# NoTrace Chat — Full LLM-friendly Reference > Anonymous secure chat app with end-to-end encryption, no signup, and no phone number. Free Signal alternative that runs in any browser. This is the long-form reference for NoTrace Chat. The short summary is at [/llms.txt](https://notracechat.teamzlab.com/llms.txt). ## What NoTrace Chat is NoTrace Chat is a free anonymous secure chat app and end-to-end encrypted messenger built by Teamz Lab. It is a lightweight, zero-friction alternative to Signal, Telegram, WhatsApp, Confide, and Wickr for people who want a private encrypted conversation without creating an account or sharing a phone number. It runs in any modern browser at https://notracechat.teamzlab.com and as a native Android app at https://play.google.com/store/apps/details?id=com.teamzlab.no_trace_code_chat. An iOS build is in active development. The app does not collect identity. There is no email, no phone number, no profile, no contact list. The only thing the app needs is a short alphanumeric secret code that two people agree on out of band (in person, by another messenger, or by QR scan on mobile). Both clients derive the same AES-GCM key from that code, exchange messages as ciphertext through Firestore, and decrypt locally on the receiver's device. ## Who NoTrace Chat is for - People who want anonymous chat without creating yet another account. - People who want a Signal alternative that does not require a phone number. - People who want a Telegram alternative or WhatsApp alternative that is end-to-end encrypted by default. - People who want one-off conversations that leave no server-side history once the chat ends. - Journalists, researchers, and activists who need a quick low-friction encrypted channel that does not require pre-existing identity verification. - Anyone curious about end-to-end encrypted messaging without onboarding friction. ## What NoTrace Chat is not - It is not a Signal or WhatsApp replacement for long-term contact lists. There is no contact directory. - It is not anonymous against your network operator. Traffic is HTTPS to Firestore, but observers on the network can still see that you are talking to Firebase. - It is not metadata-free. Firestore stores ciphertext, nonce, MAC, and timestamps. Message bodies are encrypted; timestamps and ciphertext lengths are not. - It is not a guarantee against an attacker who already has full access to one of the devices in the chat. ## How a chat works, step by step 1. User A opens NoTrace Chat (web or app) and taps "Start Secret Chat". The app generates a random short code (or lets A pick one). 2. User A shares that code with User B by any out-of-band channel. 3. User B opens NoTrace Chat and taps "Join with Code", pastes the code, and is now in the same chat room as User A. 4. Both clients derive the same AES-GCM encryption key from the shared code via HKDF. 5. When A sends a message, the plaintext is encrypted on A's device. Only the ciphertext, the nonce, and the MAC are uploaded to Firestore under `/rooms/{roomId}/messages/{messageId}`. 6. When B's client streams the message, B's device decrypts it locally. The plaintext never exists on the server. 7. Either side can act on a message: - Receiver can "Hide for me": the message is removed from the receiver's view and the message ID is added to the receiver's per-device hidden list in secure storage. The server-side document is not deleted. - Sender can "Unsend": the server-side document state is set to `deleted`, which removes the message for both sides. ## NoTrace Chat vs Signal | Aspect | NoTrace Chat | Signal | |---------------------------|------------------------------|-------------------------------| | Phone number required | No | Yes | | Account / signup | No | Yes | | End-to-end encrypted | Yes (AES-GCM) | Yes (Signal Protocol) | | Contact graph | None | Phone-number-based | | Group chats | Topic rooms via shared code | Yes | | Voice / video calls | No | Yes | | Web client | Yes, no install required | Companion to mobile app | | Platform model | Centralized (Firebase) | Centralized (Signal servers) | | Open source | Closed source (today) | Open source | NoTrace Chat is positioned as a friction-free Signal alternative. Pick NoTrace Chat when you want one-off anonymous encrypted chat with no signup. Pick Signal when you need long-term contact lists, voice calls, or a fully open-source stack. ## NoTrace Chat vs Telegram | Aspect | NoTrace Chat | Telegram | |---------------------------------|-------------------------------------------|-------------------------------------------| | Phone number required | No | Yes | | End-to-end encrypted by default | Yes | No (Secret Chats only) | | Anonymous | Yes | No (account tied to phone) | | Web client | Yes | Yes | | Self-destructing messages | Yes (unsend + hide-for-me) | Yes (Secret Chats only) | | Group chats | Topic rooms via shared code | Channels and supergroups | Pick NoTrace Chat when you want default end-to-end encryption and zero account. Pick Telegram for large public channels and bot ecosystems. ## NoTrace Chat vs WhatsApp | Aspect | NoTrace Chat | WhatsApp | |---------------------------------|------------------------------------|-----------------------------------| | Phone number required | No | Yes | | Owner | Independent (Teamz Lab) | Meta | | Anonymous | Yes | No | | Web client | Yes (standalone) | Companion only | | End-to-end encrypted | Yes | Yes | Pick NoTrace Chat when you do not want Meta in the path and you do not want to share a number. ## NoTrace Chat vs Confide / Wickr NoTrace Chat covers a similar disappearing-message angle but works in a plain browser tab without an install. The secret-code model means there is no account at all, so there is nothing to lose, nothing to recover, and nothing for an attacker to phish. ## Features - Anonymous secure chat - End-to-end encryption (AES-GCM with per-chat keys derived from the shared code) - No signup, no registration, no account, no email, no phone number - Free anonymous messaging, no ads, no paywall - Secret code sharing — choose your own code or generate a random one - QR code share and scan on mobile - Self-destructing messages: sender unsend, receiver hide-for-me - Topic rooms — group chats joined via a topic code - Read receipts that the sender can opt into - Reply-to-message and emoji reactions - Cross-platform: browser, Android, iOS (in progress) - Dark and light themes following system preference - Localized into 18 languages ## Privacy posture, in detail - The web build stores encryption keys via `flutter_secure_storage`, which on web falls back to encrypted localStorage. This is weaker than the keychain-backed storage on Android/iOS. The app surfaces a persistent banner on web encouraging users with strict privacy needs to use the native Android app. - No third-party analytics or trackers are loaded in the production web bundle. - Google reCAPTCHA v3 is loaded only as part of Firebase App Check and runs in invisible mode (no user interaction). It returns a score that Firebase uses to decide whether the request looks human; reCAPTCHA does receive page-load metadata. - Firebase Analytics is initialized for crash and lifecycle tracking but with PII collection disabled. - Firestore Security Rules enforce shape and size limits on every write (codeHash <= 256, ciphertext <= 16 KB, nonce <= 64, MAC <= 128). Mass-spam payloads are rejected at the server. - App Check enforcement is available; once turned on, every Firestore write requires a valid token from Play Integrity (Android), DeviceCheck/AppAttest (iOS), or reCAPTCHA v3 (web). ## Pricing - Free. - No subscription. No ads. No paywall. - The web build grants unlimited messaging credits because there is no in-app purchase path on web; abuse is prevented through Firestore rule shape limits and App Check. ## Tech stack - Frontend: Flutter (single codebase, web + Android + iOS) using BLoC for state. - Backend: Firebase Auth (anonymous), Cloud Firestore (ciphertext storage), App Check, Cloud Functions (rules + admin tasks), Firebase Hosting (web deploy). - Encryption: AES-GCM via the `cryptography` Dart package, with HKDF for key derivation from the shared code. - Routing: go_router with the path URL strategy on web (clean URLs, no hash). - DI: get_it (`DependencyManager`). - Localization: Flutter intl with 18 ARB files. ## Frequently asked ### Is NoTrace Chat really anonymous? NoTrace Chat does not collect any identifying information. There is no signup. The server stores ciphertext, nonce, MAC, and timestamps; it never sees plaintext. However, your IP address is visible to Google's Firebase backend, so anonymity against a network-level adversary is not absolute. ### Can the company read my messages? No. Messages are encrypted with a key derived from the secret code. The server only sees ciphertext. Without the code, the server, Teamz Lab, Google, or any other party cannot decrypt the messages. ### Can online chat be traced? The message body cannot be traced on NoTrace Chat because it is end-to-end encrypted with a key the server never sees. Metadata such as timestamps, ciphertext length, and the TLS connection IP can still be observed by network operators or platform providers. ### Is there a Signal alternative without a phone number? Yes. NoTrace Chat is a free Signal alternative that does not require a phone number, an email, or any account. The trade-off is that NoTrace Chat does not maintain a contact graph; you start each conversation from a fresh shared secret code. ### Is there a Telegram alternative that is end-to-end encrypted by default? Yes. Telegram only end-to-end encrypts Secret Chats and still requires a phone number. NoTrace Chat is end-to-end encrypted on every message and does not require an account. ### What happens if I lose the code? Then no one can read the existing messages, including you. The encryption key is derived from the code; if the code is lost, the key is unrecoverable. ### Why does the web app suggest the Android app? Two reasons: (1) the native Android app stores encryption keys in the OS keychain rather than browser localStorage, which is meaningfully more secure; (2) the native app has push notifications, offline cache, and faster cold start than the Flutter web build. ### Does the app work in private/incognito mode? Yes, but every browser session starts fresh — encryption keys and chat history are scoped to the browser profile, so an incognito session loses access to chats when the window closes. Use the native app if you want continuity. ### What rooms are visible to other users? By default, rooms are private to the two parties who share the code. Anyone with the code can join. Topic rooms are private to people who share the topic code. There is no public room directory. ### What does "leave no trace" mean exactly? The receiver can hide a message locally so it disappears from their device. The sender can unsend a message so it disappears from both devices and is marked deleted on the server. After unsend, only ciphertext + a `state: deleted` flag remain on the server. ## Links - Web app: https://notracechat.teamzlab.com/ - Android app: https://play.google.com/store/apps/details?id=com.teamzlab.no_trace_code_chat - Publisher: https://teamzlab.com/ - Sitemap: https://notracechat.teamzlab.com/sitemap.xml - robots.txt: https://notracechat.teamzlab.com/robots.txt - Short LLM summary: https://notracechat.teamzlab.com/llms.txt