page analytics
  • Cookies (we set none)
  • Third-party trackers or advertising scripts

What your browser stores locally

nbit.chat uses your browser's IndexedDB to store data locally on your device. This includes:

  • Your encrypted chat messages (stored locally so you can see history)
  • Room metadata (chat ID, public key)
  • Audio/microphone settings
  • Recently accessed room IDs

All of this stays on your device. We never upload it. Clearing your browser data permanently deletes it. There is no recovery mechanism - this is intentional.

File transfers

Files are encrypted client-side and transferred in chunks through our server. During an active transfer, encrypted chunks are temporarily cached on the server to handle connection interruptions. These chunks are automatically deleted after 7 days or when the transfer completes, whichever comes first. We cannot decrypt the file content.

Room administration

Room creators can act as administrators and may ban disruptive users. Ban records include the banned user's client ID, IP-based fingerprint hash, and user agent. This data is stored per-channel to enforce bans across reconnections. Banned users' data persists until an admin unbans them or the channel is deleted.

Third-party services

  • Cloudflare - STUN/TURN relay for WebRTC NAT traversal. Cloudflare may process connection metadata under their own privacy policy.
  • Tenor (Google) - If you use the GIF search feature, your search query is sent to nbit.chat, then nbit.chat sends the query to Tenor's API and proxies the returned GIF media. Tenor sees the request from our server, not your browser IP.
  • SponsorBlock - If you play an embedded YouTube preview, nbit.chat may request sponsor-segment metadata from sponsor.ajay.app using the YouTube video ID. This is used only to skip sponsor, intro, outro, or filler segments in the embedded preview.

We do not use Google Analytics, Facebook Pixel, Sentry, Hotjar, or any other analytics or error tracking service.

Data retention

Data                      Retention
Chat messages             Never stored on server. Local browser storage only.
Encrypted user profiles   Up to 1 year from last activity, then auto-deleted.
File transfer chunks      7 days maximum, then auto-deleted.
Rate limit records        5 minutes.
Reconnection sessions     Up to 5 minutes.
Empty channels            Deleted when inactive for 1 year.

Children's privacy

nbit.chat is not directed at children under 13. We do not knowingly collect any information from children. Since we don't collect personal information from anyone, this applies universally.

Changes to this policy

If we update this privacy policy, the changes will be posted on this page with an updated date. Since we don't collect email addresses, we can't notify you directly - we recommend checking this page periodically.

Contact

If you have questions about this privacy policy, reach us at contact@nbit.chat.


© 2026 nbit.chat — Built for people who value their privacy.