No phone number. No email. No accounts. Your key is any file, password or link — and it never leaves your device. The server only ever sees noise.
Who reads what is decided entirely by who holds the key — never by an account, a role, or a list on our side. We couldn't hand over your conversations if we tried.
A password, any file (PDF, photo, MP3), a URL — or a Shamir split across several files. It's hashed locally and never transmitted.
No phone number, no email, no username. Your identity is a keypair that lives only on your device — never on our servers — and you share it with a contact only when you choose, by scanning in person.
Every message can use a different key. The same room looks different to each person — some lines are text, others are just .
It stores opaque blocks and timestamps — nothing else. No senders, no key hints, no "who talks to whom". Seized, it reveals noise.
Lock a message so it only opens when K of N people combine their keys. One infiltrator with one share is useless.
By default, keys are exchanged offline — in person, by file, or by QR scan — never negotiated over the network. That eliminates an entire class of man-in-the-middle attacks.
Your identity and keys are created on-device and stored encrypted behind your biometrics. Nothing leaves without a deliberate decision.
Agree on a key with the people who matter — a file you both have, a password, a QR scanned in person. Never through the server.
Anyone without the key sees a locked block — or, in stealth rooms, nothing at all. No error, no hint, no oracle.
Choose how each conversation is protected — three levels, no default →
Security that survives a bad day is layered — and honest about where each layer ends. Here's ours, and what each one does (and doesn't) do for you.
Reach the network over Tor v3 (the server never learns your IP or where you are), over Tor bridges where Tor itself is blocked, or over a standard connection when hiding your location isn't the point. The app states plainly what each mode reveals — the choice, and the trade-off, are always yours.
A key you swap face-to-face can't be tampered with — you watched it happen. Set one up remotely when you can't meet, and the app marks it as such, with a fingerprint to verify later. Trust is shown, never assumed.
Messages wait, encrypted, until you reconnect — even across a dropping Tor circuit. Neither of you has to be online at the same moment for a message to land.
Read the full trust model — what we protect, and where it ends →
YGOOW began two decades ago with one idea: sharing data freely, anonymously, without surveillance. The world finally caught up.
YGOOW for Android is on its way. Your key, your rules — everything else is redacted.
Get it on Android — soon