Download

FAQ

Frequently asked questions about Umbrella X · Last updated April 19, 2026

Practical answers to the questions people ask most often. For the formal versions of any of this, see the Privacy Policy and the Terms of Service. If your question is not here, write to support@umbrellax.io and a person will reply.

We do NOT scan your messages. We do NOT report to authorities automatically. Moderation acts only on reports from a specific user. NCMEC reporting requires verified victim-side standing. The full privacy pledge is published on our warrant canary page.

General

What is Umbrella X?

Umbrella X is a private messenger. You install the app, generate an account (no phone number required), and chat with people. Your account is identified by a cryptographic key pair that the app generates on your device — the private key never leaves the device, and we never see or store it. Every chat runs in one of two modes. Cloud mode (the default) is convenient — messages sync across your devices, bots work, groups scale up to two hundred thousand, channels reach millions — and we still cannot read your messages, because the keys are split across five sealed key servers in five countries under a 3-of-5 threshold and we destroyed our own administrative access to them in a notarised, publicly verified ceremony (the "master key destroyed and publicly verified" commitment). Secret mode (opt-in per chat) is pure end-to-end encryption with MLS (Messaging Layer Security, IETF RFC 9420) — keys never leave the participants' devices, even our sealed servers never see them, at the cost of not syncing to other devices and a smaller group size. You choose the mode when you start the chat. The Service is built and operated by UmbrellaX TOO, a small team registered in the Republic of Kazakhstan under BIN 260440006927.

Is Umbrella X free?

Yes. The app and the basic Service are free of charge. We do not show advertising and we do not sell user data. The bills are paid by the founders for now; if we ever introduce a paid feature, it will be optional and the basic messenger will stay free.

Where are your servers located?

UmbrellaX TOO is a Kazakhstan company, but your data physically lives in one of three regional cells, auto-assigned at sign-up based on where you are: Cell EU in Germany (Hetzner, for СНГ, Iran, Turkey, and the European Union — GDPR applies), Cell UAE in Dubai (for the Middle East and South Asia), or Cell BVI in the British Virgin Islands (for everyone else, offshore default). We deliberately do not store СНГ user data in Kazakhstan — the separation between company jurisdiction (KZ) and data residency (EU) protects you if local law shifts. Push notifications briefly transit Apple (APNs) and Google (FCM); the payload is an encrypted wake-up ping, not your message content. See section 7 of our Privacy Policy for the full framing and how to migrate cells.

How is Umbrella X different from WhatsApp, Signal, or Telegram?

Same family, different priorities. Like Signal, we treat message privacy as the first design constraint and we collect almost nothing — the modern MLS protocol (IETF RFC 9420, ratified in 2023, used in production by Wire, Cisco Webex, and others) powers our Secret-mode chats, and a hybrid of classical X25519 plus NIST-ratified post-quantum ML-KEM-768 protects every chat from day one against "harvest now, decrypt later" attacks. Unlike Signal, we do not require a phone number to register — your account is a cryptographic key pair; a phone is an optional add-on stored only as a one-way cryptographic fingerprint if you want to be findable by contacts — and we also offer a Cloud mode that keeps the conveniences of a normal messenger (multi-device sync, bots, groups up to two hundred thousand, channels) without letting us read your messages: the per-conversation keys are split across five sealed key servers in five countries and we have no administrative way to retrieve them. Unlike WhatsApp, we are not owned by an advertising company and we do not link your messenger usage to a parent platform. Unlike Telegram, we cannot read even your ordinary (cloud) chats — Telegram's cloud chats are server-side encrypted with keys Telegram controls, ours are sealed so that we physically cannot unwrap them. We are a smaller team and we make no claim to feature parity with any of these — we are focused on private messaging done well.

Your account

How do I sign up?

Install the app from the App Store or Google Play (or directly from umbrellax.io). Open it. The app generates a cryptographic key pair on your device and shows you a 24-word recovery phrase — write it down and keep it safe, this is the only way to restore your account on another device. The app then asks you to confirm 5 of those words at random. You pick a username (auto-suggested, you can change it) and you are done. No phone number, no email, no SMS. The whole process takes about a minute.

Optionally, after sign-up you can attach a phone number in Settings if you want friends with your number in their address book to find you. We store it as a salted hash, never the raw number.

What is the minimum age to use Umbrella X?

13 years old in most of the world. 16 years old in the European Union, the European Economic Area, and the United Kingdom (or the lower digital-consent age set by your country under Article 8 of the GDPR). If you are under the age of majority in your jurisdiction, you may only use the Service with the consent and involvement of a parent or guardian. We do not knowingly create accounts for anyone below the applicable minimum age, and we delete the account if we discover one was created.

How do I add, change, or remove my phone number?

Your account is not tied to a phone number — the phone is an optional add-on for contact discovery. In Settings → Account → Phone Number you can attach one (confirm with an SMS code, then the number is hashed and the plaintext discarded), replace the attached number with a different one (same flow), or remove it entirely. Removing the phone number deletes the hash and the account stays intact — your chats, groups, and history are unchanged.

How do I delete my account?

From inside the app: Settings → Account → Delete Account. The request is signed with your private key on the device, so we know it is genuinely you without any SMS or email verification. If you have lost the device but still have your 24-word recovery phrase, you can restore the account on a new device and delete it from there — no support ticket needed. If you attached a phone number, a deletion-by-SMS path is also available as a secondary option. If you have lost both the device and the recovery phrase and did not attach a phone, we cannot verify that the deletion is coming from you, so we cannot act on it — this is the honest trade-off of an account system with no central password reset. Full step-by-step instructions and what we delete are on the Account Deletion page.

Can I recover a deleted account?

No. Deletion is immediate and final on our side — there is no tombstone, no holding period, no "I changed my mind" window. The moment you confirm, your account record is gone and we cascade a delete-conversation command to your contacts' apps. We do this on purpose: a recovery window would mean we kept your data "just in case" for some period, which contradicts our privacy posture and would create a target for legal demands during the holding window. The deletion confirmation flow asks you to type your username explicitly to prevent accidental taps, but once confirmed there is no undo. If you change your mind a minute later, you can register a fresh account on a new key — but the old account, history, and your zone share of the phone fingerprint are gone for good.

Privacy and security

What does end-to-end encryption mean, and what's the difference between your two chat modes?

Traditional end-to-end encryption means the content of your messages is scrambled on your device using a key that only the participants have, and the scrambled version travels through our servers without us ever seeing the key. That is how our Secret mode works, using MLS (Messaging Layer Security, IETF RFC 9420), the modern international standard ratified by the IETF in 2023 and used by Wire, Cisco Webex, and other privacy-focused messengers. Secret chats live only on the device that created them; they do not sync to your other devices because the keys physically do not exist anywhere except on those devices.

Our default Cloud mode takes a different route to the same result. Messages are encrypted on your device with a per-conversation key; the key itself is then split across five sealed key servers in five different countries (Germany, Finland, Netherlands, UAE, British Virgin Islands) under a 3-of-5 threshold, and our administrative access to those sealed servers was destroyed in a notarised ceremony — we describe this as the "master key destroyed and publicly verified" commitment. When you open a chat on any of your authorised devices, three of the five sealed servers independently verify your device's signature and hand pieces of the key directly to that device; our normal cloud stack only ever holds ciphertext and a wrapped key it cannot unwrap. The practical effect is the same as end-to-end encryption — we cannot read your messages and a court order for content has nothing to give — but Cloud mode lets multi-device sync, bots, and very large groups work, which pure E2E cannot.

You pick the mode when you start a chat. Every chat is one mode or the other; you cannot convert an existing chat between modes (the underlying key architecture is different), but you can always start a new chat in the other mode with the same contact. Regardless of mode, every key exchange uses a post-quantum hybrid (X25519 combined with NIST-ratified ML-KEM-768) so that ciphertext captured today stays unreadable even against future quantum attackers. Calls in either mode are always end-to-end encrypted.

What data does Umbrella X collect about me?

The smallest amount we can. Your public cryptographic key (generated on your device — we never see the matching private key). A username (auto-suggested, you pick it). A region of storage (one of three values: EU / UAE / BVI) so your data lives physically close to you; we do not store the country itself, only this region. Optional display name, avatar, and bio stored end-to-end encrypted (only your contacts can decrypt; section 2.5). Optional one-way cryptographic fingerprint of your phone number if you want contacts to find you — never the raw number, never a reversible hash. Brief envelope information for messages in transit (sender address, recipient address, time, size — like a postal envelope), discarded as soon as the delivery is finished, typically minutes. Notification address issued by Apple or Google to wake your device. Short device-authenticity proof (Apple App Attest, Google Play Integrity, or WebAuthn) confirming you are not a script. App version and operating system for compatibility and security updates. That is the complete list. We do not collect your IP address, your email, your real name, your country, your address book in plaintext, your precise location, your browsing history, advertising identifiers, or biometric data. The full description with retention periods is in section 2 of the Privacy Policy.

Can governments read my messages?

The content of your messages, no — it is end-to-end encrypted and we do not have the keys, so we cannot hand it over even if compelled. Your IP address, no — we do not store IP addresses at all, so a court order asking for "the IP history of user X" is something we cannot answer because we do not have it. Your phone number, no — we do not store numbers or reversible hashes; we only store a one-way cryptographic fingerprint, and a subpoena asking "is this phone number a user?" is physically unanswerable by us without the user's own authenticated device (see ADR-22 in our technical docs). Your display name or avatar, no — they are end-to-end encrypted in a profile blob we cannot decrypt (unless you chose the optional "Public profile" mode, in which case they are public by your own choice). The envelope information of your messages (sender address, recipient address, time, size — like the address on a postal envelope), almost never — we discard it within minutes of delivery, so a request for "who did X chat with last week" finds nothing because nothing was kept. We do not have a backdoor and we will not build one. If you want a more formal account of how we handle law enforcement requests, see section 6 of the Privacy Policy, and for a per-request public log of every demand we have received, see the Transparency Log.

Who can see my display name and avatar?

By default, only the people you have mutually added as contacts. When you set your display name or upload an avatar, your device wraps them in a sealed envelope using a profile key that never leaves your phone (it is backed up inside your 24-word recovery phrase, never on our server). We store the sealed envelope; we cannot open it. Whenever you add a contact (mutually — both sides agreed), your device hands that contact a copy of the profile key through a secure channel, so their app can decrypt your card and show your name and avatar. People who look you up by username but have not been added as contacts see only the handle like @bright_falcon_42, not your name or photo. If you are a blogger, journalist, business, or channel operator who deliberately wants public visibility, go to Settings → Privacy → Public profile and confirm the on-screen warning; from that moment your name and avatar become visible to anyone searching you. You can revert to "Contacts only" at any time; screenshots already taken cannot be undone. See ADR-21 in our technical docs.

Does the other person see my IP address during a call?

No, by default. Voice and video calls default to routing through our relay (TURN server), which forwards encrypted packets between the two of you without revealing either party's IP to the other. Added latency is about 50–100 milliseconds compared to a direct connection — imperceptible for voice. If you want the minimum possible latency and accept that your IP will be exposed to the other participant, turn on "Fast direct calls" in Settings; the app will show a warning before the first direct call. For high-stakes conversations (journalist-source, lawyer-client, activist coordination), turn on "Maximum call privacy" — your call goes through two relays in two different jurisdictions, so neither relay alone knows the "caller ↔ callee" association. The per-contact override lets you mark a specific chat as "sensitive contact" and always use the strongest mode for that one contact, even if your global setting is relaxed. Group calls (3+ people) always run through a Selective Forwarding Unit that architecturally hides every participant's IP from every other participant. See ADR-23.

How long do you keep my data after I delete my account?

Essentially, we do not. When you confirm account deletion, every trace of you on our servers is purged in the same moment — account record, end-to-end encrypted profile, every reference to you in any other user's envelope information, any ciphertext still queued for delivery, your notification address, your device-authenticity proofs, your zone share of the phone fingerprint. No tombstone, no recovery window, no holding period. Your public Ed25519 key is mathematically unique (256 bits) — there is no replay risk that requires us to remember "this key was once used". Your account is gone. We also automatically cascade a delete-my-conversation command to every one of your contacts' apps — their app removes its local copy of your conversation without further dialogs (online contacts get the command immediately; offline contacts get it the next time they open the app). What we cannot do, honestly: erase screenshots, forwarded copies, or backups your contacts may have stored to iCloud or Google — those are outside our reach and we say so plainly rather than pretend otherwise. So: removal is immediate and total on our side, and propagated everywhere we technically can; what survives is what physically lives on devices we do not control.

How do I report a security vulnerability?

Email security@umbrellax.io with a clear description of what you found, how to reproduce it, and any proof-of-concept code or screenshots. We respond as fast as we can and treat responsible disclosure as a contribution to the project, not an attack. If the issue is genuinely urgent (active exploitation) say so in the subject line.

Does Umbrella X have backups?

We keep encrypted backups of operational systems for up to 30 days for disaster recovery (shortened from 90 days in April 2026 as part of our aggressive retention policy — see ADR-24), then they are overwritten on the regular schedule. We do not back up the content of your messages because we cannot — we never had it in plaintext. The app may offer you, separately, a personal backup option that you control with your own passphrase; if that is enabled, the backup is encrypted on your device with that passphrase before it leaves the phone, and we cannot decrypt it.

Can I use Umbrella X on more than one device?

Yes, up to ten devices at the same time. Install the app (or open the web client) on a second device, pick Link to an existing account, and the new device shows a QR code containing its freshly generated device key. On your primary device, open Settings → Devices → Link new device and scan the QR. Your primary signs the new device's public key with your account key and registers the authorisation with our directory service; the new device then asks the five sealed key servers for the keys to your Cloud-mode chats, and — after the servers check that the new device is indeed authorised — three of them hand pieces of the keys directly to the new device. After a few seconds your history is visible on the second device and new messages arrive on all authorised devices at once. You can see, rename, or remove devices at any time from Settings → Devices; a device you have not used for 90 days is revoked automatically as a safety measure.

Why don't my Secret chats appear on my other devices?

Secret chats exist only on the devices that were part of the chat when it was created, because pure end-to-end encryption means the keys were generated on those devices and never written down anywhere else. There is no server-side copy of the key to hand to a new device — that is the whole point of the mode. If you want the same conversation on a second device, start a new Secret chat with the same person from that device. If you want a chat that does follow you across devices, use Cloud mode instead: Cloud chats work on every device you link because the five sealed key servers can hand the keys to any authorised device on demand. Losing the only device where a Secret chat lived loses that chat — we cannot restore it even if you want us to.

What happens if I lose my phone?

If you have written down your 24-word recovery phrase, install the app on a new device, choose Restore from recovery phrase, and enter the 24 words. The recovered device waits 48 hours before taking over as your primary — that grace period exists so your existing devices have a chance to cancel the recovery if they detect it is not you. After the grace period, the five sealed key servers hand the keys for your Cloud-mode chats directly to the new device and your history loads from the cloud. Secret chats cannot be restored because their keys only existed on the lost device. If you have not written down your recovery phrase and have no second device currently linked, the account is not recoverable — we deliberately have no customer-support password-reset path, because any such path would be a back door we could be compelled to use.

Safety and moderation

How do I report abusive content or users?

From inside the app, long-press the message (or right-click on desktop), tap Report, choose a category (spam, harassment or abuse, illegal content, child sexual abuse material, impersonation or scam, other), add an optional comment if it helps, and tap Submit. The report goes to a human reviewer on our Trust & Safety team. If you cannot use the in-app flow (because you uninstalled the app, for example), email abuse@umbrellax.io with the offending account's phone number or username, the type of violation, and a short description.

How do I block someone?

Open the chat with the user, tap their name at the top to open their profile, and tap Block User. Or, from any message they sent you, long-press and choose Block. Blocking is instant, you do not need to wait for anyone to review anything, and the blocked user is not told that you blocked them. After they are blocked they cannot send you messages, see your online status or last-seen, or create new chats with you. To unblock, go to Settings → Privacy → Blocked Users.

What happens after I report?

Every report is reviewed by a human. You get an acknowledgement within 24 hours and a decision within 7 calendar days for routine cases. Reports involving child sexual abuse material are reviewed 24 hours a day, 7 days a week, with action typically taken within hours. Credible threats of imminent physical harm are also treated as urgent and reviewed around the clock. If we take action against an account, the affected user can appeal within 14 days as described below.

Can I appeal a ban?

Yes, in most cases. Write to appeals@umbrellax.io within 14 days of the action. Include the phone number on the account, the approximate date and time of the action, and a brief explanation of why you believe the decision was wrong. We aim to respond within 7 days. If we agree the action was wrong, we reverse it. If we do not agree, we tell you why. Appeals are not available for permanent bans related to child sexual abuse material or for accounts banned as a result of a lawful order from a competent authority.

How do you handle child safety reports?

Zero tolerance, no exceptions. Accounts found to be sharing or soliciting child sexual abuse material are permanently banned on first offence. The content is deleted from our servers and its perceptual hash is stored so the same file cannot be re-uploaded. A report to the National Center for Missing and Exploited Children (NCMEC) is filed only at the explicit request of the victim or their legal representative, and only after our legal team verifies the requester's identity and standing. A single in-app checkbox click does not trigger a NCMEC report; the click creates a verification ticket, our legal team contacts the requester and asks for documents proving they are the victim, the victim's parent or guardian, the victim's lawyer, or a law enforcement officer with an active case. Only after that verification do we file. Documents and the dedicated channel are at /victim-portal. We do not perform automated reporting because doing so would identify victims to authorities without their consent and would expose accused users to investigation on the strength of an unverified click. The minimum data required to support a verified victim-requested report, and no more, is preserved. CSAM reports themselves (in-app or by email) are reviewed around the clock, every day of the year; the verification step for NCMEC adds a few days but happens in parallel with the immediate content removal and account ban.

Website

Does umbrellax.io use cookies or trackers?

The website stores two small items in your browser's local storage and that is the entire list. theme remembers whether you last chose light or dark mode, so the page does not flash the wrong colour on reload. lang remembers your language preference on the landing page. Both are stored on your device only and never sent anywhere. We do not use Google Analytics, Facebook Pixel, session replay, third-party widgets, or any other tracking. Our fonts are self-hosted. Because everything we store is strictly necessary to remember your own choices, we do not need a consent banner under the GDPR and we do not have one. The full version of this answer is section 10 of the Privacy Policy.

Why is the site dark by default?

Design choice. Most people who visit the site visit it on a phone in the evening, and a dark interface is easier on the eyes in low light. If you prefer light mode, click the sun icon in the header — your choice is remembered for next time.

What languages does the site support?

78. The landing page auto-detects your preferred language from your browser settings and falls back to English if your language is not in the list. You can also pick a language manually from the dropdown next to the theme switch. The language selector affects only the landing page interface; the policy and FAQ pages stay in English so that the legal text has a single canonical source.

Still can't find an answer?

Write to support@umbrellax.io for general questions, privacy@umbrellax.io for privacy-specific ones, legal@umbrellax.io for legal or contract matters, and security@umbrellax.io for security disclosures. A real human reads the inbox.