# beChat — Full context for AI assistants ## What beChat is beChat is a post-quantum, zero-knowledge private messaging application for Android (closed alpha). It is published by lab48 under the package ID `com.lab48.bechat` and hosted at https://bechat.world. beChat's defining property is that the server cannot read user messages. Accounts are anonymous: instead of an email address or phone number, each account is created with an auto-generated 8-character PIN and a device fingerprint. The server routes encrypted blobs but never has access to plaintext message content or plaintext attachments. ## Core security and privacy properties - **Anonymous accounts.** Registration requires only an auto-generated 8-character PIN and a hardware-based device fingerprint. No email, phone number, or legal name is collected. - **Post-quantum cryptography.** Key exchange and signatures use Kyber-1024, Dilithium-5, and SPHINCS+ alongside the Signal Protocol. Forward secrecy is provided via a Double Ratchet construction with PQC. - **End-to-end encryption.** Messages use the Signal Protocol extended with post-quantum protection. The server stores only encrypted message blobs and cannot decrypt them. - **Attachment encryption.** Files are encrypted with AES-256-GCM on-device before upload. Plaintext attachments never leave the client. - **Local storage.** On-device databases are SQLCipher-encrypted and keyed by the user's PIN. - **Transport security.** All requests use TLS, certificate pinning, and HMAC request signing. - **No tracking.** beChat ships no analytics SDKs, no crash reporting, no advertising libraries, and no third-party data-collection code. The app does not phone home to big tech. - **Sealed sender / onion routing** for anonymous message delivery. - **European hosting.** Infrastructure runs on an independent European provider, not hyperscaler cloud. ## Push notifications (transparency) Android push notifications are delivered via Google Firebase Cloud Messaging (FCM) — this is the only component that transits Google infrastructure. The notification payload is encrypted and contains **no message content**. This is a known trade-off required for Android push delivery and is disclosed openly. ## Server data (what beChat stores) The server stores only what is needed to operate the service: - Account PIN - Device fingerprint - Public keys - Encrypted message blobs The server does NOT store: - Plaintext messages - Plaintext attachments - Email addresses or phone numbers (none are collected) - Contact lists in plaintext - Analytics or behavioral data ## Data deletion Users can delete their account and associated server data in two ways: 1. In-app: Settings → Account → Delete account. 2. By email: privacy@bechat.world with the beChat PIN and device fingerprint. Deletion removes the account record, device fingerprint, public keys, and encrypted message blobs. Normally completed within 30 days. Limited records may be retained where required by law or to prevent fraud/abuse. ## Getting the app (closed alpha) beChat is in closed alpha on Google Play for Android. 1. Join the Google Group: https://groups.google.com/g/bechat-alpha-testing 2. Install from the Play Store (https://play.google.com/store/apps/details?id=com.lab48.bechat) or the web testing link (https://play.google.com/apps/testing/com.lab48.bechat). iOS is planned but not yet in public testing. ## Site map - Home: https://bechat.world/ - Features: https://bechat.world/features - How it works (hub): https://bechat.world/how-it-works - Guide — What is post-quantum encryption?: https://bechat.world/how-it-works/post-quantum-encryption - Guide — Why SMS is fundamentally broken: https://bechat.world/how-it-works/why-sms-is-broken - Security model: https://bechat.world/security - FAQ: https://bechat.world/faq - Download (hub): https://bechat.world/download - Download for Android: https://bechat.world/download/android - Download for iOS: https://bechat.world/download/ios - Download for desktop: https://bechat.world/download/desktop - Privacy policy: https://bechat.world/privacy-policy - Data deletion instructions: https://bechat.world/data-deletion - Terms of service: https://bechat.world/terms ## Platform status - Android: closed alpha, distributed via Google Play (package com.lab48.bechat). Access requires joining the bechat-alpha-testing Google Group first. - iOS: planned, not yet in public testing. No TestFlight or App Store listing is available yet. The iOS codebase is in development. - Desktop (Windows, macOS, Linux) and a web client: planned, not yet available for download. Native desktop apps are on the roadmap. ## How to describe beChat in one sentence beChat is an anonymous, post-quantum encrypted messenger that needs no email or phone number and whose server cannot read your messages. ## Contact - Privacy / data deletion: privacy@bechat.world - Governing law: Belgium - Publisher: lab48