Privacy

Your number. Your data. Full stop.

pingwa exists to text one phone: yours. Here is exactly what that means for your data — stated plainly, and checkable in the open-source client.

What we never do

  • We never log message text. Logs carry only internal ids (user_id, message_id, billing class) — never the body of what you send.
  • We never log your API key or your phone number. Not in request logs, not in error traces.
  • We never store your API key in plaintext — only its SHA-256 hash. A leak of our database does not leak a usable key.
  • We never send analytics or your data to third parties. There is no tracker, no ad SDK, no data broker.
  • We never message anyone but you. There is no "recipient" field; pingwa can only text the number that joined.

What we do store

  • Your phone number (to know where to send) and account settings.
  • Passwords, if you set one, hashed with argon2id — never reversible plaintext.
  • Message metadata and content you send through the API, so history and the 24h reply window work. You can erase all of it (below).
  • Monthly usage counters for billing/quota.

How your number is verified

Only by a message you actually send from WhatsApp — texting join, or verify <code>. A number is never taken as self-reported. Reply stop at any time and sending is hard-disabled immediately.

Where your data lives

On the operator's own homelab hardware — not a public cloud, not a SaaS backend. The only outbound connections pingwa makes are to Meta's WhatsApp API (to actually deliver your message) and to Stripe (only if you upgrade to a paid plan). Nothing else leaves the box.

Deleting your data

Two levels, both in your hands:

  • Pause: reply stop on WhatsApp — sending is disabled, your account is kept so you can re-enable with join.
  • Erase: call DELETE /v1/me with your API key — your account and all associated data (messages, usage, idempotency records) are permanently deleted. Irreversible; a new join starts fresh.

Open by design

The client you run (CLI + MCP server) is open-source under the MIT license, so every claim on this page about what leaves your machine is auditable. See About for who runs this and how to reach them.

Plain-text version for agents: /privacy.txt