Privacy Policy: secure messaging app
This document explains what data Mold collects, what it has no access to, and how it handles what it has. We designed our secure messaging app so that security becomes the architecture working by default.
Effective date of this document: April 15, 2026.
Responsibility.
Mold is owned by Wiss Core, conducting its operations in the State of California, USA. All company activities are subject to U.S. federal law and California state law. The most secure messaging app must be accountable to a clear legal framework. For questions related to this policy, contact us through our contact details.
The complete inventory.
The messenger without a phone number Mold stores only what is technically necessary for message delivery. The three categories below are the entire volume of data existing on our servers at any given time. This is the standard for an encrypted messaging app.
Mold ID (a sequential ICQ-like number), user nickname, public cryptographic key, date and time of account creation, date and time of last connection.
Messages awaiting delivery are stored on the messenger server in encrypted form. The blocks of encrypted messages may be deleted from the server, depending on the application settings. We do not own decryption keys and cannot read the contents of such messages.
The Mold application supports push notifications. To implement this process, Firebase Cloud Messaging tokens are used, necessary to wake the messenger on the device. These notifications do not contain message text.
Architecture, not a promise.
The following data categories physically do not exist in our infrastructure. This is the architectural fact of an end to end encryption messenger. The constitutional tradition of the United States protects the right to build such systems.
All messages are end-to-end encrypted with Noise Protocol XX with ChaCha20-Poly1305. Plain text never leaves the user device. We have no mechanism for decrypting conversations.
Private keys are generated and stored exclusively on the device. They are never transmitted to Mold servers. Key escrow does not exist.
Mold never uploads contacts from the device. We do not know who communicates with whom, except for dry routing information for active delivery.
Our application servers do not record client IP addresses.
Mold does not request permission to access location on any operating system and does not collect GPS, cell tower, or Wi-Fi access point data.
A messenger without a phone number does not require any item of personal identification for the purpose of registration in the system and subsequent correspondence.
The site where you are right now.
Moldchat.com does not use analytics services, advertising networks, or third-party tracking scripts. The most secure messaging app site avoids any external trackers.
On this site there are no Google Analytics, Meta Pixel, Hotjar, or any other tracking scripts. Moldchat.com does not measure or analyze user behavior.
The CMS (engine) on which this site runs sets a technical session cookie necessary for the proper operation of the site.
If you subscribe to project news, we will save your email exclusively for sending updates about work on the application and the expansion of the capabilities of the Mold messenger. You can unsubscribe from such notifications at any time. We do not transfer the email of our current and past subscribers to anyone.
Messages sent through our contact form (name, email, message text) are delivered directly to our team and are not stored in any long-term form.
User data retention periods
| Data type | Retention period | Basis |
|---|---|---|
| Account metadata | Until account deletion | Service operation |
| Encrypted blocks | Depends on user settings | Delivery |
| Push tokens | Until refresh or account deletion | Notification delivery |
| Preserved data (legal hold) | 90 days, one-time renewal | 18 U.S.C. § 2703(f) |
| CSAM evidence | ≥ 1 year | REPORT Act 2024 |
| Newsletter email | Until unsubscribe | Your consent |
Full user control.
The encrypted messenger Mold is designed so that you control your data by default, not on request. The following actions are available to every user without contacting us.
A user can delete their account at any time. If a user has fully deleted their account themselves, restoring it is no longer possible. Your cryptographic identity is erased from the server, the data on the device also no longer exists, and the 12-seed phrase is no longer linked to anything.
Dead Man's Switch erases your data automatically if the application has not been opened for a configurable period. Guardian Wipe allows a trusted contact to erase your data remotely.
Your messages are stored only on your device. Your cryptographic identity is derived from the 12-seed phrase. Our servers have nothing to export.
13+ only.
Mold is not intended for children under 13. We knowingly do not collect information about children. In accordance with the Children's Online Privacy Protection Act (COPPA), if we learn that a user is under thirteen, we will block account activity. We are registered with NCMEC and report all detected CSAM materials to the CyberTipline pursuant to 18 U.S.C. § 2258A.
CCPA.
Under the California Consumer Privacy Protection Act (CCPA), California residents have the right to know what personal information is collected by anyone and to request its deletion. The secure messaging app Mold operates with this law in mind. If the current implementation is not enough, please delete your account from the Mold application or contact us through our contact page.
The foundation: U.S. law.
The encrypted messenger Mold is operated from the United States and is subject to U.S. and California state law. If you use Mold outside the U.S., your data is processed in the United States and may transit through CDN nodes in other jurisdictions.
We will notify.
On material changes to this Privacy Policy, we will update the effective date above on the page and publish notifications in the newsletter and in the application itself. Continued use of Mold, the encrypted messaging app, after a change means acceptance of the updated policy. The previous version will remain available in the archive of our transparency report for comparison.
Your data is always yours.
We created an end to end encryption messenger without a phone number, that does not collect personal data and encrypts absolutely everything that passes through it. To get more familiar with the rest of the legal aspects, choose a link below.