Whispr Privacy Policy

Whispr is developed and maintained under the name PointBreakLab (pointbreaklab.com), a privacy-first independent software project based in Würzburg, Germany. The operator is the data controller for the purposes of applicable privacy law (GDPR / DSGVO). Contact: mail.roshankumargupta@gmail.com

We collect nothing. Whispr has no backend servers, no registration system, no accounts in the cloud, and no analytics SDK. The app never connects to a PointBreakLab server.

Whispr is a serverless, peer-to-peer messaging application. Messages travel directly between devices over three channels: • Local Wi-Fi (LAN) — direct HTTP between devices on the same network, with every message wrapped in ECIES application-layer encryption so contents are invisible to other devices on the same network. • Bluetooth LE mesh — multi-hop relay between nearby devices for offline messaging. Payloads are end-to-end encrypted before entering the mesh. • Tor hidden services — over the internet via the Tor anonymity network. Your IP address is not revealed to your contact. All three channels apply end-to-end encryption using the Signal Protocol (X3DH key agreement + Double Ratchet algorithm) before any data leaves your device. PointBreakLab cannot decrypt your messages even if compelled by law.

All app data is stored exclusively on your device: • Messages, contacts, and settings are stored in an SQLite database encrypted with SQLCipher (AES-256-CBC full-file encryption) on Android and iOS. • Cryptographic private keys are stored in your device's secure hardware enclave: Android Keystore on Android, iOS Keychain on iPhone. • The database encryption key is derived from your password using PBKDF2-SHA512 (200,000 iterations) and is never stored in plaintext. • Whispr does not use iCloud, Google Drive, or any cloud backup for message data. If you use the built-in encrypted backup feature, the backup file is saved to your local device storage — you control where it goes.

Whispr contains no advertising SDKs, no social login, and no third-party analytics. The only third-party component that may contact an external server is the embedded Tor daemon, which connects to the Tor network for routing — not to any PointBreakLab server. The Tor Project's privacy policy applies to that connection (torproject.org). The QR-code scanning library (Google ML Kit via mobile_scanner) includes Firebase Transport Runtime as a transitive dependency. This component is bundled but does not transmit data; it is used only for local barcode detection. No Firebase project is configured in Whispr.

Whispr requests the following device permissions and explains exactly why:

Because all data exists only on your device, you are in full control of deletion: • Uninstalling the app removes all stored data. • The "Data Burn" feature (Settings → Security → Panic Button) performs a 3-pass cryptographic wipe: the database encryption key is destroyed first (making all stored data permanently unreadable), all table rows are deleted, and the database file is overwritten three times before unlinking. • Disappearing messages are automatically deleted from your device after the timer you set expires. There is no data stored with PointBreakLab to delete.

Whispr is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect information from children. Because Whispr collects no data from any user, no special handling of children's data is required.

Under GDPR, CCPA, and similar laws you have rights including access, rectification, erasure, and portability of your personal data. Because PointBreakLab holds no personal data about you, there is nothing for us to access, correct, export, or delete on our end. All such data exists only on your device and is entirely under your control. If you have questions, contact us at mail.roshankumargupta@gmail.com.

Whispr is designed from the ground up for security: • End-to-end encryption: X3DH + Double Ratchet (Signal Protocol), AES-256-GCM per message. • At-rest encryption: SQLCipher AES-256 full-database encryption on mobile. • Key protection: private keys stored in Android Keystore / iOS Keychain with hardware-backed protection. • Transport: ECIES application-layer encryption on LAN; Tor hidden services for internet transport. No security system is perfect. Whispr is provided as-is without warranty. See the in-app Security Guide for best practices.

We may update this Privacy Policy when we release a new version of the app. The updated policy will be included in the new version and available at pointbreaklab.com. The date at the top of this document reflects the most recent revision.

Questions about this Privacy Policy: PointBreakLab mail.roshankumargupta@gmail.com pointbreaklab.com