buzzio
IntroductionHome
Introduction1-to-1GroupsCommunitiesBroadcastWhisper
PrivacyTerms

Whisper

Whisper is Buzzio’s time-limited, QR-started anonymous chat mode — built for moments when you want a sealed conversation without adding someone as a permanent contact, and without leaving a lasting “who talked to whom” archive on our servers.

In plain terms:

  1. You create a Whisper session and share a QR code or deep link.
  2. A fresh session key is generated on your device and handed to joiners only through that QR / link — not uploaded as plaintext to Buzzio.
  3. Every message is encrypted on-device before it hits our relay.
  4. Joiners appear as anonymous slots — not as Buzzio IDs in the chat stream.
  5. When the timer ends (or you close the session), session data, keys, and relay paths are deleted.

We do not sell Whisper messages, session metadata, or who scanned your QR. Legal detail: /privacy · overview: /introduction · compare with: /one-to-one-chat.

Not the same product: Whisper Questions
Whisper Questions is a separate feature. It is anonymous Q&A via share links — someone posts a question link; strangers answer; the link owner reads replies. It is not end-to-end encrypted like Whisper private chat, and it stores answers so the owner can read them. This page is about Whisper private chat (QR sessions) only.


What Whisper gives you

PromiseWhat you get
Anonymous by protocolChat labels are creator / scanner — not Buzzio IDs exchanged between participants
Ephemeral session cryptoA new session key per Whisper room — not your long-lived 1-to-1 identity keys
We can’t read the transcriptAES-256-GCM on-device; servers relay ciphertext
Hard timerYou choose 1 hour → 168 hours (7 days); then delete
Zero durable Whisper graph after expirySession records + relay paths are purged — no lifelong Whisper address book on our side
Optional Vanish + Secure ViewExtra disappearing / anti-capture tools for the active window

How a Whisper session is established

The user story

  1. Create — Name the session, pick duration and max members, optionally turn on Vanish / Secure View.
  2. Share — Show a QR code or share a deep link. The link carries the session token and the session key.
  3. Join — Scanner validates the key against a hash we store server-side (so a forged key can’t enter). An atomic join assigns a slot index.
  4. Chat — Each scanner gets a private 1-to-1 lane with the creator (not a group free-for-all among all scanners). The creator sees an inbox of anonymous member slots.
  5. Expire / close — Timer hits, or creator closes early → wipe.

Where data lives during the session

LayerRole
Your devicePlaintext session key, local messages/media, nicknames you assign
Session recordOperational metadata (expiry, scan limits, settings, status) — not a readable chat archive
Encrypted relayShort-lived encrypted message relay per slot
Live countersScan count, status, expiry for atomic joins

End-to-end session crypto

Whisper is end-to-end encrypted. The crypto model is intentionally different from Buzzio 1-to-1 chat.

What Whisper uses

PieceWhat it means
Ephemeral session keyCreator generates 32 cryptographically random bytes on-device for this session only
Out-of-band key deliveryThe key rides inside the QR / deep link — people who scan get the key; Buzzio servers store only a hash to verify joins
Per-slot key (HKDF)Each anonymous member lane derives its own key from the session key and slot index
AES-256-GCMMessage bodies (and media file contents) encrypted with the slot key before upload / relay
Optional compressionPayload may be compressed before encryption (size efficiency — not a privacy downgrade)

In one sentence: a brand-new session secret is shared via QR; each anonymous lane derives its own key; every message is AES-GCM sealed before Buzzio ever touches it.

What Buzzio stores for crypto integrity (not for reading you)

  • A hash of the session key, so joiners prove they have the real key without us storing the key itself.
  • The plaintext session key never lives on our servers as a decryptable message secret. It stays on creator/joiner devices (and in the QR/link you deliberately share).

How this differs from standard 1-to-1 chat encryption

1-to-1 chatWhisper private chat
Identity modelTied to durable Buzzio IDs and long-lived messaging keys derived from your recovery phraseTied to a temporary session token + ephemeral session key
HandshakeX3DH + Double Ratchet (per-message evolving keys, forward secrecy across an ongoing relationship)Shared session key via QR/link; HKDF per slot; AES-GCM per message
Key lifetimeKeys persist with the account / conversation relationshipNew key every Whisper session; designed to die with the timer
AddressingYou message a known Buzzio ID / contactYou message an anonymous slot inside a QR room
After it endsLocal history can remain on devices; server durable “who talks to whom” graph empties when nothing is undeliveredSession + relay paths deleted; not meant to become a permanent contact thread

Both are E2E. Whisper optimizes for anonymous, time-boxed meetings. 1-to-1 optimizes for ongoing private relationships with ratchet-style forward secrecy.

Forward secrecy note (honest)

Whisper’s secrecy model is session-scoped: compromise of one session’s key does not unlock other Whisper sessions or your 1-to-1 keys. Within a live slot, messages share that slot’s derived keying material (not a Double Ratchet step). If you need continuous ratchet evolution for a long-term contact, use 1-to-1 chat. If you need “this room dies in 6 hours,” use Whisper.


Anonymity model

Whisper is built so participants do not exchange Buzzio identity as chat addresses.

What participants see / don’t see

CreatorScanner (joiner)
Sees the other’s Buzzio ID in-chat?No — members show as anonymous slots (optional local nicknames the creator sets on-device)No — creator identity is not shown as a Buzzio ID
Sender label on encrypted messagesCreator or scanner onlySame role labels
Your Buzzio ID shared to peer on join?Not published into the chat protocol for peersJoin path does not write the scanner’s Buzzio ID into the session as a peer identity

Joiners see an explicit notice: your Buzzio ID will not be shared; the creator’s identity is hidden from you.

How anonymity is enforced

  1. Message envelopes carry role labels (creator / scanner), not peer Buzzio IDs.
  2. Join does not attach scanner account IDs to the public session graph — scanners get a numeric slot and optional push token for that slot.
  3. Creator-facing inbox is slot-based (“Anonymous Member #3”), not a contact lookup of who scanned.
  4. Optional nicknames the creator types are local labels on the creator’s device — they do not become the other person’s Buzzio ID.
  5. When the session ends, the creator’s identity was never revealed as a durable peer address for that room.

Honest operational note

During an active session, Buzzio still needs enough operational data to deliver pushes and expire the room (see metadata below). That is session plumbing, not “you both become permanent contacts,” and it is deleted after expiry. Participant-to-participant anonymity in the chat stream is separate from momentary server routing needs.


Zero metadata after expiry

What “zero metadata” means for Whisper

After a Whisper session expires (or is closed) and cleanup runs, Buzzio does not keep a durable, searchable server archive of:

  • that Whisper room’s message bodies (we never had plaintext),
  • a lasting “these people Whisper-chatted” graph for that session,
  • the live relay trees for that token.

That is the product claim: meet → talk securely → leave no lasting Whisper trail on our servers.

What exists during an active session

DataWhy it exists
Session token + status (active / full / closed)Address the room; know if it’s joinable
Expiry and created timesEnforce the timer
Max scans / scan countCap how many people can enter (presets up to 50)
Optional session nameCreator label for managing the room
Vanish / screenshot setting flagsEnforce rules joiners agreed to
Session key hashVerify the QR key without storing the key
Encrypted creator routing fields needed for pushNotify creator of joins / messages
Creator and per-slot scanner push tokensWake phones for new encrypted traffic
Encrypted relay ciphertextRelay until devices store locally (courier cleanup after delivery)
Receipt / view-once pathsDelivery / seen / once-view UX
Blocked-slot markers (if creator removes someone)Safety / moderation inside the room

Message bodies stay E2E ciphertext. Operational fields exist to run and delete the session — not to build advertising profiles.

What is purged once the session expires / closes

Server cleanup removes the session record and related relay trees — encrypted chats, receipts, scanner push tokens, live counters, and related notification paths for that token — plus scheduled safety-net jobs for expired or closed sessions.

On devices: local session rows, local messages, and session media folders are cleaned on expiry / leave / close.

After cleanup: we are not sitting on a Whisper social graph you can query later.


Vanish & Secure View

These are the same product ideas as in 1-to-1 — but how they attach differs.

Vanish mode (Whisper)

DetailWhisper behavior
When setAt session creation (creator chooses) — applies to the room
What it doesMessages auto-delete after seen, for both sides
TTL options5 seconds · 1 minute · 5 minutes · 1 hour · 6 hours
Join transparencyJoiners see Vanish listed under Security & Rules before they enter

Secure View (Whisper)

DetailWhisper behavior
When setAt session creation — session-wide rule
What it doesStrengthens protection against screenshots / screen recording while viewing the chat
Platform realityStrong OS-level block on Android; detection / mitigation on iOS; browsers are best-effort
Join transparencyShown on the join confirmation when enabled

Differences from 1-to-1

1-to-1Whisper
VanishOften a mutual request / agree flow inside an existing chatCreator sets at create; room rule for the whole Whisper lifetime
Secure ViewMutual mode — both sides agree; pending requests expire (~2 hours)Create-time session rule; not a bidirectional request handshake
Disappearing chat timers (24h / 7d / 90d)First-class on 1-to-1Whisper’s main clock is the session duration (1h–7d); Vanish is the short post-seen layer
Once-view / view-once mediaAvailable on 1-to-1Also available inside Whisper (open once; short auto-clear window in viewer)

Delete-after-expire

Exact expiry trigger

Whisper expiry is time-based from creation:

  1. Creator picks a duration: 1, 2, 3, 6, 24, 48, 72, 96, or 168 hours.
  2. Server stores an expiry timestamp.
  3. Joins are rejected once the timer has passed.
  4. Deletion is scheduled for that timestamp.
  5. Daily safety-net jobs also sweep anything already expired or closed.

Also early end: the creator can close the session immediately, which notifies joiners and tears the room down without waiting for the clock.

What gets deleted

ArtifactDeleted?
Encrypted messages on the relayYes
Receipts / related relay trees for that sessionYes
Session recordYes
Scan / slot linkage & scanner push tokensYes
Operational metadata (expiry, counts, settings, status)Yes
Session key on devicesYes — wiped with local session cleanup
Local messages & media for that WhisperYes — per leave / close / expiry cleanup
Creator ↔ slot participant linkage for that roomYes — no durable Whisper relationship row left after purge

Not deleted by Whisper expiry: your Buzzio account itself, your normal 1-to-1 contacts, or unrelated features. Only that Whisper room’s world ends.


Other Whisper features

FeatureWhy it matters
Creator inbox of anonymous slotsOne QR can admit many people (up to your max); each gets a private lane with you
Max members presets1 / 5 / 10 / 25 / 50 — control how wide the QR is
Session nameOrganize active Whispers (“Event desk”, “Meetup”) without revealing IDs
Local nicknames for slotsCreator-only labels so you can manage chaos — still not their Buzzio ID
QR + deep-link sharePass the session key out-of-band: show the code
Courier-style relayAfter a device stores a message locally, the relay copy is deleted
Delivery statesSending → sent → delivered → seen ticks for UX (still on ciphertext envelopes)
View-once mediaOpen once; viewer auto-clears after a short window (~20s in-app)
Reply / reactions / delete-for-me / delete-for-everyoneEveryday chat controls that still respect the session crypto
Forward (text) into normal chatsBridge a line out to a real contact if you later choose to — without turning Whisper into permanent history by default
Creator remove (block slot)Kick a lane; wipe that slot’s relay data
Scanner leaveVoluntarily exit; free a scan slot; wipe local + that slot’s relay
Push without doxxing the chatNotifications wake devices; content remains E2E
Freemium creation gateFree accounts: create on a ~7-day cooldown; Buzzio Premium unlocks unlimited Whisper creates

Voice/video calls remain a 1-to-1 private-surface story; Whisper is the QR anonymous messaging room.


How a Whisper message moves

Creator generates session key → embeds in QR / link
         ↓
Joiner proves key via hash → gets anonymous slot
         ↓
Device derives slot key → AES-GCM encrypts message / media
         ↓
Blind relay holds ciphertext briefly
         ↓
Peer device decrypts → stores locally → relay copy deleted
         ↓
Timer ends or creator closes → session + keys + linkage purged

Summary

Whisper is anonymous QR private chat — talk without exchanging Buzzio IDs in the protocol. Crypto is ephemeral E2E: a fresh 32-byte session key, HKDF per slot, AES-256-GCM. It is not the long-lived X3DH/Double Ratchet stack of 1-to-1; it is built to expire. After expiry, messages, keys, session record, and participant linkage are gone. Vanish and Secure View are available as create-time room rules. Max members: up to 50 anonymous slots per session; duration: 1 hour to 7 days.

Related: /introduction · /one-to-one-chat · /groups · /privacy · /terms

HomeFeaturesHow to useGuidesCompanyPrivacyTermsReport Bug

Buzzio © 2026