✏️
The old school part. This is intentional.
a love letter to the early internet
Remember when the internet didn't know who you were?
In the AIM days, your screenname was your identity. You picked it yourself.
You wrote it down in a notebook or on a sticky note on your monitor.
If you forgot it, it was gone — that was the deal. Nobody stored it for you.
Nobody tracked when you logged in. Nobody knew which posts you read.
There was no "last seen 3 hours ago." You were either online or you weren't.
When a conversation mattered, you hit Print Screen. You saved it.
You took ownership of the things that were important to you.
The platform didn't hold your memories — you did.
That's Signoff. Not as a limitation. As a philosophy.
Buddy List — circa 2003
xX_punkr0ck_Xx
brb, getting pizza
stargazer_77
✨ if you're reading this you're amazing ✨
sk8rboi2004
away · at practice
On Signoff, your screenname is yours to remember. We cannot recover
it for you because we built the system so we genuinely don't have enough information
to. Your email is hashed the moment you register — we store a mathematical
fingerprint of it, not the address itself. If you contact us having forgotten
your screenname, we can't help. That's the deal. Write it down.
📸 Screenshots are king
Messages expire from our servers after 30 days. Your device
stores everything locally — your phone is the archive, our servers are the relay.
But if something really matters, screenshot it. Save it yourself. That's how this
works. It's how it always worked before we outsourced our memories to data centers.
🔐
Encryption — two layers, both must fail
Signoff uses hybrid post-quantum encryption — the same approach
now used by Apple in iMessage (PQ3, 2024) and Signal (PQXDH, 2023). It combines
two independent encryption systems working together.
ML-KEM-1024
Key exchange — post-quantum resistant. ML-KEM is a new
standard from NIST (Federal Information Processing Standard 203) designed
to resist attacks from quantum computers. Quantum computers that could
break classical encryption don't exist yet — but they will. ML-KEM is
built for that future.
AES-256-GCM
Message encryption — classically unbreakable. AES-256 is
the standard used by the US military, banks, and governments worldwide.
It has never been broken. It's what encrypts your actual message content
after the key exchange is done.
Hybrid
Both must fail simultaneously to read your messages. If
a quantum computer eventually breaks ML-KEM, AES-256 still holds. If
somehow AES-256 were weakened, ML-KEM still protects the key exchange.
You need both to break at the exact same time. That's the point.
Your secret encryption key never leaves your device. It's stored
in your phone's secure storage, your desktop's OS keychain, or your browser's
local storage — never on our servers. We hold the encrypted ciphertext. Without
your key, it's unreadable noise. Even if someone compelled us to hand over our
entire database, your message content would be meaningless to them.
📋 What Signal handed over in a 2016 grand jury subpoena
Two things: the date an account was created, and the date of last connection.
That was the complete list of data Signal had to give. Everything else — message
content, contacts, groups — they simply did not have. That's the goal. We're a
social platform, not a pure messenger, so we hold more than Signal does. But
the design philosophy is the same: if we don't store it, we can't hand it over.
🗑
What we collect. What we don't. Why.
Most privacy policies are written by lawyers to minimize liability.
This is written by the people who built the system to explain the actual
architectural decisions. Here's the honest inventory.
| Data point |
Most social apps |
Signoff |
| Email address |
Stored plaintext, forever |
Hashed immediately — we store a fingerprint, not your address |
| IP address |
Logged with every request |
Never logged — hashed briefly for rate limiting, then discarded |
| Last seen / last active |
Stored and displayed to others |
Never stored — we show Online / Away / Offline. That's it. |
| Message content |
Readable by platform, often indefinitely |
End-to-end encrypted — we hold ciphertext, not content. Expires in 30 days. |
| When you made friends |
Stored with timestamp |
Not stored — buddy relationships have no creation date |
| Who you searched for |
Logged to "improve recommendations" |
Never logged — search is rate-limited, not recorded |
| Who viewed your profile |
Often tracked for analytics |
Never tracked — no view counts, no profile visit logs |
| What content you read |
Tracked per-post for feed algorithm |
Never tracked — no algorithm means no need to know this |
| Device identifiers |
Collected for ad targeting |
Push notification token only — deleted on logout |
| Payment data |
Often stored in-house |
Held entirely by Stripe — we store only your Stripe customer ID |
📋
Server logs are purged every 7 days. There's no indefinite
server log archive to subpoena. After a week, they're gone.
🔑
Rate limiting uses hashed IPs with a rotating daily salt.
We can tell two requests came from the same source without knowing
what that source is. Yesterday's hashes cannot be correlated to today's.
🔗
Invite links leave no audit trail. When you generate an
invite link to a channel, we don't record who created it or who
used it. When it expires, the record is deleted entirely.
🌐
We run our own real-time infrastructure. Most apps use
third-party services (Pusher, Firebase) that log who connected to what
channel and when. We run Soketi, a self-hosted open-source server, so
no third party sees your connection metadata.
🚫
No algorithm. This is not a feature. It's a structural choice.
Algorithms need data to work. They need to know what you clicked, what you
read, how long you lingered on a post, who you interacted with and when. The
reason social media platforms collect so much behavioral data isn't malice —
it's that the product requires it. The feed algorithm is the product.
The surveillance is the foundation.
Signoff has no algorithm. Your feed shows posts from your buddies
in the order they posted them. Channels are real-time. Nothing is ranked. Nothing is weighted. Nothing is boosted.
There is no engagement score. There is no "recommended for you."
This means we have no business reason to track what you read. We don't need to
know which posts you scrolled past, which profiles you visited, how long you
So we don't. Not because we're generous — because we
architected a system that doesn't need it.
What chronological means in practice
You open the app. You see what your buddies posted while you were away, newest first.
You read what looks interesting. You skip what doesn't. You close the app.
Nobody knows which posts you read. Nobody is tuning future content based on your
behavior. There is no "engagement" being maximized. This is how RSS readers worked.
This is how email works. This is how Signoff works.
⏳
Messages expire. Your device doesn't. Here's why.
Channel messages expire from our servers after 30 days (90 for
Public posts don't expire — you chose to post publicly, so they stay public.
This isn't a storage limitation. It's a legal and privacy decision. Data that
doesn't exist can't be subpoenaed, breached, or misused. The shorter our server
retention, the smaller the window in which anything can go wrong.
But I want my message history
You have it — on your device. The Signoff app stores every message you receive
locally in an encrypted database on your phone or desktop. Scroll back as far
as you want. It's all there. The server expiry only affects syncing to a brand
new device. If you get a new phone without a backup, messages older than
30 days are gone from the server — but they're still on your old device
if you have it. This is how it worked before we handed our memories to
data centers. Your device is the archive.
This also means screenshots are king. If a conversation matters —
if you want to remember something someone said, save it yourself. This is
intentional. It's nostalgic. It puts you in control of your own memories instead
of trusting a company to hold them indefinitely.
🧹
Delete means delete. No asterisk.
When you delete your Signoff account, everything is removed from our servers
immediately. Your posts, buddy relationships, channel memberships,
"deactivation" that keeps your data around. No backup retention.
The moment you confirm deletion, our system runs a cascading hard delete across
every table in our database that holds your data. We cancel your Stripe
subscription. We delete your push notification token. We purge your cache.
Then your user record is deleted.
⚠️ This is permanent and immediate
There is no undo. There is no recovery. We can't restore your account after
deletion because we don't keep the data. If you delete your account,
your screenname is gone. If you want to come back, you start over with
a new screenname. This is by design. Write down your screenname.
🔗
Third parties we use. Honest inventory.
We use some external services. Here's what each one knows and why we use them.
💳
Stripe — processes Gold membership payments and tips.
Stripe is a regulated financial institution and holds payment data as
required by law. We do not store card numbers, billing addresses, or
payment history ourselves — Stripe is the source of truth. Their privacy
policy applies to payment data.
📧
Resend — sends transactional emails (password resets,
account confirmations). Resend sees your email address briefly for delivery.
We do not store your plaintext email in our database — it's hashed before
being stored. Resend does not receive the hash.
📁
Uploadthing / AWS S3 — stores media you upload (photos,
videos, GIFs). These files are stored on your behalf. If you delete your
account or a post, we delete the associated files. Media files are
user-generated content you chose to upload.
⚡
Soketi (self-hosted) — powers real-time messaging.
Unlike Pusher or Firebase, Soketi runs on our own servers. No third-party
company sees who connected to which channel or when. We chose to run our
own infrastructure specifically to avoid this.
🔴
Upstash Redis — rate limiting only. We store hashed
rate limit keys (not raw IPs) with a 24-hour TTL. After 24 hours
they're gone automatically. Upstash does not receive user IDs, screennames,
or any identifiable data — only anonymous hashed keys.
We do not use Google Analytics, Meta Pixel, or any advertising or tracking
technology. We do not sell data. We do not share data with advertisers.
We make money from $4/month Gold memberships and a 10% cut of tips.
That's the entire business model.
the short version
What can actually be subpoenaed from Signoff.
If a valid legal order required us to hand over data about a user,
here is what we would be able to provide after our system is fully built:
— A hashed email identifier (not the email itself)
— A screenname
— The current status (Online / Away / Offline)
— A list of buddy screennames (no timestamps of when the friendships formed)
— Channel membership (not message content — that's encrypted)
— Public post content (it was public, that's what the user intended)
— A Stripe customer ID (payment history lives at Stripe)
What we cannot provide: message content (encrypted, key on device),
IP addresses (never logged), status history (never stored), search history
(never recorded), profile view logs (never tracked), messages older than
30 days (expired and hard deleted), or data from a deleted account (gone).
We will notify users of legal requests where we are legally permitted to do so.
Questions? hello@signoffchat.com
· Last updated March 2025