Flash takes your security very seriously. We aim to provide the best security and privacy coupled with the easiest user experience.
We follow industry best practices and are actively improving our security.
We use encryption to secure your communications with your loved ones. We believe your messages are only yours to see.
- All connections to the Flash servers use HTTPS/TLS to protect you from man-in-the-middle attacks and to provide authenticity.
- We use asymmetric (also known as public key) cryptography (RSA) to prove your authenticity to others, and to exchange keys for symmetric encryption.
- Symmetric encryption (AES) is used to encrypt and send messages, which makes sure messages are read only by those they were intended for.
- We use one-way hashing to authenticate your password, so that only you are let into your account.
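The RSA-plus-AES scheme in the list above, sketched for a group conversation as an added illustration; this is not Flash's own code. RSA-OAEP with SHA-256, AES-256-GCM, 2048-bit keys and the names `newMember`, `sealMessage` and `openMessage` are assumptions, since the page names only RSA and AES.

```javascript
// Added illustration, not Flash's code.
// Assumed parameters: RSA-OAEP (SHA-256), AES-256-GCM, 2048-bit RSA keys.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical helper: each member generates a key pair on their own device.
function newMember(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Sender side: encrypt once with a fresh AES key, then wrap that key per recipient.
function sealMessage(plaintext, conversationId, recipients) {
  const key = crypto.randomBytes(32); // one-time message key
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with this key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(conversationId)); // binds the ciphertext to its conversation
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKeys = {};
  for (const r of recipients) {
    wrappedKeys[r.name] = crypto.publicEncrypt({ key: r.publicKey, ...OAEP }, key);
  }
  // This envelope is all a server would store: no plaintext and no raw AES key.
  return { conversationId, iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Recipient side: unwrap own copy of the AES key, then decrypt and verify the tag.
function openMessage(envelope, member) {
  const wrapped = envelope.wrappedKeys[member.name];
  if (!wrapped) throw new Error('not a recipient of this message');
  const key = crypto.privateDecrypt({ key: member.privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAAD(Buffer.from(envelope.conversationId));
  decipher.setAuthTag(envelope.tag);
  // final() throws if the ciphertext, tag or conversation id was altered.
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}
```

Because GCM is authenticated, a modified ciphertext or an envelope replayed into a different conversation fails on decryption instead of yielding altered text.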
We store essential user profile information such as, but not limited to:
- Username & display name
- Hashed password (client-side hashed, we never see your password) & salt
- Public key
- Account creation time
- Avatar (if set)
- Encrypted private key (client-side encrypted, we never see your private key, only stored when using sync)
- User blocked statuses
Conversations & Messages
A conversation can be between 2 or more users (a group); conversations are core to Flash. We store data such as:
- Conversation members
- Conversation creation time
- Conversation name (if set)
- Conversation nicknames (if set)
- Conversation colors (if set)
- Conversation avatar (if set)
- Conversation mute status
- Message sent time
- Message sender & recipients
- Encrypted message content (client-side encrypted, we never see your message contents, including files such as images or GIFs)
Once a message has been stored for over 1 month, we automatically delete it from the server. If it has been delivered to devices, it will stay on the devices until manually deleted, or cleared by settings.
A message will also be deleted from the server if all recipients delete it locally. Deleting also deletes associated files (such as images).
We use anonymised analytics to improve the service over time. All analytics are always anonymised, and you can opt out at any time in your settings. We track events like:
- Registration & sign up (includes processing time, as we are trying to speed up the initial encryption and setup)
- App openings
- Screen/page visits