Live DB schemaOpen book

What exactly do we
store in the database?

No marketing fluff. Below is the actual schema — every table, every column, every piece of data. Tap any column to see a real example and explanation.

Private rooms: the DB is just a dead-drop

Private room messages are never stored in the database. The DB is only used for the WebRTC handshake (offer/answer SDP) — a one-time coordinate exchange lasting seconds. Once peers connect directly (P2P), the handshake rows are deleted and all messages travel peer-to-peer over an encrypted channel. We don't even store the encrypted ciphertext because the data never touches our server. Furthermore, if you use BYODM, even these handshakes bypass our global server entirely.

Database tables (4)

Columns (tap to expand)

What we DON'T store

Your IP address in plaintext
Your real name
Message content (all E2E encrypted)
Device fingerprint

Can govt get message content?

No. AES-256-GCM E2E encrypted. Server only sees ciphertext. Keys never leave your browser.

Private room connection flow

Creator generates offer

WebRTC SDP + ICE candidates gathered locally in browser

AES-256-GCM key created

Encryption key generated in-browser — never sent to server as plaintext

Offer + encrypted key → DB

Stored in room_signals. Key is wrapped, payload is opaque to the server

touches DB

Joiner fetches offer

Reads the SDP from DB, decrypts the key client-side, generates answer

Answer → DB

Joiner's SDP answer stored in room_signals

touches DB

Creator fetches answer

Reads the answer, ICE negotiation completes in browser

P2P connected — DB rows deleted

room_signals rows wiped. All future messages are direct P2P, never touch DB

DB wiped
SQL Injection

All queries use parameterized args — zero raw string interpolation in DB calls. Inputs are stripped of SQL metacharacters client-side before storage.

XSS Prevention

All user text is HTML-entity encoded before render. Message sanitizer strips <, >, ", ', ` and backticks. Markdown parser is regex-only — no innerHTML from untrusted source.

Bring Your Own DB

Incogniq supports custom Turso/Supabase/Firebase nodes. Your data stays on your infrastructure. The default DB is isolated per deployment.

Warrant Canary · Q2 2026

Zero government requests · Zero gag orders · Zero backdoors · Zero data disclosures

If this section disappears, assume we are under legal constraint.

By utilizing Incogniq, you authorize secure runtime transport channels and agree to our EULA & License, Terms, Privacy Policy, and Responsible Use guidelines. Zero identity remains stored.