Communications Privacy

WIGGWIGG is a zero-knowledge platform. We wish we could check less of your communications, but telecommunications regulations require certain safety checks. Here's exactly what we must do--and how we minimize data collection.

Not Our Choice

Regulatory Requirements for Phone Services

Canadian (CRTC) and US (FCC) telecommunications regulations require all phone service providers to check for safety issues. This isn't optional--carriers will block services that don't comply.

Prevent Illegal Content

CSAM Detection

Everyone

Federal law requires phone service providers to have systems in place to detect and report child sexual abuse material when found.

Fraud Prevention

Everyone

Detect and block SMS phishing attempts and scams.

Spam & Abuse Prevention

SMS Spam Filtering

Personal (P2P)

Identify bulk messaging and commercial spam patterns.

SHAFT Content Rules

Business (A2P) - Future

SHAFT (Sex, Hate, Alcohol, Firearms, Tobacco) keyword filtering required by carriers for business messaging. Will apply when we launch business features.

What We Must Keep

Metadata Retention

Everyone

Call/SMS timestamps and phone numbers--required for billing disputes and legal requests.

Emergency Services (911)

911 calls only

Free built-in E911 on every <span class="brand-name">WIGGWIGG</span> number. Your encrypted address is registered with Telnyx and shared with 911 dispatchers during emergency calls only. <a href="/en/features/e911/">See how E911 works on <span class="brand-name">WIGGWIGG</span></a>.

Personal (P2P)

Person-to-Person

Light filtering for personal messages only

Business (A2P) - Future

Application-to-Person

Stricter rules for business/automated messages only. NOT your personal texts

Important Legal Context

These are not WIGGWIGG policies. They are regulatory requirements for operating phone services in North America. We do the minimum required by regulators.

Privacy-First

How We Minimize Data Collection

We check only what's legally required and store nothing beyond what we must keep.

Zero-Knowledge Storage at Rest

SMS Messages

Messages transmitted through standard phone networks (visible to carriers like all SMS, unavoidable for any phone service that interoperates with the public network). Once received, content is sealed with your X25519 public key on Canadian servers using elliptic-curve key agreement plus XChaCha20-Poly1305 authenticated encryption. A fresh ephemeral keypair is generated for every message and discarded immediately, so each stored message has its own forward-secret seal. Only your device can open it. We can't decrypt SMS content at rest, even if asked.

MMS Images

Images screened for illegal content (CSAM detection, malware scanning) before storage. The image is then sealed with your X25519 public key using the same per-message ephemeral keypair as SMS, so even a future key compromise cannot decrypt past media. Only your device can open them. We can't decrypt your photos at rest, even if asked.

Voicemail Audio

Recorded on Telnyx servers for a few seconds, then pulled to our Canadian servers, sealed with your X25519 public key (audio + transcript both forward-secret), and deleted from Telnyx. We can't decrypt voicemails at rest. Only your device can play them back.

Automated Systems Only

No Human Review

Your communications aren't seen by WIGGWIGG staff.

No AI Training

We don't use your data to train machine learning models.

No Marketing Analysis

Zero profiling, targeting, or behavioral tracking.

What We Don't Do With Your Communications

No Live Call Recording

We never record your live phone conversations. Voicemail is only saved when you explicitly choose to enable it, and you control when recordings are deleted.

No Contact List Access

We don't access your device contacts or build relationship graphs. Who you communicate with stays private.

No Location Tracking

Your location is only shared during 911 emergency calls as required by law. We don't track where you are otherwise.

No Behavioral Profiling

No marketing analytics, ad targeting, or behavioral tracking. We don't profile your communication patterns or sell your data.

No Third-Party Sharing

Your communications content is never shared with advertisers, data brokers, or analytics companies. We only share what's legally required (court orders, emergency services).

Our Commitment

What Remains Zero-Knowledge

Everything else about your WIGGWIGG account uses zero-knowledge encryption.

Identity Information

Names, birthdates, addresses, notes--all encrypted client-side.

Saved Passwords

Your password vault is encrypted with keys only you control.

Personal Details

Organizational data, tags, highlights--encrypted before upload.

Account Settings

Preferences and configurations encrypted server-side. We can access these for support purposes.

Privacy Commitment

Your identity data, vault, and communications content (SMS, MMS, voicemail) all use zero-knowledge encryption at rest. Once stored, only your device can decrypt them. Inbound communications use X25519 elliptic-curve key agreement with a fresh ephemeral keypair per message, so each stored message has its own forward-secret seal: even a future compromise of your private key cannot decrypt past messages. We scan SMS/MMS for safety in real time as required by law, then seal the content with your key. Carrier-network transit (SS7/SIP) is unavoidable for phone services and is visible to carriers like all SMS. We minimize what we collect to the legal minimum.

Learn more about how we protect your data at rest: Application Security

See how the inbound spam filter works (and how you control it): Spam Filter

Common Questions About Communications Privacy

Why do carriers need my call metadata?
Carriers (like Bell, Rogers, AT&T) must have call detail records to bill you accurately and route calls correctly. This is required by telecommunications regulations in both Canada (CRTC) and USA (FCC). Think of it like your internet provider needing to know which websites you visited to route traffic--they can't deliver calls without knowing from/to numbers. This is true for every phone service, not unique to WIGGWIGG.

Can I avoid carrier data collection?
No. Call detail records are inherent to how telephony works (SS7/SIP protocols). Even end-to-end encrypted messaging apps like Signal must use carrier infrastructure to send data, meaning carriers see connection metadata. The best you can do is choose services (like WIGGWIGG) that minimize what the application layer stores, but carrier routing is unavoidable for phone calls and SMS.

Why can't you make phone services fully zero-knowledge?
Telecommunications laws in Canada (CRTC) and USA (FCC) require real-time content checks for safety and fraud prevention. Phone/SMS services must comply with carrier regulations that mandate spam filtering and CSAM detection. We can't end-to-end encrypt SMS in transit (telco protocols predate that), but our stored copy is already zero-knowledge: sealed with your key, decryptable only on your device. For end-to-end privacy in transit too, use Signal or WhatsApp with your WIGGWIGG phone number.

Do CASL and SHAFT rules apply to my personal texts?
No. CASL and SHAFT are A2P (Application-to-Person) rules for businesses sending automated/marketing messages. If you're using WIGGWIGG for personal calls and texts (P2P), these don't apply to you. We only check for basic spam patterns and illegal content on personal messages. Those checks run in memory at receive time; we never persist a plaintext copy. When we launch business features, those identities will be subject to A2P rules including CASL opt-in requirements and SHAFT content restrictions.

Do you read my messages?
No. Scanning is automated and real-time. No human ever sees your communications unless you report abuse or request support. Our systems check for spam patterns and illegal content using algorithms, not people. Imagine it like airport security scanners: automated systems check bags, but TSA agents don't manually inspect every item unless the scanner flags something.

Does Telnyx see my message content?
Telnyx is our telecommunications infrastructure provider. As a carrier, they process calls and messages for routing and delivery. Content moderation (spam and safety checks) happens on our servers before delivery.

What happens if I delete my identity?
When you delete an identity from WIGGWIGG, we immediately remove all associated data (contacts, settings, metadata). However, data already sent to carriers (call detail records) remains with them per their retention policies (6-24 months). This is similar to deleting your email account--past emails already delivered can't be 'un-sent' from recipients' servers.

Why 90 days retention? Why not less?
90 days balances privacy with practical needs: billing disputes typically surface within 60 days, and carriers require us to retain delivery confirmations for troubleshooting. We chose 90 days (vs industry standard 6-12 months) as the minimum viable window. If you need immediate deletion, you can delete your identity which purges data early.

Can law enforcement access my communications?
With a valid warrant, law enforcement can request metadata from us (90 days), carriers (6-24 months), and Telnyx. We do NOT store call audio. SMS, MMS, and voicemail content are stored zero-knowledge (sealed with your X25519 public key, with a fresh ephemeral keypair per message). We can produce the encrypted bytes under legal compulsion, but the decryption key is on your device, so we cannot read the content ourselves. The forward-secrecy property means even producing your private key on a future warrant cannot decrypt past messages: the per-message ephemeral keys were discarded when the message was sealed. If carriers or providers stored content during transit, it may be accessible through them separately. We comply with lawful requests but fight overly broad warrants.

What about emergency services (911)?
Emergency calls (911 in USA, 911/988 in Canada) bypass all content moderation and privacy features to ensure immediate connection. Location data is shared with emergency services as required by law. This is a safety feature--lives come first. Emergency call metadata (location, timestamp, duration) may be retained longer than standard 90-day retention as required by telecommunications regulations for public safety purposes.

Ready for Secure Communications?

Get started with WIGGWIGG and keep your personal life separate with enterprise-grade security.