← Back to OceansWave

Privacy Policy

Effective Date: January 2025

Our Commitment to Privacy

OceansWave is built on a fundamental principle: your conversations belong to you. We employ zero-knowledge architecture, which means we cannot read, listen to, or access the content of your voice messages—even if we wanted to.

This isn't just a policy decision; it's mathematically enforced through end-to-end encryption using XChaCha20-Poly1305, a military-grade cryptographic standard.

What We Cannot Access

  • Voice message content — Encrypted on your device before transmission
  • Encryption keys — Generated and stored only on your device
  • Message metadata — Who you're talking to is protected
  • Recovery phrases — Your 24-word backup never touches our servers

Information We Collect

To provide the service, we collect minimal information:

  • Account information — Email address for authentication (via Clerk)
  • Public keys — Your public encryption key (not your private key) for message routing
  • Encrypted blobs — Your voice messages in encrypted form (unreadable to us)
  • Timestamps — When messages were sent, for burn timer functionality

How End-to-End Encryption Works

When you record a voice message:

  1. A unique encryption key is generated on your device
  2. Your message is encrypted using XChaCha20-Poly1305
  3. Only the encrypted data is sent to our servers
  4. The recipient's device decrypts the message locally

At no point can OceansWave, your ISP, or any third party access the original audio.

Self-Destructing Messages

When a burn timer expires:

  • The encrypted audio file is permanently deleted from our servers
  • Associated encryption keys are cryptographically erased
  • Recovery is mathematically impossible

This process is automated and irreversible. We cannot retrieve deleted messages under any circumstances.

Third-Party Services

We use the following third-party services:

  • Clerk — For authentication (email, session management)
  • Infrastructure providers — For hosting (encrypted data only)

These services never have access to your decrypted message content.

Data Retention

  • Voice messages — Deleted when burn timer expires (1 minute to 3 months)
  • Account data — Retained while your account is active
  • Upon account deletion — All associated data is permanently removed within 30 days

Your Rights

You have the right to:

  • Access — Request a copy of data we hold about you
  • Delete — Request deletion of your account and associated data
  • Export — Download your data in a portable format
  • Control — Manage your encryption keys via backup/recovery

Law Enforcement Requests

If we receive a legal request for user data, we can only provide:

  • Account email address (if registered)
  • Encrypted data blobs (mathematically unreadable without user keys)
  • Public keys and timestamps

We cannot provide decrypted message content because we do not have the keys to decrypt it.This is the core protection of zero-knowledge architecture.

Changes to This Policy

We may update this policy to reflect changes in our practices or for legal compliance. Significant changes will be communicated through the app or via email.

Contact Us

Questions about our privacy practices? Contact us at:

support@oceanswave.ae