Last Modified: March 20, 2017 (view archived versions)
Thank you for using Wickr! Wickr allows you to encrypt and send audio, video, voice, and text messages, so that you can communicate safely, securely, anonymously — and easily.
We work very hard to preserve your privacy and security, and we do our best to be as transparent as possible in explaining how we use your data in providing our Services. Please contact us if you have any questions at firstname.lastname@example.org
Wickr Messenger (Wickr Me App)
Our Privacy Practices in Brief:
Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.
- We can’t see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before it is transmitted to our servers. Because of this we don’t know — and can’t reveal to others — anything about you or how you use the Wickr App aside from the date your account was created, the date of last use and the type of device on which such account was installed. Please see our Legal Process Guidelines for more details.
- Wickr deletes all metadata from your messages and media.
- Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.
- Depending on your device, screenshots may or may not be possible. On Android devices, screenshots are not possible. On iOS and desktop, screenshots are possible. Please note that, if someone you communicate with on Wickr App takes a screenshot of your conversation on his or her iOS device, we will immediately notify you and show what was captured in that screenshot. There are no screenshot notifications available on Wickr desktop.
- There is no magic pill for betrayal and we cannot prevent someone using a camera to take a picture of a message on a screen. Therefore, we strongly encourage you to only send private messages or sensitive information to people you know and trust.
- You own your data. We do not share or sell any data about our users. Period.
What Information Does Wickr Collect and How Is It Used?
We are committed to limiting our collection of your information to what is necessary to provide you with our Services.
We only collect information from users who create Wickr Accounts. You must create a Wickr Account to use the Wickr App.
What We Don’t Collect: Equally important to us is the information we don’t collect. We will NEVER collect any location information or have access to the contents of the communications you send using the Wickr App. After messages are deleted (or after they expire), they are forensically deleted and are not retrievable by us or anyone else. (Remember, however, that if you send a Wickr message to another Wickr user, that message might remain on their device even after you delete it from yours, depending on the value you set for the self-destruct time of that message and whether the recipient took a screenshot of the message.)
User-Provided Information: We collect some very limited information from you after you download the Wickr App in order to allow you to create a Wickr Account, and begin using the Wickr App.
- Your Wickr ID: Your Wickr ID is how you allow others to contact you via Wickr. It does not have to be your real name or provide any reference to your identity. Like other information pertaining to your account, it is disguised with multiple rounds of salted, cryptographic hashing when we associate it with your Device Information (described below). The purpose of this cryptographic representation is to allow you to use our Services without our needing to know who you are.
- Your Password: We require you to have a password to use the Wickr App, but we never store your password on our servers and don’t store it by default in any form on your device. For your own security, we recommend that you use a long, unique password consisting of a mix of upper- and lower-case letters, numbers, and symbols.
Optional User-Provided Information: Within the Wickr App, we provide a few optional features for your convenience. Some of these features, described below, will ask for personal information. If you want to keep your use of Wickr as anonymous as possible, please read these sections carefully in order to understand how we associate information you provide with your Wickr Account.
- Push Notifications: When setting up your Wickr Account, we will ask if you want to receive notifications of new Wickr messages, software updates, and other administrative and technological developments. Push notifications are functions of devices operating system, so if you enable this feature, your devices operating system’s manufacturer will know that you are using the Wickr App, but will not know anything about how you use it or be able to see anything you transmit through it.
- ID Connections: To allow your friends to find you on Wickr without knowing your Wickr ID, you may choose to associate your other contact information — currently, just your phone number or email address — with your Wickr ID. When you use this feature, we disguise your contact information with multiple rounds of salted cryptographic hashing for storage on our servers. This way, you can let your friends search for you on Wickr without revealing your contact information to us. If you use ID Connect to associate your phone number with your Wickr ID, we use a third party service Twillio solely to deliver a confirmation SMS to you, but that party will not receive any information about you other than your phone number, and the SMS message itself will contain no information except a confirmation link.
- Invitations: If you enable Wickr Invitations, the Wickr App will be able to access your device’s contacts in order to invite them to use our Services. We never store your device contacts on our servers in any way. All invitations are generated locally on your device, without sharing any information with us.
- Find Friends: Find Friends allows you to search for contacts who have used ID Connect to associate their phone number or email address with their Wickr Accounts. If you use Find Friends, the Wickr App will send a disguised representation of your contacts phone number and email address to our servers, at which point our server will check that representation against our database to see whether that contact has an associated Wickr ID.
- Encrypting Cloud Data: The Wickr App will allow you to share PDFs and image files you have stored with cloud storage services Google Drive, Dropbox, and Box. The Wickr App will make encrypted copies of such files when sending as Wickr messages, which expire when the message self-destructs. Cloud storage of your files on Google Drive, Dropbox and Box will be governed by these cloud storage services’ terms, conditions, and privacy policies, so please familiarize yourself with those documents before you use this feature.
- Auto-Login: By default, the Wickr App will automatically log out of your account after a set period of inactivity, and in order to use the Wickr App again, you will have to reenter your password. If you enable Auto-Login, you will be able to use the Wickr App after a period of inactivity without having to enter your password each time. While you will still benefit from Wickrʼs security (e.g., deletion, encryption, etc.) and may find that your user experience is more seamless, this option is less secure than the default logout and password requirements, and we suggest that users who enable Auto-Login retain other security measures on their devices, like enabling screen locks and PINs through your device settings. On Touch ID-enabled iOS devices, users who choose to enable Auto-Login may activate Touch ID to open the Wickr App after a period of inactivity. It is important to still remember the password to the Wickr App, as Touch ID only serves as an additional optional protection measure on iOS devices with the enabled Auto-Login feature.
- Crash Log: For the purpose of debugging and error correction as well as for system continuity, users might choose to send crash logs to Wickr when prompted by the app. The logs do not contain any user personal information and they pertain only to the Wickr App. The process is voluntary and users can choose not to send their crash logs to us at any time. Participating in errors/crash reporting will help Wickr improve the quality of the app.
- Key Verification: To validate the identities of your contacts, the Wickr App offers a key verification mechanism. You can send a validation request to one of your Wickr contacts. In response, the contact may provide a hash of their public signature key via either an in-band technique, such as a video provided as an attachment to a Wickr message, or an out-of-band technique, such as a text message or an e-mail. For out-of-band techniques, the contact will have to know your phone number or e-mail address, since Wickr is unable to provide that information to your contact. After receiving the hash, you compare it to a hash your Wickr app generated from the contact’s public signature key obtained from the Wickr server. If the two hashes match, your contact’s identity is validated. Thus, you can verify your contact without the Wickr server’s involvement.
Automatically Collected Information: Wickr collects two types of information automatically during your setup and use of the Wickr App: Device Information and Aggregate Usage Data.
- Device Information: The Wickr App will collect a hashed representation of both your mobile device type and your mobile device’s hardware ID during registration, in order to connect that information with your account and to tie your account to your device.
- Aggregate Usage Data: During the operation of our services, we also collect aggregate, anonymous information about basic usage statistics, such as the number of messages sent by all Wickr users daily, what types of messages our users tend to send (e.g., voice messages more often than text), and so forth. We never attempt to (and cannot) identify users associated with any of this information.
What Information Does Wickr Share with Third Parties?
We do not share any user information we have with third parties, with the exception of the third-party service with whom we share your phone number for the sole purpose of sending you an SMS confirmation if you choose to associate your phone number with your Wickr ID. Please note that the provision of a phone number is completely at the user’s discretion.
Please see our full Legal Process Guidelines, but here are the highlights:
We will always notify our users of any third party requests for their information unless we are legally prohibited from doing so. As soon as legally permissible, we will notify our users of requests for their information. We require a warrant before handing over the contents of communications; however, because of the nature of our technology, the contents of communications will be encrypted and undecipherable if obtained.
You Can Deactivate Your Account
You can deactivate your account at any time. Once deactivated your account will be irrevocably suspended, ensuring that nobody can use that Wickr ID again in order to prevent impersonation. If you wish to deactivate your Wickr account, go to Wickr Settings, Account, tap “Terminate Account” and verify by entering your password.
We Retain As Little Data As Possible, for the Least Time Possible
Data Retention on Wickrʼs Servers: Our servers store the encrypted messages that you send and receive only long enough to ensure their reliable delivery to each device associated to your account. Undelivered messages are deleted after 7 days. We retain certain account data (i.e., types of messages sent and account settings changes) which contain no PII for up to 7 days.
Data Retention on Your Device: All messages are stored in encrypted form on end users’ devices. You choose your own retention policy for your messages by choosing how long a message is viewable before it is deleted (via the self-destruct time for sent messages and manual deletion for your device). Deleted messages cannot be recovered.
We Are Serious About Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees who need to know that information in order to operate, develop, or improve our Services. No sensitive information is in the clear: we take reasonable efforts (as described herein) to ensure that everything we store is not retrievable by us or anyone else.
However, as security experts, we know that no security system can prevent all potential security breaches. Therefore we have limited the potential implications of such a breach by designing our system so that in the event of a breach, we would have the least possible information about you.
Wickr’s network infrastructure and services are maintained in highly secure, strategically located data centers managed by Rackspace. Learn more about Rackspace’s security policies here.
Children and COPPA
We do not maintain any personally identifiable information about our users or their communications. You can learn more about the information Wickr does and doesn't collect in "What Information Does Wickr Collect and How Is It Used?" section of this policy.
Wickr is not directed to children under the age of 13. If we learn that we have collected personally identifiable information from a child under 13, we will take appropriate steps to delete such information as soon as possible.
In an ongoing effort to improve our services and assist our customers with any questions they have about the use of Wickr Messenger (Wickr App), we have developed a comprehensive collection of the most commonly asked customer support questions and answers, which are available here. Any information provided to us by our users voluntarily when they request customer support (e.g., an email address, Wickr App version, or any other details related to user issue) will be used to respond to that individual request and may be logged as part of our effort to improve our customer service and solve any product-related issues. This user-provided information cannot be linked to our users’ Wickr accounts, unless users voluntarily include their Wickr account information in their customer service-related requests. We strongly discourage our users from disclosing their passwords to Wickr accounts to third parties.
Here is an example of how we may use information collected via cookies: we may think that one of our new features would be very useful to the Wickr community, but cookies may tell us that very few users fully read that feature’s description on our site. That insight would prompt us to rethink the way we explain that product on our site or present it in an advertisement so that we can better communicate our services to our users.
To improve Wickr's products, website, or marketing, we may engage with various outside partners that have access to the limited data users voluntarily share with Wickr via web forms, cookies, or customer support and sales inquiries. We carefully select each of our partners based on Wickr’s commitment to user privacy and security. Our security team meticulously vets each prospective partner to ensure its policies and practices are on par with Wickr’s standards.
- To assist Wickr with improving our web content and advertising activities, we partner with Pardot, a B2B Marketing Automation Platform.
- To accelerate resolution of the most frequent customer inquiries, Wickr’s support is automated in collaboration with Zendesk, a customer support platform.
- To deliver a confirmation SMS to our users opting in to connect with friends via ID Connect, we use Twillio.
- To host our website, we use Squarespace.
- To maintain high-security, fast and reliable service delivery worldwide, Wickr partners with Rackspace, a global infrastructure provider.
Each of these companies has its own policies for handling user data. Please review the respective privacy policies for Zendesk, Twillio, Padot, Squarespace and Rackspace for a more complete understanding of their practices.
If you have additional questions regarding our privacy protection practices, please email us at email@example.com.
Users Outside the US
If you use our Services and reside outside the U.S., your information will be transferred to the U.S. and will be processed and stored there under U.S. privacy standards. By using our Services and providing information to us, you consent to such transfer to and processing in the U.S.
You are responsible for complying with any laws or regulations in your country that govern use of applications and services like Wickr.
Contact Us if You Have Questions
If you have any questions regarding privacy while using our Services, or have questions about our practices, please contact us via email at firstname.lastname@example.org.