Zimmer Messenger is operated by ZimmerMessenger Inc., a Delaware corporation headquartered in California ("ZimmerMessenger Inc.," "Zimmer," "we," "us," "our"). Zimmer is a notification-first messaging app built around channels and private direct messages. This Privacy Policy explains what information we and our service providers collect, how it is used, how it is protected, how long it is kept, and the rights you have. It applies to everyone who uses Zimmer, anywhere in the world. Please read it together with our Terms of Service.
1. Who this policy covers and international scope
This policy applies to all users of Zimmer Messenger, including anonymous users and registered users, and to users in every country in which the app is available. Zimmer is operated from the United States, and your information is processed and stored on servers in the United States. If you use Zimmer from outside the United States, you understand that your information will be transferred to, and processed in, the United States and other countries that may have different data-protection laws than your own. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for these transfers. If you don't agree with this policy, please don't use the app.
2. Age requirements
Zimmer is intended for users who meet the minimum age in their country and in all cases are at least 13. In the United States, you must be at least 13 (consistent with COPPA), and we do not knowingly collect personal information from children under 13. In the EEA, UK, and Switzerland, you must be at least 16, or the lower minimum digital-consent age set by your country (never below 13), and below that age only with the consent of a parent or guardian. If we learn we have collected information from a child below the applicable age without proper consent, we will delete it promptly. To report such a case, contact privacy@zimmermessenger.com.
3. What we collect
3.1 Information you give us directly
- Account information — if you register: your email address, password (stored only as a salted hash by Firebase Authentication — we never store your plaintext password), phone number (for verification), and optional first and last name.
- Channel data — channels you create, channel names, descriptions, photos, codes, settings, and member lists.
- Messages and media — text, photos, videos, reactions, and replies you send. See Section 5 for how encryption applies to each.
- Profile data — your username, display name, and avatar in each channel.
- Reports and support — information you submit when you report content or contact us.
3.2 Information collected automatically
- Identifiers — an anonymous user ID from Firebase Authentication, a OneSignal subscription identifier for push delivery, and your encryption public keys.
- Device and connection data — basic device metadata (operating system version, device model, language) needed to run and support the app.
- IP address and log data — see Section 4 for a dedicated explanation of IP-address logging.
- Usage and message metadata — message timestamps, sender and recipient/channel identifiers, delivery and read state at the channel level, pinning and mute state. This metadata is not end-to-end encrypted (the system needs it to route and deliver messages), even though message content is.
- Crash diagnostics — if a crash occurs, a crash report through the platform's standard reporting (Apple or Google) or our diagnostics provider. Crash reports do not include message content.
- Product analytics (if enabled) — we may use first-party, privacy-respecting analytics to understand which features are used and to improve the app (for example, counts of actions like creating a channel or sending a message). Any analytics are tied to app/device identifiers, never to the content of your end-to-end-encrypted messages or media, and we will name any analytics providers in Section 9.
3.3 Information we do NOT collect
- We do not access your contacts or address book.
- We do not access your location or collect GPS/precise-location data.
- We do not access your microphone except while you are actively recording a video to send (and, if we add voice messages in the future, while you are actively recording a voice message — see Section 3.4).
- We do not read your photo library — you choose what to attach through your device's system photo picker, and only that selection is shared.
- We do not track you across other apps or websites for advertising, we do not currently show third-party ads, and we do not sell or rent your personal information. See Section 6 about possible future advertising.
3.4 Features we may add in the future
So you are aware in advance, we may add features that involve additional data or device permissions. We will request your permission through your device's standard prompts when a feature needs it, will use the data only for that feature, and will update this Policy before launching anything materially new:
- Location — we do not collect location today. We may add optional, location-aware features such as geofenced channels. If we do, we will request location permission, use it only for that feature, and let you turn it off; we will not sell location data or use it for advertising.
- Voice messages — we may add the ability to record and send voice memos. Like other message media, voice messages you send would be end-to-end encrypted, and the microphone would be used only while you are actively recording.
- Biometric app lock (Face ID / Touch ID / Android biometrics) — we may add an option to lock the app with your device's biometrics. Biometric authentication is performed entirely by your device's operating system; we never receive, see, or store your biometric data — the device simply tells the app whether authentication succeeded.
4. IP addresses and server logs
We want to be clear about IP-address logging, because it is a common question:
- Zimmer does not store IP addresses in your message data, profile, or channel records, and we do not use IP addresses to build advertising or cross-app tracking profiles.
- Our infrastructure providers automatically log IP addresses and connection metadata as part of operating, securing, and protecting the Service. Specifically, Google Firebase (Authentication, Firestore, Cloud Functions, and Cloud Storage) and Apple Push Notification service / OneSignal receive and may log the IP address your device connects from, along with timestamps and request information, to authenticate requests, prevent fraud and abuse, enforce rate limits, and maintain security and reliability. This is standard for cloud-hosted services.
- These provider logs are retained for a limited period under the providers' own policies and our configuration (typically days to a small number of months), after which they are deleted or aggregated. See Google's practices at policies.google.com/privacy and OneSignal's at onesignal.com/privacy_policy.
- We may access these logs to investigate security incidents, abuse, fraud, denial-of-service attempts, or violations of our Terms, and we may disclose them under valid legal process (see Section 12).
5. End-to-end encryption — what is and isn't protected
Zimmer uses true end-to-end encryption ("E2EE"): content is encrypted on your device with keys we do not hold, and only the intended recipients can decrypt it.
Encrypted end-to-end
- Direct messages between two users — text, reply previews, and the photos and videos you send (including their thumbnails).
- Messages in private channels — text and media, encrypted with a per-channel key the broadcaster wraps individually for each member using that member's public key.
- Messages in public channels — text and media are also encrypted with a per-channel key. Public channels are discoverable and joinable, but message content is only readable by users who have joined the channel and received the channel key.
Per-channel encryption is applied to all channels, whether they are public or private and whether replies are limited to the broadcaster (one-way) or open to everyone (two-way).
NOT end-to-end encrypted
- Message metadata — who is messaging whom, timestamps, channel/thread/account identifiers, delivery and read state, and similar routing data. Metadata can be revealing, and we hold it in order to operate the Service.
- Channel metadata — channel names, descriptions, member counts, photos, and codes, so channels can be searched and previewed before joining.
- A short plaintext preview of the most recent message on each channel/DM home-row, so the home list can render without every device deriving the channel key on launch. The full message body in the message record itself is encrypted.
- Reactions — stored alongside the message as the chosen emoji.
- Messages sent before a key is established — to make sure a message is never lost, if an encryption key has not yet been set up for the sender in a channel (for example, just after a channel is created or right after a new member joins, before the broadcaster's app has wrapped the key for them), that message may be sent without encryption as a fallback. Once keys are in place, sends are encrypted automatically. In public channels, remember that anyone can join and receive the channel key, so encryption stops us from reading content but not other members.
- IP addresses and connection logs captured by our infrastructure providers (Section 4).
Caveats you should understand
- Because content is encrypted with keys we don't hold, we cannot read it, cannot recover it if you lose your keys, and cannot proactively scan or remove it. Encrypted content can only be acted on after a report, and then only via account/channel metadata.
- E2EE protects content in transit and on our servers. It does not protect content once it is decrypted on a device — anyone with access to a participant's unlocked device, or any member of a channel, can read the messages there. It also does not protect content you choose to screenshot, copy, forward, or back up elsewhere.
- Encryption protects content, not metadata. Under valid legal process we may be compelled to produce metadata we hold (Section 12).
- Public keys are distributed through our servers, and we do not yet offer an in-app key-verification ("safety number") feature. In principle this means our infrastructure could be used to substitute a key; we do not do this, but you should understand the trust model. We also do not currently provide "forward secrecy" (a feature that would prevent a future key compromise from exposing past messages). We may add these protections in the future.
Key storage and recovery
Your X25519 private key is generated on your device and stored in your device's secure key store — the iOS Keychain on Apple devices (marked synchronizable so that, if you enable iCloud Keychain, it propagates to your other Apple devices end-to-end encrypted by Apple — we never see it), or the Android Keystore on Android devices. For recovery on a device without an encrypted key backup, an encrypted copy of your private key — wrapped with a key derived from your password via PBKDF2-SHA256 (600,000 iterations, random salt) — is stored on our servers. We cannot decrypt this wrapped key; only you, by signing in with your password, can unlock it. If you reset your password via the email reset link, the previous backup becomes inaccessible and old encrypted messages may not be readable on devices that haven't already loaded your key. We warn you about this in the password-reset flow.
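The password-wrapped backup described above can be sketched as follows. This is an added example, not Zimmer's code: the policy states PBKDF2-SHA256 with 600,000 iterations and a random salt, while the wrapping cipher (AES-256-GCM here), the PKCS#8 encoding, the record layout, and all function names are assumptions.

```javascript
// Added example, not Zimmer's code. Assumed: AES-256-GCM as the wrapping
// cipher, PKCS#8 DER as the key encoding, and the backup record layout.
const crypto = require("node:crypto");

const ITERATIONS = 600000; // PBKDF2-SHA256 iteration count stated in the policy

// Password + per-backup random salt -> 32-byte key-encryption key.
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Client side: wrap the X25519 private key before it is uploaded.
function makeBackup(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", deriveKek(password, salt), iv);
  const der = privateKey.export({ type: "pkcs8", format: "der" });
  const ct = Buffer.concat([c.update(der), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() }; // everything the server stores
}

// Client side: restore on a new device. Returns null when the password is
// not the one that produced the backup (the GCM tag check fails).
function restoreBackup(backup, password) {
  const kek = deriveKek(password, backup.salt);
  const d = crypto.createDecipheriv("aes-256-gcm", kek, backup.iv);
  d.setAuthTag(backup.tag);
  try {
    const der = Buffer.concat([d.update(backup.ct), d.final()]);
    return crypto.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
  } catch {
    return null;
  }
}

// Public key derived from a private key, used to compare identities.
function publicKeyHex(privateKey) {
  const pub = crypto.createPublicKey(privateKey);
  return pub.export({ type: "spki", format: "der" }).toString("hex");
}

function backupDemo() {
  const { privateKey } = crypto.generateKeyPairSync("x25519");
  // Both passwords below are constructed sample values.
  const backup = makeBackup(privateKey, "original password");
  const restored = restoreBackup(backup, "original password");
  const afterReset = restoreBackup(backup, "new password after email reset");
  return {
    sameKey: restored !== null && publicKeyHex(restored) === publicKeyHex(privateKey),
    oldBackupOpensWithNewPassword: afterReset !== null,
  };
}
```

The second result is the password-reset case: a backup wrapped under the old password does not open with the new one, so the key has to come from a device that already holds it.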
Local message cache
To open chats instantly, Zimmer keeps a copy of messages you've already decrypted in a private file inside the app's sandboxed storage. This cache is plaintext on disk (it has already been decrypted for display), isolated by the operating system's app sandbox from other apps, excluded from cloud device backups, deleted when you delete the app, and clearable anytime from Channel Settings → Chat History → Clear Chat History or from a DM's overflow menu. Clearing affects only your device.
6. How we use your information
- Provide the Service — deliver messages and media, organize channels, and surface notifications.
- Authenticate you and recover your account via email or phone.
- Send push notifications you can mute per-channel and per-thread.
- Maintain security; detect and prevent fraud, abuse, spam, and attacks (including denial-of-service).
- Investigate technical problems and reports of abuse or illegal content.
- Comply with law and enforce our Terms.
We do not sell or rent your personal information, and we do not currently show advertising. We may introduce advertising or other commercial features in the future. If we do, we will update this Policy first, explain what data (if any) is used, and we will never use the content of your end-to-end-encrypted messages or media to select or target ads — we cannot, because we cannot read it. Nothing in this Policy is a promise that the Service will remain free of advertising forever.
7. Push notifications
We register your device for push delivery through OneSignal, using Apple Push Notification service on iOS and Firebase Cloud Messaging on Android. OneSignal assigns a subscription ID linked to your Firebase user ID. Because message content is end-to-end encrypted, the push payload carries the encrypted content and identifiers — never readable plaintext to our servers or providers — and your device decrypts the preview locally before displaying it. You can disable notifications anytime in your device Settings, or mute individual channels or DM threads in the app.
8. Camera and photo library access
We request camera and photo-library permission only when you attach a photo or video. We use your device's system photo picker and see only the item you select. We use the camera only while you are taking a photo or recording a video to send, never in the background.
9. Where your data is stored and who processes it
Zimmer is built on Google Firebase. Our processors include:
- Firebase Authentication — login and password management.
- Firebase Cloud Firestore — channels, members, encrypted messages, public keys, and encrypted backup bundles.
- Firebase Cloud Storage — encrypted photos and videos and channel avatars.
- Firebase Cloud Functions — server-side triggers for notifications and safety checks.
- OneSignal, with Apple Push Notification service (iOS) and Firebase Cloud Messaging (Android) — push delivery.
- Apple App Store / Google Play — app distribution and, if you make a purchase, payment processing (we never receive your full payment-card details).
Data is stored on Google's secure U.S. infrastructure and encrypted in transit (TLS) and at rest. Review Google's policy at policies.google.com/privacy and OneSignal's at onesignal.com/privacy_policy. If we add a product-analytics provider, we will list it here.
10. What we store and what we don't — summary
For clarity, here is a plain summary of the categories we hold:
- We store: your account identifiers and (if registered) hashed password, phone, email, and name; your public keys and the password-wrapped backup of your private key (which we cannot decrypt); channels, members, and channel metadata; encrypted message text and media; message metadata (timestamps, participants, delivery state); reactions; and the short plaintext home-row preview.
- We do not store: your plaintext password; the decrypted content of your messages or media; your encryption private key in a form we can read; your contacts, location, or photo library.
- Our providers transiently log: IP addresses and connection metadata for security and operations (Section 4).
11. Data retention
- Account and profile data is kept while your account is active.
- Messages remain until the sender deletes them, a broadcaster deletes the channel, or you leave the channel. When a message is deleted, its encrypted content (and any encrypted reply preview and media links) is removed from the message record; the underlying encrypted media file may remain in storage and in provider backups for a period afterward.
- When you delete your account, we delete your account record, identity keys, memberships, and the channels you solely own promptly (typically immediately). Residual copies may persist in encrypted provider backups and operational logs for up to 90 days before they expire.
- Provider security and connection logs (including IP logs) are retained only for the limited period set by the provider and our configuration, then deleted or aggregated.
- We may retain limited information longer where necessary to comply with law, resolve disputes, prevent abuse or fraud, or enforce our Terms.
12. Law-enforcement and legal requests
We comply with the law. We may preserve, access, and disclose information when we believe in good faith it is reasonably necessary to comply with a valid subpoena, court order, warrant, or other lawful request from law enforcement or a government authority; to comply with applicable law; to protect the safety of any person; to prevent fraud, abuse, security threats, or attacks; or to protect our rights and property. Because of end-to-end encryption, we cannot produce the content of encrypted messages or media — we do not have the keys. In response to valid legal process we can generally provide only the categories of information we actually hold, such as account and registration data, message metadata, and (where retained, including via our providers) connection logs and IP addresses. We may also be legally required to preserve information on request.
13. Your rights and choices
At any time you can: view and edit your profile; edit or delete your own messages (deleting removes the encrypted message content, any encrypted reply preview, and the links to attached media from the message record — a minimal record such as the sender and timestamp remains so the deletion can sync to other devices, and as noted in Section 11 the underlying encrypted media file may persist for a period in storage and provider backups); clear chat history locally; leave a channel; delete a channel you own (removing its messages and members); block, mute, or decline DM threads; and delete your account entirely.
Depending on where you live, you may have additional legal rights over your personal data. Sections 14 (EEA/UK) and 15 (California) describe those rights and how to exercise them. To make any request, contact privacy@zimmermessenger.com; we will verify your request and respond within the timeframe required by law (generally 30 days under GDPR, and 45 days under California law, each extendable as the law allows). We will not discriminate against you for exercising your rights.
14. Your rights in the EEA, UK, and Switzerland (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent UK/Swiss laws apply, and Zimmer's operator is the "controller" of your personal data (see Section 18 for the controller identity and any EU/UK representative).
Legal bases for processing. We process personal data only where we have a lawful basis to do so:
- Performance of a contract — to provide the Service you request: creating your account, delivering your messages and media, organizing channels, and sending notifications.
- Legitimate interests — to keep the Service secure and reliable; to detect, prevent, and investigate fraud, abuse, spam, and attacks; to debug and improve the app; and to enforce our Terms. We balance these interests against your rights.
- Consent — where we ask for it, such as optional permissions (camera, photos, notifications) or any future optional features; you may withdraw consent at any time.
- Legal obligation — to comply with applicable law and valid legal process (Section 12).
Your GDPR rights. Subject to the law's conditions, you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing (including processing based on legitimate interests); data portability; and withdraw consent. You also have the right to lodge a complaint with your local supervisory authority. Note that, because of end-to-end encryption, we cannot access, export, or correct the content of your encrypted messages or media — only you and your recipients can.
International transfers. Your data is processed in the United States. Where required, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses and the UK Addendum — for transfers out of the EEA/UK.
15. Your California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights over your personal information. This section is our "notice at collection."
Categories of personal information we collect, why, and whether we sell or share it. In the past 12 months we have collected the following categories (defined by California law) from users:
| Category | Examples | Purpose | Sold / Shared? |
|---|---|---|---|
| Identifiers | User ID, push subscription ID, public keys, email, phone (if registered) | Provide and secure the Service; authentication; notifications | No |
| Customer records | Name (optional), hashed password | Account creation and recovery | No |
| Internet / network activity | Message metadata, device metadata, IP/connection logs (via providers) | Routing and delivery; security; abuse prevention | No |
| User-generated content | Your messages and media (end-to-end encrypted), reactions, channel info | Deliver and display your content to intended recipients | No |
| Commercial information | Purchases or subscriptions (processed by Apple/Google) | Provide paid features | No |
We do not sell or share your personal information as the terms "sell" and "share" (cross-context behavioral advertising) are defined under California law, and we have not done so in the past 12 months. We do not knowingly sell or share the personal information of consumers under 16. If this ever changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" control and the right to opt out.
We do not use or disclose sensitive personal information for purposes that would trigger the CPRA right to limit; we use the limited data we hold only to provide and secure the Service.
Your California rights. You have the right to: know/access the personal information we have collected; delete it; correct inaccurate information; opt out of any sale or sharing (not applicable today, as we do none); limit the use of sensitive personal information; and not be discriminated or retaliated against for exercising these rights.
How to exercise them. Email privacy@zimmermessenger.com. We will verify your request using information associated with your account. You may use an authorized agent to submit a request on your behalf with your written permission and our verification of their authority.
"Shine the Light" (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their own direct-marketing purposes.
16. Security
- End-to-end encryption (X25519 key agreement + HKDF-SHA256 + AES-256-GCM) for message text and media in DMs and channels.
- Per-channel symmetric keys are wrapped for each member using their published public key, and a removed member's wrapped key is deleted so they can no longer fetch the channel key from our servers. Note that channel keys are not automatically rotated when a member leaves, so a former member who already obtained the key may retain the ability to read messages encrypted with it until that key is rotated.
- Server-side Firestore security rules restricting reads and writes to authorized users.
- TLS in transit; at-rest encryption of all Firebase data by Google.
- Private keys stored in the device's secure key store — the iOS Keychain (optionally synced via iCloud Keychain, end-to-end encrypted by Apple) or the Android Keystore.
- Sandboxed, backup-excluded local cache.
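The per-channel key wrapping and the rotation caveat in the list above, shown as an added example that is not Zimmer's code. The primitives (X25519, HKDF-SHA256, AES-256-GCM) are the ones the policy names; the ephemeral sender key per wrap, the HKDF label, the record layout, and all function names are assumptions.

```javascript
// Added example, not Zimmer's code. Assumed: one ephemeral X25519 key per
// wrap, the HKDF info label, and the wrapped-key record layout.
const crypto = require("node:crypto");

const INFO = Buffer.from("example-channel-key-wrap"); // hypothetical label

// AES-256-GCM with a random 96-bit nonce.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on a wrong key
}

// X25519 agreement -> HKDF-SHA256 -> 32-byte key-encryption key.
function kek(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync("sha256", shared, salt, INFO, 32));
}

// Broadcaster: wrap the channel key for one member's published public key.
function wrapFor(memberPublicKey, channelKey) {
  const eph = crypto.generateKeyPairSync("x25519");
  const salt = crypto.randomBytes(16);
  const sealed = seal(kek(eph.privateKey, memberPublicKey, salt), channelKey);
  return { ephPub: eph.publicKey, salt, ...sealed };
}
// Member: unwrap with the member's own private key.
function unwrap(memberPrivateKey, w) {
  return open(kek(memberPrivateKey, w.ephPub, w.salt), w);
}

function rotationDemo() {
  const alice = crypto.generateKeyPairSync("x25519");
  const bob = crypto.generateKeyPairSync("x25519");
  let channelKey = crypto.randomBytes(32);
  // Constructed stand-in for the server's per-member wrapped-key records.
  const wrapped = new Map([
    ["alice", wrapFor(alice.publicKey, channelKey)],
    ["bob", wrapFor(bob.publicKey, channelKey)],
  ]);
  const bobCached = unwrap(bob.privateKey, wrapped.get("bob")); // fetched earlier

  wrapped.delete("bob"); // removal deletes Bob's wrapped key
  const canFetchAfterRemoval = wrapped.has("bob");

  // No rotation yet: Bob's cached copy still opens new messages.
  const m1 = seal(channelKey, Buffer.from("posted after removal"));
  const readWithoutRotation = open(bobCached, m1).toString();

  // Rotation: fresh key, wrapped only for the remaining member.
  channelKey = crypto.randomBytes(32);
  wrapped.set("alice", wrapFor(alice.publicKey, channelKey));
  const m2 = seal(channelKey, Buffer.from("posted after rotation"));
  let readAfterRotation = true;
  try { open(bobCached, m2); } catch { readAfterRotation = false; }
  const aliceKey = unwrap(alice.privateKey, wrapped.get("alice"));
  const aliceReads = open(aliceKey, m2).toString();

  return { canFetchAfterRemoval, readWithoutRotation, readAfterRotation, aliceReads };
}
```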
No system is perfectly secure. If we experience a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.
17. Changes to this policy
We reserve the right to change, modify, add to, or remove parts of this Privacy Policy at any time and for any reason, in our sole discretion. If we make material changes, we'll make reasonable efforts to notify you inside the app or by email (if provided), and, where required by law, before they take effect. The "Last updated" date above always reflects the current version. Your continued use of the Service after a change takes effect means you accept the updated Policy.
18. Contact us and who we are
For privacy questions, to exercise your rights, or to report a security issue, email privacy@zimmermessenger.com. For legal or dispute notices, email legal@zimmermessenger.com. For copyright (DMCA) notices, email dmca@zimmermessenger.com. For general help, email support@zimmermessenger.com.
Zimmer Messenger is operated by ZimmerMessenger Inc., a Delaware corporation headquartered in California, which is the data controller for the purposes of GDPR. We respond to verified requests within the time required by law.