Privacy policies are written by lawyers, for lawyers. They're technically accurate and practically useless for understanding what actually happens to your data. This post is the plain-English version — what we collect, what we don't, what happens to your conversations, and the specific technical choices we've made to protect you.
The Core Principle: Collect Nothing You Don't Need
IshmitChat was designed from the start with a data minimisation philosophy. Every data collection decision goes through a simple question: do we actually need this to make the product work? If the answer is no, we don't collect it. This isn't just policy — it's architecture.
No Accounts, No Profiles
IshmitChat has no user accounts. There's nothing to sign up for, no email address to provide, no username to create. This isn't just for convenience — it means there is no profile database for a breach to expose, no account credentials to steal, and no persistent identity for us to connect to your behaviour.
When you visit IshmitChat, you are assigned a temporary session identifier that exists only for the duration of your browser session. When you close the tab, it's gone.
What Happens to Your Chat Messages
Chat messages are stored temporarily to make real-time chat work — the server needs to hold messages briefly so that both participants can retrieve them. Here's the important part: messages are stored in rolling session files that are purged automatically after the session ends. We do not maintain a permanent log of chat conversations.
Practically speaking: if you chat with someone today and come back tomorrow, there's no record of that conversation on our servers.
IP Addresses Are Hashed, Not Stored
We use IP addresses for rate limiting and abuse prevention — without them, a single bad actor could flood the system. But we never store raw IP addresses. Instead, we store a one-way cryptographic hash of your IP combined with a server-side salt. This means:
- We can tell if two requests came from the same IP (for rate limiting)
- We cannot reverse the hash to find out what your IP address was
- Even if the hash files were exposed, they reveal nothing about you
Email Addresses Are Encrypted at Rest
If you sign up for the Video Chat early access notification, your email is encrypted before being stored — using AES-256-CBC, the same standard used by financial institutions. The encryption key is stored separately from the data. Without the key, the stored data is meaningless ciphertext.
We also use HMAC fingerprinting to detect duplicate sign-ups without needing to decrypt every stored email. Your email address is never stored in plain text anywhere in our system.
Geographic Data
We collect approximate geographic data (country, continent, region) from IP addresses for analytics — this helps us understand where our users are from and build a better product. This data is stored at country/region granularity, not precise location. We do not store city-level or street-level location data.
No Third-Party Tracking Scripts
IshmitChat does not use Google Analytics, Facebook Pixel, or similar third-party tracking scripts that would allow advertisers to build profiles of your behaviour across the web. The JavaScript on our pages is limited to functionality (Bootstrap for UI, our own chat code) and does not phone home to any advertising network.
Cookies
We use a single session cookie to keep your chat session alive. That's it. No advertising cookies, no cross-site tracking cookies, no fingerprinting. You can read the full details in our Cookie Policy.
What We Can't Protect You From
Transparency requires acknowledging limits. We protect the data on our side. We can't protect you from:
- Screenshots — the other person in your chat can screenshot what you say
- Your own disclosures — anything you choose to share with a stranger is outside our control
- Your internet connection — a VPN adds another layer if you're particularly privacy-conscious
The Bottom Line
We've tried to build a platform where you can have genuine, anonymous conversations without worrying about what's being recorded. The technical choices — hashed IPs, encrypted emails, session-only storage, no accounts — aren't marketing language. They're the actual architecture. The Privacy Policy contains the full legal detail for anyone who wants it.