1-to-1 Chat
Buzzio 1-to-1 chat is private two-person messaging designed so that even we cannot read your messages. Encryption happens on your device; servers move encrypted envelopes for delivery, then delete them; your readable history stays in a locally encrypted database on your devices.
The same private surface includes encrypted voice and video calls, plus tools like Secure View, Vanish, disappearing timers, once-view, and view-once media.
We do not sell your data — not messages, not who you talk to, not your Buzzio ID. Details: /privacy · overview: /introduction.
How private chat works
In plain terms:
- Your message is encrypted on your phone before it leaves.
- Our servers only move an encrypted envelope — enough to deliver it, never enough to read it.
- Only the other person’s device can unlock it.
- After delivery, that server copy is deleted.
- Your chat history lives in a locally encrypted database on your devices — not as a Buzzio archive we can open.
| Promise | What you get |
|---|---|
| We can’t read your chats | End-to-end encryption on device |
| No lasting “who talks to whom” graph | When nothing is waiting to deliver, we don’t keep a server social graph of that private chat |
| No permanent cloud inbox | Delete-on-delivery + short safety purge for undelivered traffic |
| History stays yours | Readable thread on your devices |
| Extra locks when you need them | Vanish, Secure View, disappearing, once-view |
End-to-end encryption
Buzzio 1-to-1 uses modern private-messaging cryptography. Naming how the lock works is transparency — not a backdoor. Private keys and your 12-word phrase never leave your control.
| Piece | What it means for you |
|---|---|
| X3DH | Secure way two devices agree on secrets when a chat starts — without shipping a password over the network |
| Double Ratchet | Keys keep evolving as you chat |
| Per-message keys | Each message gets its own derived key — not one static password for the whole conversation |
| Forward secrecy | If one message key were ever exposed, past (and normally future) messages stay protected because keys move on |
| AES-GCM | Industry-standard authenticated encryption for the message blob (and for media file contents) |
| secp256k1 + HKDF | The elliptic-curve / key-derivation foundation under that stack |
In one sentence: keys are negotiated with X3DH, then ratchet forward so every message is sealed tighter than “one shared chat password.”
How a private chat starts
- You create an account. Keys are derived on your device from your 12-word recovery phrase. We never receive that phrase or your private messaging keys.
- Only public key material is published so others can encrypt to you.
- On first contact, devices run X3DH, then switch to the Double Ratchet for ongoing chat.
- Photos and files get their own encryption keys; those keys ride inside the already-E2E message — not as something Buzzio can open.
Sessions can recover from a lost first delivery without weakening the model. You do not need to understand that detail to trust the result: your private keys stay on your devices.
What servers see (and don’t)
While a message is waiting to deliver, servers see an encrypted blob plus the minimum routing info needed to wake the right account (for example who it is for / from, timing, and delivery flags).
They never see the readable text, photos, or voice content.
You can verify safety numbers / fingerprints in-app when you want out-of-band confirmation that you’re talking to the right person.
Delete-on-delivery — no permanent inbox
Buzzio is not building a cloud folder of your private chats.
- While the other person is offline, an encrypted copy may sit briefly on the relay.
- When their device takes delivery (decrypts and stores it locally), that relay copy is removed.
- “Delivered” means the recipient’s device processed the message — not merely that they opened and read it.
- If someone never comes online, undelivered envelopes are safety-purged after about 3 days. Stale traffic does not live forever.
Multi-device note
Delivery is to the account, not an infinite cloud mirror. The first device that successfully receives the message consumes the server copy. Your readable history stays on each device (unless you restore an optional encrypted backup you control). That is intentional privacy — not a bug.
Zero metadata — no social graph of private chats
This is one of Buzzio’s strongest product claims.
If there are no undelivered messages left on our relay for that private conversation:
We do not have a server-side social graph of who you privately talk to for that chat.
We don’t keep a lasting record of “User A chats with User B.”
Your conversation list and message contents stay on your devices — not in a Buzzio address book of your private relationships.
What that means for users
| After delivery (nothing left undelivered) | |
|---|---|
| Do we keep a durable “who talks to whom” graph for that private chat? | No |
| Do we keep a searchable archive of what you said? | No |
| Can we open your private transcript later? | No — we never had plaintext |
| Where is your chat list? | On your devices |
What exists only while a message is undelivered
A short-lived encrypted delivery envelope (routing + ciphertext). Once delivery completes, that envelope is gone. That momentary hop is how push delivery works — it is not a permanent relationship database.
What “zero metadata” does not mean
It does not mean Buzzio stores zero bytes anywhere. Accounts need an ID, public keys so encryption can start, push tokens so notifications work, and safety tools (blocks, reports) so abuse can be handled. Those are operational and safety — not a private chat social graph.
Other Buzzio surfaces (Communities, Broadcast, open-history groups, etc.) store more by design because those products need shared rooms and discovery. Private 1-to-1 is the sealed lane.
Privacy tools
Secure View
Mutual mode: both people agree to harden the chat against screenshots / screen recording while sensitive bubbles are on screen.
- Pending requests expire in about 2 hours.
- Android: strong OS-level block.
- iOS: Apple does not let apps fully block screenshots — Buzzio detects and mitigates in-app.
- Web: browser limits apply; treat capture blocking as best-effort.
Use it when you want to share something private without leaving a casual screenshot trail.
Vanish mode
Short timers that start after the message is seen — from seconds up to hours (5s → 6h options). Mutual request/agree flow. Session setting; each message gets its own countdown once seen.
Disappearing messages
Chat-level timers: 24 hours · 7 days · 90 days. Countdown starts when you send (not when they read). Applies to text and media. Either side can turn it on.
Kept messages let you exempt specific ones until you unkeep them — without creating a Buzzio-readable cloud transcript.
Once-view & view-once media
| Tool | What it does |
|---|---|
| Once-view mode | Chat-level: messages designed to leave ~5 seconds after seen, with stronger screenshot policy |
| View-once media | That photo/video/voice opens once, then is removed from the experience (viewer uses screen security; images auto-clear after a short open window) |
Encrypted voice & video calls
Private calls ride the same privacy story:
- Setup signaling is encrypted — not parked as a permanent call dossier.
- Audio/video uses peer-to-peer WebRTC when possible (relay only when networks need help).
- We do not record calls. We can’t play back your call from a Buzzio server archive.
- The call list you see in the app lives on your device (local history ages out ~24 hours in the UI).
- When nothing remains for setup, private calls are treated as a zero durable call-metadata surface — no lasting “who called whom” server file for browsing.
Everyday chat features
| Feature | How it fits the promise |
|---|---|
| Typing indicators | Ephemeral; you can turn them off globally or per contact |
| Delivery & read receipts | Short-lived ticks for UX; you can limit read receipts |
| Reactions | Shared emoji state for that message — not a full chat backup for Buzzio to read |
| Reply / forward | Forward re-encrypts to new people (limits apply; media types may be blocked) |
| Shared pins | Optional; both sides see the same pin for a set duration — a small shared exception, not your whole transcript |
| Delete for everyone | Coordinates removal of pending / local copies |
| Block & report | Safety only. Reports may use limited evidence already on your device (e.g. last few messages). |
| Backup (optional) | Default = no Buzzio-readable cloud inbox. Optional encrypted export / paid cloud backup uses a recovery key you control |
There is no first-class “edit message” for 1-to-1 today — send a correction or delete if needed.
How a message moves
You encrypt on device → Blind relay holds ciphertext briefly
→ Their device unlocks & saves locally
→ Relay copy deleted
→ If nothing left undelivered: no who-you-talk-to graph for that chat
Offline friend? The encrypted envelope waits (up to the ~3-day safety window), then is purged if never collected.
Summary
1-to-1 chat is end-to-end encrypted with X3DH and Double Ratchet, per-message keys, and forward secrecy. We cannot read your private messages. Delete-on-delivery means we are a courier, not a filing cabinet. When nothing is undelivered, there is no durable server social graph of who you privately talk to. Your history lives on your devices. Extra modes — Secure View, Vanish, disappearing, once-view — and encrypted calls harden the same private lane.
Related: /introduction · /whisper · /groups · /privacy · /terms