A platform for artists.
Post music, share announcements with your followers, build a paying audience. Direct connection between creators and the people who care about their work.
Private by design.
Your direct messages and group messages are end-to-end encrypted. We can't read them. See Security & Privacy for the specifics.
Earnings for creators.
Tips, subscriptions, merch, and music sales flow through to you directly.
Open source. Donation-supported.
TheFlow is built so your most sensitive communication stays readable only by you and the people you choose to talk to. Not by us. Not by our infrastructure providers. Not by anyone served a subpoena. This page explains exactly how, what the limits are, and what control you have.
We care about being honest with you. Cryptography is a field where it is easy to make impressive-sounding claims that do not hold up. We will tell you what is actually true, where our guarantees end, and when you should use a different tool.
Your direct messages, group messages, and attachments are end-to-end encrypted using libsodium, the cryptographic library behind Wire, 1Password, and ProtonMail. We use X25519 for key exchange, the same elliptic curve used by Signal, WireGuard, and modern TLS. Your video and voice calls are encrypted peer-to-peer via WebRTC. We cannot read any of these, and we cannot be compelled to produce what we do not have.
You choose how your messages are handled. Your account default can be Saved (messages kept on our servers in encrypted form, synced and recoverable) or Off the Record (messages deleted from our servers after delivery). If your account is Saved, you can also mark individual conversations as Off the Record, giving you per-chat control without changing your account-level posture.
For the highest-risk work, such as protecting confidential sources as a journalist, we recommend Signal. Signal is purpose-built for that threat model and makes architectural choices we cannot match while also serving as a music platform with artist payouts. Off the Record on TheFlow is meaningfully stronger than any mainstream social platform. It is not a replacement for Signal.
Every direct message on TheFlow is end-to-end encrypted using libsodium. We use X25519 for key exchange and XSalsa20-Poly1305 for authenticated encryption with 256-bit keys. These primitives have been peer-reviewed for over a decade and are considered secure by contemporary cryptographic standards. They are equivalent in security to AES-256-GCM and come from the same cryptographic family used in Signal, WhatsApp, WireGuard, and TLS 1.3.
To be specific about the Signal comparison: we use the same elliptic curve (X25519) that Signal uses for key exchange. We do not yet use the full Signal Protocol. The Double Ratchet construction that provides per-message forward secrecy is on our roadmap. Our current encryption is strong against the threats that matter for most users. The Double Ratchet would close a specific class of risk (past messages becoming readable if your key is ever compromised) that matters more for users facing sophisticated adversaries.
When you send a message, your device generates a fresh random nonce, encrypts the message using your private key and the recipient's public key, and sends the ciphertext to our servers. We forward the ciphertext to the recipient's device, where it is decrypted with the recipient's private key and your public key.
What this means concretely:
TheFlow's servers never see the plaintext of your messages. Our databases store only ciphertext. Our backups contain only ciphertext. If we are legally compelled to hand over your messages, we provide ciphertext, which is useless without the recipient's private key. If we are breached, attackers get ciphertext, which is useless without private keys.
What this does not protect against:
The person you are messaging. If they screenshot, save, or share your message, no platform can prevent that.
Someone with full control of your device. If an attacker is reading your screen or has extracted your private key, they can decrypt your messages.
Future cryptographic advances. The primitives we use are strong against current known attacks. They are not post-quantum. If an adversary is recording your encrypted messages today to decrypt after future quantum computers exist, we cannot protect against that today. We are tracking the NIST post-quantum standards (ML-KEM, ML-DSA) and will adopt them in line with industry consensus, following the hybrid approach that Signal and Apple have established with PQXDH and iMessage PQ3.
Group messages work like direct messages, applied to each recipient. When you send a message to a group of N people, your device encrypts it separately for each recipient's public key, producing N ciphertexts, and sends all of them to our servers for routing. Our servers see that a group message was sent and to whom, but never the content.
Adding someone to a group gives them access to future messages only. They cannot read messages sent before they joined. Removing someone from a group stops them from receiving future messages, but does not erase messages already on their device.
Media attached to direct or group messages (photos, audio clips, short videos) is encrypted the same way as message text. Your device encrypts the file with a random symmetric key, uploads the ciphertext to our media storage, and sends the decryption key inside the encrypted message. The recipient's device fetches the ciphertext and decrypts locally.
Neither we nor our storage provider can read attachment contents. Our CDN delivers opaque encrypted blobs to recipient devices.
Media you post publicly (profile photos, cover art, announcements, songs uploaded to your catalog) is stored unencrypted because it is meant to be seen or streamed. Our servers can see this content, as can anyone you have granted visibility to.
All calls on TheFlow use WebRTC, which mandates end-to-end encryption of media streams via DTLS-SRTP. This is not optional in the WebRTC specification. Your browser's WebRTC implementation encrypts call content by default using ephemeral keys negotiated directly between participants.
Voice and video content flows peer-to-peer, encrypted with keys our servers never see. When a direct peer-to-peer connection is impossible due to network restrictions, calls may be relayed through a TURN server. The relay handles already-encrypted packets and cannot decrypt them.
We do not record calls. We do not have the technical ability to record calls even if compelled. We see call signaling metadata: who called whom, when the call started, when it ended, and how long it lasted. This metadata is necessary to route calls and may be retained briefly for operational purposes.
Beams are one-to-many broadcasts from an artist to their followers or subscribers. They are not end-to-end encrypted, because encryption would defeat the purpose of content intended to reach thousands of people. Beams are transmitted over TLS and stored on our servers, with access controlled by the visibility setting you choose.
If you want to communicate privately with specific followers, use direct messages or group messages. Beams are public or semi-public by design.
TheFlow offers two options for how your messages are handled. Both use the same end-to-end encryption. What differs is what TheFlow keeps after delivery.
Saved keeps your messages on our servers in encrypted form. Your conversation history syncs across your devices. If you use account recovery to regain access after losing your devices and password, your message history comes back with your account.
We hold encrypted ciphertext that we cannot read. Metadata about who you messaged, when, and how often is retained under conventional policies. A subpoena can compel us to provide ciphertext (useless without the recipient's private key) and metadata.
The residual risk with Saved is this: if your password is ever compromised, your encrypted backup could theoretically be decrypted offline. We defend against this by enforcing strong passwords at signup (zxcvbn score 3 or higher, checked against known breach corpora, stretched with Argon2id), but the defense is probabilistic, not absolute.
For most users, Saved is the right choice. The convenience of cross-device history and recoverable messages outweighs the residual risk.
Off the Record means your messages are encrypted, delivered, and then removed from our servers. Your conversation history lives only on your own devices. We retain metadata about who you are communicating with only for the brief window needed to deliver messages (up to 72 hours for undelivered messages to offline devices, then dropped).
A subpoena served for your message history returns essentially nothing. There is nothing historical for us to hand over. Not because we are hiding anything, but because we did not keep it. If our systems are breached, there is nothing for attackers to steal about your communications. If your password is compromised, there is no encrypted backup on our infrastructure to decrypt offline.
The tradeoffs are real. If you lose your device without a backup, your message history is gone. Adding a new device requires either QR-code linking from an existing device or starting with a clean slate. Cross-device sync is less seamless than Saved. Customer support cannot help you recover messages we do not have.
Off the Record is meaningfully stronger than any mainstream social platform for metadata protection. It is not a replacement for Signal. For source protection in journalism, human rights work, or activism where communication patterns could endanger people, we recommend Signal. Off the Record on TheFlow is for users who want strong privacy on a platform that also serves their creative and social life.
Your account-level setting is your default. It determines what happens to messages unless you override it for a specific conversation.
If your account is set to Saved, you can mark individual conversations as Off the Record. In those conversations, messages are deleted from our servers after delivery and excluded from your encrypted backup, even though your other conversations remain Saved. This is useful if you want most of your messages preserved but certain conversations (personal, sensitive, time-bound) to leave no trace on our infrastructure.
If your account is set to Off the Record, all your conversations are Off the Record. You cannot mark individual conversations as Saved, because Off the Record means we have no backup infrastructure for your account at all. This is the stronger guarantee, consistent across every conversation.
In a conversation, each participant controls their own side independently. If you mark a chat as Off the Record, your server-side records are purged. The other participant's server-side records follow their own settings, which may or may not be Off the Record. The conversation UI shows each participant's setting so you always know the context.
A reminder: Off the Record means TheFlow does not retain the message. It does not mean the other person does not retain it on their own device. Anyone you message can screenshot, save, or share what you send. No platform can prevent this.
You can switch your account default in Privacy Settings. Switching to Off the Record deletes all your existing server-side message history immediately and irrevocably, including any conversations you had marked Saved. Switching back to Saved begins server-side retention from that point forward but does not recover history that was never stored.
Per-conversation Off the Record settings persist across account default changes. If you had specific conversations marked Off the Record while your account was Saved, those conversations stay Off the Record if you switch your account default.
These tools are available regardless of storage mode:
Disappearing messages. You can set a timer on any conversation (1 hour, 1 day, 1 week, 30 days, or off). When the timer expires, messages are deleted from your device, the recipient's device, and our servers. This is additive to Off the Record: in a disappearing Off the Record chat, messages are purged from servers on delivery AND from all devices on timer expiry.
Delete individual messages. You can delete any message you have sent. It is removed from our servers immediately and from the recipient's device the next time their app connects. If the recipient has already read or screenshotted the message, we cannot undo that.
Delete all your messages. You can wipe your entire message history from TheFlow's servers at any time. This removes all ciphertext of every message you have sent or received. Recipients may still have copies on their own devices.
Delete your account. You can permanently delete your TheFlow account. All account data is removed from our live systems immediately and purged from our backups within 30 days. Earnings records are retained for legal and tax purposes as required by law, with your identity minimized where possible.
Verify fingerprints. Each account has a short cryptographic fingerprint derived from its public key. For sensitive conversations, you and the person you are messaging can compare fingerprints through a different channel (in person, by phone) to confirm that no key substitution has occurred. Most users will not need this, but it is available for those who do.
TheFlow is a platform where artists' livelihoods depend on account access. We made a deliberate choice: rather than follow Signal's model (lose your device, lose your account, no exceptions), we offer identity-verified account recovery for users who have lost their password and all their devices.
Recovery requires identity verification through liveness check and government ID, includes a 24-hour cooling-off period during which notifications are sent to all your existing devices and email address, and results in a password reset and device re-enrollment. Recovery gives you back your account. It does not restore message history that was end-to-end encrypted under keys you no longer have. With Saved enabled, your encrypted message history returns if the password-derived key can be reconstructed. Conversations you had marked Off the Record, or an account that was Off the Record, come back with a clean slate.
If you prioritize maximum surveillance resistance over account recoverability, you can disable identity-verified recovery in your security settings. If you lose your password and all your devices with recovery disabled, your account is permanently unrecoverable.
We receive and respond to lawful legal requests. We will publish a transparency report annually.
We can provide in all modes:
Account metadata (creation date, last connection, email address, profile information you have made visible). Payment and earnings records as required by financial regulations. Public posts and announcements. Your encrypted account recovery blob, useless without your password.
We can provide for Saved conversations:
Ciphertext of messages in those conversations within our retention window, useless without the recipient's private key. Metadata about when those conversations occurred.
We cannot provide for Off the Record conversations, in any mode:
Ciphertext, metadata, or any record that the conversation occurred beyond the active delivery window (up to 72 hours for messages still in transit).
We cannot provide for any mode:
Plaintext of direct or group messages. Plaintext of message attachments. Content of voice or video calls. Your private keys. The plaintext contents of your recovery blob or encrypted backup.
If you are compelled by legal process to reveal your password, authorities could potentially decrypt your recovery blob offline (expensive but possible with weak passwords) and, for Saved conversations, use the recovered private key to decrypt any message ciphertext they obtained from us. The mitigations are strong password enforcement, marking sensitive conversations Off the Record, disappearing messages, and disabling recovery entirely if your threat model requires it.
We will not add backdoors, escrow mechanisms accessible to TheFlow, or law-enforcement-accessible decryption for end-to-end encrypted content.
We will publish transparency reports annually detailing legal requests we have received and how we responded.
We will commission independent security audits of our encryption implementation and publish the results.
We will disclose promptly any compromise of our systems that could have exposed user data.
We will notify users of legal process affecting their accounts whenever legally permitted.
If you find a security issue, please report it to security@theflow.com. We operate a responsible disclosure program and credit researchers who find and responsibly report vulnerabilities.
The Signal Protocol. Our current encryption uses long-lived keys. If your private key is ever compromised, historical messages become readable by the attacker. The Signal Protocol's Double Ratchet solves this by rotating keys per message, so each message uses a unique key that is deleted immediately after use. We plan to adopt the Signal Protocol for a future release. This is the same mechanism used by Signal and WhatsApp.
Post-quantum cryptography. We will adopt the NIST post-quantum standards in hybrid schemes as the ecosystem matures, following the model established by Signal's PQXDH and Apple's iMessage PQ3.
Client-to-client device sync. Currently, if you use one of your devices rarely, it may miss messages that arrived during its offline period beyond our 72-hour delivery window. We plan to add direct device-to-device sync so your own devices can catch each other up without relying on server retention.
TheFlow provides strong end-to-end encryption for private communication. With Saved, your encrypted history is on our servers, giving you cross-device sync and recoverable messages at the cost of having ciphertext we retain. With Off the Record, whether set account-wide or on a per-conversation basis, your encrypted history lives only on your devices, giving you metadata privacy at the cost of convenience.
Both modes protect your message content from us, from breaches of our infrastructure, and from legal process to a degree that exceeds any mainstream social platform. Neither mode is Signal. Signal is Signal, and it is the right tool for the narrow threat model it was designed for.
If you trust us, it is because we are being specific about what we protect, where our guarantees end, and what you should do when our guarantees are not enough. That is the honest shape of cryptography in a real product. We will not tell you otherwise.
Become an owner and member of TheFlow™
Join the first creator-owned media marketplace. Get 3-10x higher streaming payouts, own your data and your connection to your audience, get voting rights, and so much more.
"Finally, a platform that gets it. I'm going with TheFlow."
Jane Doe
Why become an owner?
Build a sustainable career
Up to 10x revenue per fan
Own your content & data
Vote on platform decisions
Three ways to earn
"Paid Attention" Streaming
Your earnings come directly from fans who actually listen to your music. If a fan listens only to you, you get their entire subscription (minus fees).
Backstage
Fans subscribe directly to you for exclusive content. You set the price (min $3/month) and decide what perks to offer: early releases, behind-the-scenes content, tutorials, or special events.
Digital Downloads
Sell high-quality music files directly to fans with full pricing control. Use "sell before you stream" for exclusive early access to create urgency around new releases.
Grow TheFlow Fund
How It Works
10% of all your revenue is invested in the fund
Sign 10 artists to the platform and get your full investment back
Additional referrals earn a proportional share of the remaining fund
Annual payouts in January - TheFlow never keeps any of the fund, 100% of the money goes back to the creators.
Membership benefits
Up to 10x higher revenue per fan
Direct to fan subscription system
Community investment fund participation
Access to all monetization tools
Transparent revenue analytics
Irrevocable profile and earnings control
Voting rights in platform decisions
Early member advantage
The $20 membership fee is our inaugural rate. Membership fees will increase as we provide more services and revenue streams with the platform.
Membership investment