A platform for artists.
Post music, share announcements with your followers, build a paying audience. Direct connection between creators and the people who care about their work.
Private by design.
Your direct messages and group messages are end-to-end encrypted. We can't read them. See Security & Privacy for the specifics.
Earnings for creators.
Tips, subscriptions, merch, and music sales flow through to you directly.
Open source. Donation-supported.
TheFlow is built so your most sensitive communication stays readable only by you and the people you choose to talk to. Not by us. Not by our infrastructure providers. Not by anyone served a subpoena. This page explains exactly how, what the limits are, and what control you have.
We care about being honest with you. Cryptography is a field where it is easy to make impressive-sounding claims that do not hold up. We will tell you what is actually true, where our guarantees end, and when you should use a different tool.
Your direct messages, group messages, and attachments are end-to-end encrypted using libsodium, the cryptographic library behind Wire, 1Password, and ProtonMail. We use X25519 for key exchange, the same elliptic curve used by Signal, WireGuard, and modern TLS. Your video and voice calls are encrypted peer-to-peer via WebRTC. We cannot read any of these, and we cannot be compelled to produce what we do not have.
Your conversations come in two kinds. Standard conversations are encrypted and stored on our servers, as ciphertext we cannot read, until you delete them, so your history syncs across your devices and can be restored through account recovery. Vanishing conversations are encrypted and automatically deleted, from every participant's devices and our servers, on a timer you choose. Either participant can also delete an entire conversation instantly, wiping it from both sides completely.
For the highest-risk work, such as protecting confidential sources as a journalist, we recommend Signal. Signal is purpose-built for that threat model and makes architectural choices we cannot match while also serving as a music platform with artist payouts. TheFlow's private messaging is meaningfully stronger than any mainstream social platform. It is not a replacement for Signal.
Every direct message on TheFlow is end-to-end encrypted using libsodium. We use X25519 for key exchange and XSalsa20-Poly1305 for authenticated encryption with 256-bit keys. These primitives have been peer-reviewed for over a decade and are considered secure by contemporary cryptographic standards. They are equivalent in security to AES-256-GCM and come from the same cryptographic family used in Signal, WhatsApp, WireGuard, and TLS 1.3.
To be specific about the Signal comparison: we use the same elliptic curve (X25519) that Signal uses for key exchange. We do not yet use the full Signal Protocol. The Double Ratchet construction that provides per-message forward secrecy is on our roadmap. Our current encryption is strong against the threats that matter for most users. The Double Ratchet would close a specific class of risk (past messages becoming readable if your key is ever compromised) that matters more for users facing sophisticated adversaries.
When you send a message, your device generates a fresh random nonce, encrypts the message using your private key and the recipient's public key, and sends the ciphertext to our servers. We forward the ciphertext to the recipient's device, where it is decrypted with the recipient's private key and your public key.
What this means concretely:
TheFlow's servers never see the plaintext of your messages. Our databases store only ciphertext. Our backups contain only ciphertext. If we are legally compelled to hand over your messages, we provide ciphertext, which is useless without the recipient's private key. If we are breached, attackers get ciphertext, which is useless without private keys.
What this does not protect against:
The person you are messaging. If they screenshot, save, or share your message, no platform can prevent that.
Someone with full control of your device. If an attacker is reading your screen or has extracted your private key, they can decrypt your messages.
Future cryptographic advances. The primitives we use are strong against current known attacks. They are not post-quantum. If an adversary is recording your encrypted messages today to decrypt after future quantum computers exist, we cannot protect against that today. We are tracking the NIST post-quantum standards (ML-KEM, ML-DSA) and will adopt them in line with industry consensus, following the hybrid approach that Signal and Apple have established with PQXDH and iMessage PQ3.
Group messages work like direct messages, applied to each recipient. When you send a message to a group of N people, your device encrypts it separately for each recipient's public key, producing N ciphertexts, and sends all of them to our servers for routing. Our servers see that a group message was sent and to whom, but never the content.
Adding someone to a group gives them access to future messages only. They cannot read messages sent before they joined. Removing someone from a group stops them from receiving future messages, but does not erase messages already on their device.
Media attached to direct or group messages (photos, audio clips, short videos) is encrypted the same way as message text. Your device encrypts the file with a random symmetric key, uploads the ciphertext to our media storage, and sends the decryption key inside the encrypted message. The recipient's device fetches the ciphertext and decrypts locally.
Neither we nor our storage provider can read attachment contents. Our CDN delivers opaque encrypted blobs to recipient devices.
Media you post publicly (profile photos, cover art, announcements, songs uploaded to your catalog) is stored unencrypted because it is meant to be seen or streamed. Our servers can see this content, as can anyone you have granted visibility to.
All calls on TheFlow use WebRTC, which mandates end-to-end encryption of media streams via DTLS-SRTP. This is not optional in the WebRTC specification. Your browser's WebRTC implementation encrypts call content by default using ephemeral keys negotiated directly between participants.
Voice and video content flows peer-to-peer, encrypted with keys our servers never see. When a direct peer-to-peer connection is impossible due to network restrictions, calls may be relayed through a TURN server. The relay handles already-encrypted packets and cannot decrypt them.
We do not record calls. We do not have the technical ability to record calls even if compelled. We see call signaling metadata: who called whom, when the call started, when it ended, and how long it lasted. This metadata is necessary to route calls and may be retained briefly for operational purposes.
Beams are one-to-many broadcasts from an artist to their followers or subscribers. They are not end-to-end encrypted, because encryption would defeat the purpose of content intended to reach thousands of people. Beams are transmitted over TLS and stored on our servers, with access controlled by the visibility setting you choose.
If you want to communicate privately with specific followers, use direct messages or group messages. Beams are public or semi-public by design.
Every private conversation on TheFlow is end-to-end encrypted. We cannot read any of it. What differs between the two kinds of conversation is how long it exists.
Standard conversations are stored on our servers in encrypted form until you delete them. Your history syncs across your devices, and if you use account recovery after losing your devices and password, your messages come back with your account. We hold only ciphertext we cannot read. Metadata about who you messaged and when is retained under conventional policies until the conversation is deleted.
The residual risk with stored history is this: if your password is ever compromised, your encrypted backup could theoretically be decrypted offline. We defend against this by enforcing strong passwords at signup (zxcvbn score 3 or higher, checked against known breach corpora, stretched with Argon2id), but the defense is probabilistic, not absolute. For sensitive exchanges, use a vanishing conversation or delete the conversation when you are done.
Set a timer on any conversation and its messages are automatically deleted when the timer expires, from your device, from the other participant's device, and from our servers. The deletion is real: once a message vanishes, there is no ciphertext left on our infrastructure and no copy on either device for us or anyone else to recover.
If a participant is offline when a message expires, the deletion instruction is held and applied to their device the next time it connects, for up to 30 days. This waiting period is a consequence of real end-to-end encryption, not a weakness: we cannot reach into an offline device or decrypt anything on it, so the instruction waits until that device comes back online to carry out the deletion itself.
Either participant can delete an entire conversation at any time. When you do, the conversation and all of its messages are removed from both participants' devices and from our servers completely, including the record that the conversation existed. This is immediate on connected devices; an offline device applies it on reconnect within the same 30-day window.
A reminder: deletion and vanishing remove the message from TheFlow and from the app. They do not prevent the other person from screenshotting or saving a message before it is gone. Anyone you message can capture what you send. No platform can prevent this.
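A simulation of the vanishing-conversation behaviour described above, added here as an example and not taken from TheFlow's code: the server drops its ciphertext the moment the timer expires, a connected device deletes at once, and the deletion instruction for an offline device is held and applied on reconnect. The class and device names, the placeholder ciphertext strings, and one detail are assumptions: an instruction older than the 30-day hold is dropped, since the page only says "up to 30 days".

```javascript
// Added example (not TheFlow's code): vanishing-message expiry and the
// held deletion instruction for offline devices. Message bodies are
// placeholder strings; the point is where copies exist over time.
const DAY = 24 * 60 * 60 * 1000;
const HOLD_WINDOW = 30 * DAY;

class Device {
  constructor(id) { this.id = id; this.online = true; this.messages = new Map(); }
}

class Server {
  constructor() {
    this.ciphertexts = new Map();   // msgId -> { ciphertext, expiresAt, deviceIds }
    this.pending = new Map();       // deviceId -> [{ msgId, issuedAt }]
  }

  // Store the ciphertext, deliver to every online device, note the expiry.
  send(msgId, ciphertext, timer, now, devices) {
    this.ciphertexts.set(msgId, { ciphertext, expiresAt: now + timer, deviceIds: devices.map((d) => d.id) });
    for (const d of devices) if (d.online) d.messages.set(msgId, ciphertext);
  }

  // Timer expiry: the server copy goes immediately; an online device deletes
  // now, an offline one gets the instruction queued.
  tick(now, devices) {
    for (const [msgId, rec] of this.ciphertexts) {
      if (now < rec.expiresAt) continue;
      this.ciphertexts.delete(msgId);
      for (const d of devices.filter((x) => rec.deviceIds.includes(x.id))) {
        if (d.online) d.messages.delete(msgId);
        else this.queueDelete(d.id, msgId, now);
      }
    }
  }

  queueDelete(deviceId, msgId, now) {
    if (!this.pending.has(deviceId)) this.pending.set(deviceId, []);
    this.pending.get(deviceId).push({ msgId, issuedAt: now });
  }

  // A device reconnects: apply held instructions still inside the window.
  reconnect(device, now) {
    device.online = true;
    const held = this.pending.get(device.id) || [];
    let applied = 0;
    let dropped = 0;
    for (const instr of held) {
      if (now - instr.issuedAt <= HOLD_WINDOW) { device.messages.delete(instr.msgId); applied++; }
      else dropped++;                 // assumption: beyond the hold window the instruction lapses
    }
    this.pending.delete(device.id);
    return { applied, dropped };
  }
}

function vanishingDemo() {
  const server = new Server();
  const alice = new Device('alice-phone');
  const bob = new Device('bob-phone');
  let now = 0;
  server.send('m1', 'ct:constructed-1', 1 * DAY, now, [alice, bob]);
  bob.online = false;                 // Bob goes offline before the timer fires
  now = 1 * DAY;
  server.tick(now, [alice, bob]);
  const afterExpiry = {
    serverHasCopy: server.ciphertexts.has('m1'),   // false: nothing left to subpoena
    aliceHasCopy: alice.messages.has('m1'),         // false: online device deleted
    bobHasCopy: bob.messages.has('m1'),             // true: unreachable until reconnect
  };
  now = 10 * DAY;                     // Bob reconnects inside the 30-day hold
  const reconnect = server.reconnect(bob, now);
  return { afterExpiry, reconnect, bobHasCopyAfterReconnect: bob.messages.has('m1') };
}
```

The simulation makes the page's point about the waiting period visible: between expiry and reconnect, the only surviving copy is the one on the offline device, which the server cannot reach and cannot read.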
These tools are available in any conversation:
Disappearing messages. You can set a timer on any conversation (5 minutes, 1 hour, 1 day, 30 days, or off). When the timer expires, messages are deleted from your device, the other participant's device, and our servers. If a device is offline at expiry, it applies the deletion the next time it connects, for up to 30 days.
Delete individual messages. You can delete any message you have sent. It is removed from our servers immediately and from the recipient's device the next time their app connects. If the recipient has already read or screenshotted the message, we cannot undo that.
Delete all your messages. You can wipe your entire message history from TheFlow's servers at any time. This removes all ciphertext of every message you have sent or received. Recipients may still have copies on their own devices.
Delete your account. You can permanently delete your TheFlow account. All account data is removed from our live systems immediately and purged from our backups within 30 days. Earnings records are retained for legal and tax purposes as required by law, with your identity minimized where possible.
Verify fingerprints. Each account has a short cryptographic fingerprint derived from its public key. For sensitive conversations, you and the person you are messaging can compare fingerprints through a different channel (in person, by phone) to confirm that no key substitution has occurred. Most users will not need this, but it is available for those who do.
TheFlow is a platform where artists' livelihoods depend on account access. We made a deliberate choice: rather than follow Signal's model (lose your device, lose your account, no exceptions), we offer identity-verified account recovery for users who have lost their password and all their devices.
Recovery requires identity verification through liveness check and government ID, includes a 24-hour cooling-off period during which notifications are sent to all your existing devices and email address, and results in a password reset and device re-enrollment. Recovery gives you back your account. It does not restore message history that was end-to-end encrypted under keys you no longer have. Your standard (stored) conversation history returns if the password-derived key can be reconstructed. Conversations you deleted, and messages that vanished on a timer, are gone - there is nothing on our servers to restore.
If you prioritize maximum surveillance resistance over account recoverability, you can disable identity-verified recovery in your security settings. If you lose your password and all your devices with recovery disabled, your account is permanently unrecoverable.
We receive and respond to lawful legal requests. We will publish a transparency report annually.
We can provide in all modes:
Account metadata (creation date, last connection, email address, profile information you have made visible). Payment and earnings records as required by financial regulations. Public posts and announcements. Your encrypted account recovery blob, useless without your password.
We can provide for standard conversations:
Ciphertext of messages in those conversations until you delete them, useless without the recipient's private key. Metadata about when those conversations occurred.
We can provide for vanishing or deleted conversations:
Nothing. Once a message has vanished or a conversation has been deleted, its ciphertext and metadata are gone from our infrastructure, including the record that the conversation occurred. The only exception is the active delivery window for a message still in transit to an offline device (up to 72 hours).
We cannot provide for any conversation:
Plaintext of direct or group messages. Plaintext of message attachments. Content of voice or video calls. Your private keys. The plaintext contents of your recovery blob or encrypted backup.
If you are compelled by legal process to reveal your password, authorities could potentially decrypt your recovery blob offline (expensive but possible with weak passwords) and use the recovered private key to decrypt any message ciphertext they obtained from us. The mitigations are strong password enforcement, using vanishing messages or deleting conversations for sensitive exchanges, and disabling recovery entirely if your threat model requires it.
We will not add backdoors, escrow mechanisms accessible to TheFlow, or law-enforcement-accessible decryption for end-to-end encrypted content.
We will publish transparency reports annually detailing legal requests we have received and how we responded.
We will commission independent security audits of our encryption implementation and publish the results.
We will disclose promptly any compromise of our systems that could have exposed user data.
We will notify users of legal process affecting their accounts whenever legally permitted.
If you find a security issue, please report it to security@theflow.com. We operate a responsible disclosure program and credit researchers who find and responsibly report vulnerabilities.
The Signal Protocol. Our current encryption uses long-lived keys. If your private key is ever compromised, historical messages become readable by the attacker. The Signal Protocol's Double Ratchet solves this by rotating keys per message, so each message uses a unique key that is deleted immediately after use. We plan to adopt the Signal Protocol for a future release. This is the same mechanism used by Signal and WhatsApp.
Post-quantum cryptography. We will adopt the NIST post-quantum standards in hybrid schemes as the ecosystem matures, following the model established by Signal's PQXDH and Apple's iMessage PQ3.
Client-to-client device sync. Currently, if you use one of your devices rarely, it may miss messages that arrived during its offline period beyond our 72-hour delivery window. We plan to add direct device-to-device sync so your own devices can catch each other up without relying on server retention.
TheFlow provides strong end-to-end encryption for private communication. Standard conversations keep your encrypted history on our servers until you delete it, giving you cross-device sync and recoverable messages. Vanishing conversations and conversation deletion let you remove your history from our servers and from both devices entirely, on a schedule you choose or instantly.
Both protect your message content from us, from breaches of our infrastructure, and from legal process to a degree that exceeds any mainstream social platform. Neither is Signal. Signal is Signal, and it is the right tool for the narrow threat model it was designed for.
If you trust us, it is because we are being specific about what we protect, where our guarantees end, and what you should do when our guarantees are not enough. That is the honest shape of cryptography in a real product. We will not tell you otherwise.
Become an owner and member of TheFlow™
Join the first creator-owned media marketplace. Get 3-10x higher streaming payouts, own your data and your connection to your audience, get voting rights, and so much more.
"Finally, a platform that gets it. I'm going with TheFlow."
Jane Doe
Why become an owner?
Build a sustainable career
Up to 10x revenue per fan
Own your content & data
Vote on platform decisions
Three ways to earn
"Paid Attention" Streaming
Your earnings come directly from fans who actually listen to your music. If a fan listens only to you, you get their entire subscription (minus fees).
Backstage
Fans subscribe directly to you for exclusive content. You set the price (min $3/month) and decide what perks to offer: early releases, behind-the-scenes content, tutorials, or special events.
Digital Downloads
Sell high-quality music files directly to fans with full pricing control. Use "sell before you stream" for exclusive early access to create urgency around new releases.
Grow TheFlow Fund
How It Works
10% of all your revenue is invested in the fund
Sign 10 artists to the platform and get your full investment back
Additional referrals earn a proportional share of the remaining fund
Annual payouts in January - TheFlow never keeps any of the fund, 100% of the money goes back to the creators.
Membership benefits
Up to 10x higher revenue per fan
Direct to fan subscription system
Community investment fund participation
Access to all monetization tools
Transparent revenue analytics
Irrevocable profile and earnings control
Voting rights in platform decisions
Early member advantage
The $20 membership fee is our inaugural rate. Membership fees will increase as we provide more services and revenue streams with the platform.
Membership investment