Zimmer Messenger ("Zimmer," "we," "us") is a notification-first messaging app built around channels and private direct messages. We take privacy seriously and we've designed Zimmer so that the data we hold about you is the minimum needed to make the app work. This Privacy Policy explains what information we collect, how we use it, and the rights you have over it.
1. Who this policy covers
This policy applies to everyone who downloads or uses Zimmer Messenger on iOS, including users who sign up with an email and phone number and users who choose to remain anonymous. If you don't agree with this policy, please don't use the app.
2. Age requirement
Zimmer is intended for users aged 13 and older. If you are under 13, you may not use the app. If you are between 13 and 18, you should use Zimmer only with the involvement of a parent or guardian. We do not knowingly collect personal information from anyone under 13. If we learn that we have collected information from a child under 13, we will delete it promptly.
3. What we collect
3.1 Information you give us directly
- Account information — if you choose to register, your email address, password (stored as a salted hash by Firebase Authentication), phone number (for verification), and optional first and last name.
- Channel content — the channels you create, channel names, descriptions, photos, codes, and member lists.
- Messages — text, photos, videos, reactions, and replies you send. See Section 5 for how encryption applies to each kind of message.
- Profile data — your chosen username, display name, and avatar in each channel.
3.2 Information we collect automatically
- Device identifiers — an anonymous user ID assigned by Firebase Authentication, a OneSignal subscription identifier used for delivering push notifications, and basic device metadata (iOS version, model, language) needed to support the app.
- Usage information — timestamps of messages, read receipts at the channel level, and pinning state. We don't track screen-by-screen analytics.
- Crash diagnostics — if a crash occurs we may collect a crash report through Apple's standard crash reporting or our diagnostics provider. Crash reports do not include the content of your messages.
3.3 Information we do NOT collect
- We do not access your contacts.
- We do not access your location.
- We do not access your microphone unless you are recording a video to send.
- We do not read your photo library — when you attach a photo or video, you select it through Apple's system picker, and only that selection is shared with the app.
- We do not track you across other apps or websites.
4. How we use your information
We use the information described above only to:
- Provide the core messaging service — delivering messages, organizing channels, and surfacing notifications.
- Verify identity when you sign in or recover your account via email or phone.
- Send you push notifications when you receive a new message, reaction, or DM request — these can be muted per-channel and per-thread from inside the app.
- Investigate technical problems and reports of abuse.
- Comply with applicable law.
We do not sell or rent your personal information to anyone. We do not show advertising in Zimmer.
5. End-to-end encryption
Zimmer uses true end-to-end encryption ("E2EE") to protect your messages. This means the content is encrypted on your device with keys we don't have, and only the intended recipients can decrypt it.
What is encrypted end-to-end
- Direct messages (DMs) between two users — text, replies, and DM previews.
- Messages inside private channels — text bodies are encrypted with a per-channel symmetric key that the broadcaster wraps individually for each member using that member's public key.
- Messages inside public channels — text bodies are also encrypted with a per-channel key. Public channels are still discoverable and joinable by code, but the message contents are only readable by users who have actually joined the channel and received a wrap of the channel key.
- Reply previews for any of the above are encrypted alongside the message body.
What is NOT end-to-end encrypted
- Photos, videos, and other media attachments — these are uploaded to Firebase Storage and are not encrypted with your personal keys at this time.
- Channel names, descriptions, member counts, channel photos, and similar metadata so they can be searched and previewed before joining.
- A short plaintext snippet of the latest message on each channel's home-screen row, so the home list can show a readable preview without forcing every device to derive the channel key on launch. The full message body in the message document itself is encrypted.
- Reactions — stored alongside the message as the chosen emoji.
We are committed to expanding the scope of E2EE in future releases.
How key recovery works
Your X25519 encryption private key is generated on your device and stored in the iOS Keychain. The Keychain entry is marked synchronizable, so if you have iCloud Keychain turned on it propagates to your other Apple devices end-to-end encrypted by Apple — we never see it.
To allow recovery on a device that doesn't have iCloud Keychain, an encrypted copy of your private key — wrapped using a key derived from your Firebase Authentication password through PBKDF2-SHA256 with 600,000 iterations and a random salt — is stored on our servers. We cannot decrypt this wrapped key. Only you, by signing in with your password, can derive the wrap key needed to unlock it.
Important: if you reset your password via the email reset link, the previously wrapped backup becomes inaccessible. Old encrypted messages will not be readable on devices that haven't already loaded your private key. We surface this warning in the password-reset flow inside the app.
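Added example (not Zimmer's code): an illustration in Node.js of the password-wrapped backup described above, showing why a bundle made under the old password cannot be opened after a reset. AES-256-GCM as the wrapping cipher, the 16-byte salt, the bundle field names and the sample passwords are assumptions; only PBKDF2-SHA256 with 600,000 iterations and a random salt come from this policy.

```javascript
const crypto = require('crypto');

const ITERATIONS = 600000; // iteration count stated in the policy

// Derive a 256-bit wrap key from the account password (PBKDF2-SHA256).
// The iteration count is what slows password guessing against a stored bundle.
function deriveWrapKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Client side: wrap the raw 32-byte private key before it leaves the device.
// AES-256-GCM is an assumed wrapping cipher; the policy names only the KDF.
function wrapPrivateKey(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveWrapKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  // This bundle is what would be stored server-side; the password is not in it.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the private key, or null when the password does not match the bundle.
function unwrapPrivateKey(bundle, password) {
  const key = deriveWrapKey(password, bundle.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, bundle.iv);
  decipher.setAuthTag(bundle.tag);
  try {
    return Buffer.concat([decipher.update(bundle.ct), decipher.final()]);
  } catch {
    return null; // GCM tag mismatch: a different wrap key was derived
  }
}

// Constructed scenario: backup made under one password, recovery tried with two.
function recoveryDemo() {
  const privateKey = crypto.randomBytes(32); // stand-in for an X25519 private key
  const bundle = wrapPrivateKey(privateKey, 'constructed-old-password');
  const same = unwrapPrivateKey(bundle, 'constructed-old-password');
  const afterReset = unwrapPrivateKey(bundle, 'constructed-new-password');
  return { recovered: same !== null && same.equals(privateKey), afterReset };
}

console.log(recoveryDemo());
```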
Local message cache
To make opening a chat instantaneous, Zimmer keeps a copy of the messages you've already decrypted in a private file on your iPhone, inside the app's protected Application Support directory. This local cache:
- Is stored as plaintext on disk because it has already been decrypted for display; the iOS app sandbox prevents other apps from reading it.
- Is excluded from iCloud device backups, so it will not be transferred from one phone to another during a restore.
- Is deleted automatically when you delete the Zimmer app from your phone.
- Can be cleared at any time from Channel Settings → Chat History → Clear Chat History for any channel, or from the overflow menu inside any direct message. Clearing only affects your phone; the messages stay on our servers and on other members' phones, and new messages still come through.
The on-disk cache grows as you receive messages and is rendered one page at a time as you scroll, similar to iMessage. If the cache gets large, Clear Chat History gives you a one-tap reset.
6. Where your data is stored
Zimmer is built on Google Firebase. The following services process your data on our behalf:
- Firebase Authentication — account login and password management.
- Firebase Cloud Firestore — channels, members, messages, identity public keys, and encrypted backup bundles.
- Firebase Cloud Storage — photos, videos, and channel avatars.
- Firebase Cloud Functions — server-side triggers that send push notifications and perform safety checks.
- OneSignal — delivery of push notifications to your device via Apple Push Notification service (APNs). OneSignal receives a generic "new message" body for end-to-end encrypted messages and never receives the message content.
Data is stored on Google's secure infrastructure in the United States. Firebase encrypts data in transit (TLS) and at rest. You can review Google's privacy practices at policies.google.com/privacy and OneSignal's at onesignal.com/privacy_policy.
7. Push notifications
To deliver notifications, we register your device with Apple Push Notification service through OneSignal. OneSignal assigns your device a subscription ID linked to your Firebase user ID. Because every text message in Zimmer is end-to-end encrypted, push notifications carry a generic body (such as "New encrypted message") along with the channel or thread identifier — the actual message content is never sent to OneSignal or Apple. When the notification is tapped, the app fetches the encrypted message from Firestore and decrypts it locally before rendering the bubble.
You can disable Zimmer notifications anytime from your iOS Settings, mute or turn off individual channels from each channel's settings screen, or mute individual DM threads from the overflow menu inside the conversation.
8. Camera and photo library access
Zimmer requests your permission to use the camera and photo library only when you attempt to attach a photo or video to a message. We use Apple's standard system picker; the app sees only the item you select. We use the camera only while you are taking a photo or recording a video to send. We do not access your camera or library in the background.
9. Your rights
You can, at any time:
- View and edit your profile from the Account screen.
- Edit or delete your own messages within 15 minutes of sending. Deleted messages are replaced with a "Message deleted" placeholder; the original text and ciphertext are wiped from our servers.
- Clear chat history locally from any channel's settings screen, or from the overflow menu inside any direct message. This wipes the on-device cache and hides older messages on your phone going forward, without affecting the server copy or other members' devices.
- Leave a channel from its settings screen.
- Delete a channel you created, which wipes the channel and all its messages and members.
- Block, mute, or decline private DM threads.
- Delete your account entirely by emailing us at the address below. Account deletion is permanent and removes your member entries from every channel; messages you've sent in public channels remain visible (attributed to your former username) unless the channel broadcaster removes them.
If you live in a jurisdiction with additional rights (the EU's GDPR, California's CCPA, etc.), you also have the right to request access to, correction of, or deletion of your personal data, and to lodge a complaint with your local data protection authority. Contact us at the address below to exercise these rights.
10. Data retention
We keep your data for as long as your account is active. Messages remain in channels until the message sender deletes them, a broadcaster deletes the channel, or you leave the channel. When you delete your account, your member entries are removed within 30 days; backups and logs may take an additional 60 days to fully expire.
11. Security
We protect your data with a defense-in-depth approach:
- End-to-end encryption (X25519 key agreement + HKDF-SHA256 + AES-256-GCM) for text messages in DMs, private channels, and public channels.
- Per-channel symmetric keys that the broadcaster wraps individually for each member using each member's published X25519 public key — adding a member requires the broadcaster's device to be online, but a removed member can no longer decrypt future messages.
- Server-side Firestore security rules that restrict reads and writes to authorized users only.
- Server-side Cloud Functions that handle privacy-sensitive paths like password-protected joins and channel previews, so client-side queries don't need to read sensitive fields directly.
- Transport encryption (TLS) for all communication between your device and our servers.
- At-rest encryption of all Firebase data by Google.
- Private encryption keys stored in the iOS Keychain, optionally synchronized across your Apple devices via iCloud Keychain (which is itself end-to-end encrypted by Apple).
- Local message cache stored inside Zimmer's sandboxed Application Support directory, isolated by iOS from other apps and excluded from iCloud device backups.
No system is perfectly secure. If we ever experience a breach that affects your personal data, we will notify you and the appropriate authorities as required by law.
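Added example (not Zimmer's code), illustrating the per-channel key wrapping listed in this section with X25519, HKDF-SHA256 and AES-256-GCM in Node.js. Using the broadcaster's long-term key for the agreement, the HKDF info label, the blob layout and rotating to a fresh channel key when a member is removed are assumptions; the policy does not specify them.

```javascript
const crypto = require('crypto');

// AES-256-GCM helpers. The iv(12) || tag(16) || ciphertext layout is an assumption.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  try { return Buffer.concat([d.update(blob.subarray(28)), d.final()]); }
  catch { return null; } // wrong key or tampered data
}

// X25519 agreement, then HKDF-SHA256. The info label is a made-up constant.
function pairKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'example-wrap', 32));
}

// Broadcaster: one wrap of the channel key per current member.
function wrapForMembers(broadcaster, members, channelKey) {
  return Object.fromEntries(Object.entries(members).map(
    ([name, m]) => [name, seal(pairKey(broadcaster.privateKey, m.publicKey), channelKey)]));
}

// Member: unwrap own entry, if one was issued, and decrypt a message.
function readAs(member, name, broadcasterPublic, wraps, message) {
  if (!wraps[name]) return null;
  const channelKey = open(pairKey(member.privateKey, broadcasterPublic), wraps[name]);
  const body = channelKey && open(channelKey, message);
  return body ? body.toString('utf8') : null;
}

// Constructed scenario: bob is removed; rotating to a fresh key is an assumption.
function removalDemo() {
  const kp = () => crypto.generateKeyPairSync('x25519');
  const broadcaster = kp(), alice = kp(), bob = kp(), pub = broadcaster.publicKey;
  const k1 = crypto.randomBytes(32), k2 = crypto.randomBytes(32);
  const w1 = wrapForMembers(broadcaster, { alice, bob }, k1);
  const w2 = wrapForMembers(broadcaster, { alice }, k2); // wraps issued after removal
  const oldMsg = seal(k1, 'before removal'), newMsg = seal(k2, 'after removal');
  return { aliceNew: readAs(alice, 'alice', pub, w2, newMsg),
    bobOld: readAs(bob, 'bob', pub, w1, oldMsg),
    bobNew: readAs(bob, 'bob', pub, w2, newMsg),
    bobNewViaOldWrap: readAs(bob, 'bob', pub, w1, newMsg) };
}
console.log(removalDemo());
```

The removed member can still read messages sent under the key they already held, which matches the policy's wording that removal protects future messages.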
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we'll notify you inside the app or by email (if you've provided one) at least 7 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact us
If you have any questions about this Privacy Policy, want to exercise your data rights, or need to report a security issue, please email us at:
Zimmer Messenger is a product of its creator(s) and is currently operated as an independent service. We will respond to verified requests within 30 days.