Messenger privacy and security

Equipment trading conversations have real money attached, and your messages can include contracts, prices and counter-offers. This page is the honest description of who can see what — what Haubot guarantees, what it doesn't (yet), and the policies behind both.

Who can see a chat

Only the people in the chat. Specifically:

• Direct messages — both participants.
• Listing inquiries — both participants (the buyer who asked, the seller who owns the listing).
• Group chats — every active member. People who left the group cannot see new messages, but they keep what they saw before they left in their own client copy.
• Saved Messages — only you. Always.
• Support threads — you, plus the support staff member who joined. Support agents must explicitly join a chat to see it; we don't have a "read every chat" admin view.

A platform admin cannot read your chats by default. Admins can join a conversation as a support agent — at which point you'll see them appear in the chat header and a system notice will appear in the thread. There's no silent observation.

How authentication works

Every connection to the messenger is authenticated. Concretely:

• Each browser tab opens a dedicated WebSocket connection for realtime messages.
• That connection sends your sign-in token immediately on opening — no token, no connection. There's no "anonymous read".
• If your token is invalid (expired, revoked, signed-out elsewhere), the connection is rejected and your client falls back to a 5-minute safety-net poll. Re-signing in fixes it.
• The connection is permitted only from the official Haubot domains. A malicious page on another website cannot open a hidden tab and tap into your messenger — the server enforces an origin allow-list.

If you're worried about your account being signed in somewhere you don't recognise, the active sessions view in Account & security lets you sign each session out individually.

Voice calls and SecureCall

The messenger has two voice-call modes (see Voice calls and SecureCall for the full mechanics). The privacy properties of each:

Regular voice call

• No recording, ever. The audio is relayed between the two participants and discarded as soon as the call ends. Nothing is stored on Haubot's servers beyond the lifecycle metadata (when it started, when it ended, who hung up).
• Transport is encrypted.
• A platform admin cannot drop into an active call. There is no "monitor mode".

SecureCall (recorded)

SecureCall is the one place in the messenger where we deliberately store more about a conversation than the bare metadata — that's the whole point of it. The guarantees:

• Both sides consent before recording starts. The caller sees the consent dialog when they pick Secure call; the callee sees the same disclosure on the incoming popup. Accepting is consent. There is no silent recording; if either side refuses, no recording exists.
• Both parties have equal access to the recording. It is mirrored to both. You don't have to ask the other person to share it — it's already in your Calls tab too.
• Neither party can edit or delete a recording. There is no UI for either operation. A SecureCall is an honest, shared record. If you regret what you said, you regret it on the record.
• Recordings are stored on Haubot's servers, not pushed through a third-party recording vendor.
• Playback and download URLs are short-lived and scoped to you. When you press play on a Calls-tab entry, the server signs a URL valid for a few minutes; if you copy and share that URL it'll expire by the time anyone else opens it. To share a recording outside Haubot, use the download button and share the file itself.
• Recording status is visible. A SecureCall in flight shows a Recording badge on the call popup for the whole call. There's no "I forgot we were recording" failure mode — the badge is always there.

The only platform-level paths that can remove a SecureCall recording are:

• A failure during upload or processing — surfaced as the Failed status in the Calls tab; nothing is hidden.
• A legal compulsion — if a court properly orders deletion, we comply, the same as for any other piece of user-generated content. We'll tell you about it where we're permitted to.

If you need confidentiality stronger than this — say, an NDA conversation where you don't want a recording to exist on any server — use a separate end-to-end-encrypted channel for that conversation. SecureCall is built to be a faithful shared record, not a secret.

Per-event authorisation

This is a small detail with big practical effect.

Every realtime update — a new message, a deletion, a "marked as read" notice — is authorised individually before being sent to your client. So:

• If the admin removes you from a group while you have the chat open, you stop receiving updates immediately. You don't have to refresh; the very next message someone posts is filtered out before it ever reaches your tab.
• If a chat is archived or its access changes mid-session, the same applies.

We do this because authorisation that's only checked once at "connection time" is brittle: it's good for the first second of a session and stale for the next eight hours. Per-event checks keep the model simple and trustworthy.

What Haubot does not do with your messages

Plain language:

• We do not sell, share, or publish your message content.
• We do not read it for advertising. There is no advertising in Haubot.
• We do not train AI models on your messages. If we ever change this we will say so loudly and you'll be able to opt out.
• We do not push your messages through third-party message brokers (Twilio, Sendbird, Pusher, etc.). The transport is our own infrastructure.

What we do do:

• Store messages and attachments in our own database and object storage so the search and media library work, and so you can come back to a six-month-old conversation and find what you wrote.
• Apply spam and abuse heuristics — automated, not based on a human reading your chats. We don't have an "open this user's inbox" button on the staff side.
• Honour legal requests if they're properly served. If law enforcement compels disclosure, we follow the law, but we'll tell you about it where we're permitted to.

What's NOT yet end-to-end encrypted

Honest disclosure: Haubot Messenger is not end-to-end encrypted as of v1.

• Transport is encrypted (TLS) — nobody on the network between you and our servers sees the content.
• Storage is encrypted at rest at the disk level.
• But the database contains plaintext messages, which is what makes search and the media library work.

If you need the strongest possible secrecy for a particular exchange (like a final price negotiation under NDA), use a separate E2E-encrypted channel for that one conversation, and use the messenger for everything around it.

We're tracking E2E as a long-term goal — it'd require fundamentally rebuilding the search and media tools as client-side operations. We'll write a separate page when there's a path forward.

Blocking another user

If you don't want to hear from someone, you can block them. The block is one-directional — you block them, no admin involved.

Where to do it. Open a 1-on-1 chat with the person and use the Block user action in the Privacy footer at the bottom of the info panel. You can also reach the same control from a counterparty's profile.

What happens when you block someone:

• They can't send you direct messages anymore — the send-side is enforced by the server.
• You don't get notifications about them (their posts, mentions or related activity stop poking your bell).
• Group chats you both belong to are unaffected. The block is for direct messaging and notification noise, not a platform-wide exile. If you want out of a group, leave the group.
• Existing chat history stays in your inbox as-is — we don't retroactively delete what was said.

What happens when the other person blocks you:

• Trying to send them a new direct message will fail server-side. We don't reveal a specific "you have been blocked" reason; the message simply won't go through. This is deliberate — surfacing the block detail makes it a tool for harassment.
• The existing chat history stays visible in your inbox.

Managing your blocked list. Click the small shield icon at the top of the conversations list (left rail). A Blocked users modal opens with every person you've blocked. Each row has an Unblock button; unblocking is instant and restores normal DM and notification behaviour.

If a block isn't enough — harassment, fraud, a clearly malicious counterparty — that's the time to contact support. Blocking handles the day-to-day "don't ping me"; support handles things that need an admin in the loop.

What happens to your messages when…

…someone deletes their account

The user's account is soft-removed from your view (their name shows as a placeholder), but the messages they sent stay in the chat as a record of the conversation. We don't retroactively rewrite history — what was said was said.

…you delete your own account

Your account is soft-deleted. Your name in old chats is replaced with a placeholder; the messages themselves remain visible to other participants because they're part of their record too. Attachments stay; we don't blanket-purge them because forwards and group history depend on them.

If you want full removal beyond soft-delete, contact support — there's a procedure for harder deletion that we'll walk you through on a case-by-case basis.

…a group is dissolved

Groups don't formally "dissolve" in v1. The closest thing is everyone leaves; the chat then sits in your Left groups archive on the staff side but isn't visible in any active inbox. Messages from before are still in the soft-archived state.

Recap

• Only people in a chat see the chat. Admins must join explicitly to see anything; you'll be told.
• The connection is authenticated; per-event re-checks make removed members stop receiving updates instantly.
• Voice calls aren't recorded. SecureCall is recorded with explicit consent on both sides, both parties get the same file, and neither can edit or delete it.
• Content stays in Haubot. We don't share, sell, train on, or broker your messages.
• Transport is encrypted; storage is plaintext (so search works). E2E is on the roadmap, not in v1.

If you have a specific concern that isn't covered here — about a chat, a counterparty, an attachment, a session — write to support and an admin will look at it.