Some mainstream chat apps claim to prioritize privacy while quietly building user profiles in the background. EXTRA SAFE takes a different approach: it’s designed so the platform is simply unable to know who you are, even if we wanted to.

That distinction is essential. Regulatory pressure, data breaches, and legal demands rarely target live conversations. They target stored data: identities, logs, metadata, histories. And many popular platforms retain all this long after messages “disappear” or calls end.

Between 2020 and 2024, many of the most visible privacy incidents in messaging apps weren’t caused by broken encryption, but by retained data:

• In 2020, the Pegasus spyware exploited a WhatsApp calling vulnerability to compromise journalists and officials without answered calls.

• In 2021, the Telegram user database scrape and the Facebook leak, which affected over 500 million users, exposed phone numbers and identifiers that could easily be linked to Messenger accounts.

• In 2022, unencrypted WhatsApp cloud backups and third-party tools leaked chat metadata and contacts.

• By 2023, insecure APIs and bots became a recurring source of private chat exposure, particularly on platforms with rich integrations.

• In 2024, 361 million stolen accounts leaked on Telegram.

Across these incidents, the pattern stayed the same: attackers targeted identities, metadata, backups, and logs – the data platforms chose to keep, long after supposedly private conversations.

That is why data minimisation isn’t an ideology – it’s a risk-reduction strategy.

Why Privacy Might Fail Before Encryption Breaks

When user privacy fails, it’s rarely because encryption was broken. More often, it’s because the system remembered too much.

Even after a message or a call is “gone,” many platforms still retain technical traces such as:

• timestamps and delivery confirmations,

• session and connection records,

• persistent identifiers,

• communication logs.

None of this reveals message content, but together, it shows patterns:

• who talks to whom,

• how often,

• at what times,

• and from which environments.

That metadata can expose workplaces, activist groups, negotiation structures, or personal routines. In real life, it often becomes equally revealing as the messages themselves.

This is why privacy depends less on what a platform claims and more on what it is architecturally capable of storing.

What Data Minimisation Means in a Chat App

In this type of product, data minimisation doesn’t mean “collect less information and protect it better later.” It means don’t collect it at all.

In operational terms, this is what it looks like:

• 1.

  Personal, real-life identifiers, such as email addresses or phone numbers, are not tied to communication.

• 2.

  There are no permanent user profiles.

• 3.

  There are no historical message archives.

• 4.

  No behavioral tracking is linked to individuals.

If a system doesn’t need this data to function, storing it only creates future risk.

Designing a System That Works Without Knowing Users

EXTRA SAFE is built around the idea that secure communication should work without a user identity as a prerequisite.

That means:

• anonymous cryptographic identifiers instead of accounts linked to personal data,

• cryptographic verification instead of logins and passwords,

• peer-to-peer calls instead of server-routed,

• ephemeral (encrypted and temporary) storage instead of long-term retention policies.

True ephemerality isn’t a setting you turn on – it’s what the system offers you by default, because it was built this way.

How EXTRA SAFE Applies Data Minimisation in Practice

Data minimisation looks different depending on how you use EXTRA SAFE, but the principle is the same.

1. Anonymous identity:

• Mobile app: an anonymous EXTRA SAFE number; no real-world identifiers (e.g., email address or phone number) are required to use the app,

• Browser Lite: session-based identity, no sign-up or software downloads.

2. Chats:

• messages and files shared in the standalone chats are auto-deleted on your timer by default, and are never stored afterward,

• end-to-end encrypted – only you and the other person can see it.

3. Calls:

• peer-to-peer by default: the direct device-to-device connection for voice and video streams,

• in-call chat messages are encrypted and deleted immediately after the session.

4. Metadata:

• high-level,

• non-identifying,

• aggregated,

• never used to build user profiles.

This isn’t about trusting policies. It’s about making sure the platform simply can’t collect more than it needs.
For a detailed breakdown of how these principles are implemented across the system, see the complete Data Minimisation Statement.

Why This Matters for Your Safety And Privacy

For users, data minimisation – less stored data – means:

• smaller breach impact,

• fewer legal and coercive risks,

• no profiling or analyzing your past activity.

The simplest rule still applies: data you never create can’t be leaked, sold, or misused later.

Data minimisation isn’t about doing less. It’s about designing systems that can’t accumulate power over users.

That’s what EXTRA SAFE is built on, and why, by design, it doesn’t know who you are.

Try it now: download the app for iOS and Android. Prefer desktop? Start a video chat from your browser at extrasafe.chat