Privacy Policy
Last updated: 9 May 2026
Effective: 9 May 2026
This Privacy Policy explains how Nexa Lucent Technologies Ltd ("Chattriix", "we", "us", "our") collects, uses, and protects your information when you use Messenger by Chattriix (the "Service"). We've written this in plain English wherever possible.
If you have questions, contact us at privacy@chattriix.com.
1. Who we are
Nexa Lucent Technologies Ltd is a company incorporated in the United Kingdom. We provide Messenger by Chattriix — an end-to-end encrypted messaging service for teams and organisations.
For UK GDPR purposes, Nexa Lucent Technologies Ltd is the data controller for personal data that we collect about you when you use the Service directly, and a data processor when we process data on behalf of an organisation that has deployed the Service for its members.
Contact for data protection matters: privacy@chattriix.com
2. The short version
We've built Messenger so that, by design, we cannot read the contents of your messages, calls, or shared media. Encryption happens on your device before anything leaves it.
The information we do hold about you is operational — what's needed to deliver messages to the right device, keep accounts secure, and run the service. We don't sell data, we don't run advertising, and we don't analyse the contents of your communications.
3. What information we collect
3.1 Information you provide
- Account information. Your email address (used as your identifier and for sending login codes), and any display name or avatar you choose to set.
- Organisation membership. If you join an organisation that uses Messenger, we associate your account with that organisation.
- Device information. When you sign in on a new device, we associate that device with your account so messages can be routed to it.
3.2 Information generated by your use of the Service
- Encrypted message content. Messages, voice notes, calls, and media you send through the Service are encrypted end-to-end. We store the resulting ciphertext on our servers so we can deliver it to your recipients, but we cannot read it. We hold encrypted message content for the time needed to deliver it across all your recipients' devices and (subject to your retention settings) for offline access.
- Metadata. To deliver messages, we necessarily process a limited amount of metadata: who is participating in a conversation, when messages are sent, and similar routing information. We minimise this and keep it for as short a time as is operationally necessary.
- Cryptographic keys. We hold the public portions of your device keys (used by other users to encrypt messages to you). We never have access to your private keys — those are generated and stay on your device.
- Authentication and session data. Login attempts, session tokens, refresh tokens, and similar details needed to keep you logged in safely.
3.3 Information collected automatically
- Technical telemetry. Error reports, crash logs, performance metrics, and similar information that helps us keep the Service reliable. This telemetry does not include the contents of your messages and is not used to track you across other services.
- Connection metadata. IP address, approximate location derived from IP, browser/OS type, and similar information that's standard to any web service. We use this to detect and prevent abuse and to keep the Service available.
3.4 What we explicitly do NOT collect
- The plaintext contents of your messages, voice notes, calls, or media. Encryption happens on your device.
- Your private cryptographic keys.
- Your contact list (we never upload it).
- Behavioural advertising profiles.
- Cross-site tracking identifiers.
4. How we use your information
We use the information described above to:
- Deliver the Service. Route messages between participants, sync across your devices, deliver push notifications, place voice and video calls.
- Keep accounts secure. Detect suspicious sign-ins, rate-limit abuse, recover compromised sessions.
- Provide customer support. When you contact us, we use account information to identify you and the issue.
- Improve the Service. Use aggregate, non-content telemetry to understand performance bottlenecks and reliability issues.
- Comply with legal obligations. Respond to lawful requests from authorities, retain records where required by law.
We do not use your information to:
- Build advertising profiles about you.
- Sell to data brokers, advertisers, or any third party.
- Analyse the content of your communications.
5. Legal bases for processing (UK GDPR)
We process your personal data under the following legal bases:
| Purpose | Legal basis |
|---|---|
| Delivering the Service to you | Performance of a contract (Article 6(1)(b)) |
| Keeping the Service secure | Legitimate interest in security (Article 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
| Sending account-related emails (e.g., login codes) | Performance of a contract (Article 6(1)(b)) |
| Marketing communications (if any) | Your consent (Article 6(1)(a)) — withdrawable at any time |
6. Who we share your information with
We share your personal data only in the following limited circumstances:
- Other Service users. When you send a message, the encrypted content is delivered to your recipient's devices. Your display name, avatar, and account email visible to your recipients are by definition shared with them.
- Service providers. We use trusted infrastructure providers (cloud hosting, push notification gateways, email delivery, error tracking) to operate the Service. These providers process data on our behalf under contracts that meet UK GDPR requirements.
- Your organisation administrators. If you use Messenger as part of an organisation, that organisation's administrators may have access to account-level information about you (e.g., your account email, when you joined, whether you're active). They cannot access the content of your messages.
- Legal authorities. We comply with valid legal process in the United Kingdom. Because we cannot decrypt your message content, what we can produce in response to such requests is limited to the metadata described in Section 3.2.
We do not sell your personal data to anyone.
7. International transfers
We are a UK-incorporated company and our primary infrastructure is in the European/UK region. Some of our service providers (for example, push notification gateways operated by Apple and Google) are based outside the UK. Where we transfer personal data internationally, we rely on appropriate safeguards under UK GDPR (such as adequacy decisions or Standard Contractual Clauses).
8. How long we keep your data
- Account data: for as long as your account is active, plus a reasonable period after deletion to handle billing reconciliation, abuse prevention, and legal-compliance requirements (typically up to 30 days for routine data, longer for billing/audit records where law requires).
- Encrypted message content: delivered to recipient devices, then retained for offline access according to the retention settings of your account or organisation. We honour deletion requests promptly.
- Operational telemetry: aggregated and pseudonymised within 30 days of collection.
- Authentication logs: typically 90 days, longer where required for security investigation.
When you delete your account, we permanently remove your personal data from our active systems within 30 days, except where law requires longer retention. Encrypted message backups are scrubbed beyond decryption — even with our cooperation, the content cannot be reconstructed.
9. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your data.
- Restriction — ask us to stop processing your data while a query is resolved.
- Portability — receive your data in a structured, commonly used format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — for any processing based on consent.
To exercise any of these rights, email privacy@chattriix.com with the request and the email associated with your account. We respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk if you believe we have not handled your personal data properly.
10. Security
Securing your data is foundational to how we built the Service. Highlights:
- End-to-end encryption for messages, calls, voice notes, and media. The encryption key for each conversation never leaves the participating devices.
- Forward secrecy — keys rotate automatically so that compromise of a current key does not expose past communications.
- Encrypted at rest — what we do hold is stored on encrypted infrastructure.
- Transport security — all connections use TLS 1.2 or higher with strict cipher suites.
- Multi-device verification — adding a new device to your account is logged and visible to you.
- App-level lock — biometric (Face ID, Touch ID, fingerprint) protection on top of device security.
- Responsible disclosure — security researchers can report vulnerabilities at security@chattriix.com per our security.txt.
No security system is perfect. If we ever become aware of a personal data breach affecting your information, we will notify you as soon as practicable and in any event within the time limits required by UK GDPR.
11. Children
Messenger is designed for use by adults and by individuals aged 16 and over (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children below that age. If you believe a child has provided us with personal data, contact us and we will take appropriate action.
12. Cookies and similar technologies
The Service uses a small number of strictly necessary cookies and local-storage entries to keep you signed in and to remember your preferences. We do not use third-party advertising cookies, cross-site tracking pixels, or analytics that build profiles of you across websites. See our Cookie Notice on the website for details.
13. Self-hosted deployments
If you use a copy of Messenger that has been deployed by your organisation on its own infrastructure, that organisation is the data controller for your data, not Chattriix. Different terms may apply. Speak to your organisation's administrator for the applicable privacy notice.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in-app and/or by email and update the "Last updated" date at the top. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. How to contact us
For privacy questions, requests under UK GDPR, or any other data-protection matter:
Email: privacy@chattriix.com
Postal: Nexa Lucent Technologies Ltd, Office 16394, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom
Company number: 12282058 (registered in England and Wales)
For security vulnerabilities specifically: security@chattriix.com.
This Privacy Policy is governed by the laws of England and Wales.