Privacy Policy
This explains what TillTom does and doesn’t do with your information. It’s written to be honest, including the inconvenient parts.
No account
TillTom needs no registration. There are no usernames, passwords, or profiles. A temporary nickname you enter for a chat is a display label, not a verified identity.
What is stored on your device
Your browser stores a random device token (to group your chats and apply rate limits), and, for each chat, a participant token, the chat’s encryption key, your nickname, and the latest message position. These live only in this browser. There is no backup and no cross-device recovery: if you clear browser data, use a private window that you then close, or switch devices, access to those chats is lost.
What is stored on the server
The server stores each room’s lifecycle state and timers, the two participants’ nicknames in plain text as display labels, and the encrypted message payloads. The server does not store the chat’s encryption key, and cannot read your message content.
Encryption, stated plainly
Messages are encrypted and decrypted in your browser; the server relays and stores only encrypted payloads and does not store the key. Because there is no out-of-band identity check, we don’t claim this rules out an active man-in-the-middle, and we don’t use the unqualified phrase “end-to-end encrypted.” See the Encryption Explainer.
Metadata and logs
Some metadata necessarily exists: the timing and existence of messages, room state, and the nicknames. IP addresses and server logs may exist for security and abuse prevention; where stored in our database they are kept only as a salted hash, not as raw addresses. Metadata may be processed to run and protect the service.
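As an added illustration (not TillTom's own code), the Python below shows one way of keeping addresses "only as a salted hash" for abuse prevention while still letting a rate limiter count repeat requests. The construction (HMAC-SHA256 under a server-side secret salt) and the address normalisation are assumptions, since the policy names neither; a keyed hash is chosen because the IPv4 space is small enough to enumerate, so only a secret salt keeps the stored value one-way.

```python
import hmac
import hashlib
import ipaddress
import secrets

# Constructed secret: in a deployment this would come from server
# configuration, never from the database that holds the hashed addresses.
SERVER_SALT = secrets.token_bytes(32)


def normalize_ip(raw: str) -> str:
    """Canonicalise an address so textual variants hash identically.

    IPv4-mapped IPv6 addresses (e.g. ::ffff:203.0.113.7) are reduced to
    their IPv4 form so the same client is not counted twice.
    """
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed


def pseudonymise_ip(raw: str, salt: bytes = SERVER_SALT) -> str:
    """Return the value stored in place of the raw address.

    HMAC (a keyed hash) rather than a bare hash: with only ~4 billion IPv4
    addresses, an unkeyed digest could be reversed by enumeration, so the
    salt must stay secret and live outside the database.
    """
    digest = hmac.new(salt, normalize_ip(raw).encode("ascii"), hashlib.sha256)
    return digest.hexdigest()


def count_hits(addresses: list[str], salt: bytes = SERVER_SALT) -> dict[str, int]:
    """Aggregate request counts by pseudonym, as a rate limiter would,
    without ever retaining the raw addresses."""
    counts: dict[str, int] = {}
    for raw in addresses:
        key = pseudonymise_ip(raw, salt)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: documentation ranges, not real clients.
    sample = ["203.0.113.7", "::ffff:203.0.113.7", "2001:db8::1", "203.0.113.7"]
    for pseudonym, n in count_hits(sample).items():
        print(pseudonym[:16], n)
```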
Lifecycle and deletion
Unused QR waiting rooms expire after 5 minutes. Active chats expire 24 hours after the second person joins, unless either person ends the chat earlier. Either participant can end the chat for both people. After a chat ends or expires, its encrypted messages are deleted by routine cleanup — targeted immediately, and at most within 24 hours.
Removing a chat from your device
“Remove from this device” deletes local access and the dashboard entry for ended or expired chats in your browser only. It does not affect the other participant or the server’s room state.
What we don’t do
We don’t require or verify contact details or real identity, and we don’t offer structured contact matching or exchange. Images, files, attachments, voice notes, and video are not supported. There is no report-submission or moderation-review flow. You can still screenshot, copy, photograph, or otherwise save what you see — no app can prevent that, and we don’t claim to.
Questions? tilltom.com