Elon Musk’s XChat is hoping to take on WhatsApp and Signal with its own end-to-end encrypted app on iOS and Android. The XChat iOS app is earmarked for launch on April 27, allowing you to use the X direct message service as long as you have an account. A release date for Android has not been set.
If you use X, you might want to try out XChat to conveniently speak to your contacts. But is the XChat app safe from a privacy and security point of view?
Some experts say no. Security researcher Tommy Mysk posted Apple’s iOS privacy label on X, detailing the information XChat collects. “No ads. No tracking. Fully end-to-end encrypted. But it collects all this data,” he wrote.
What Data Does XChat Collect And How Does It Impact Privacy?
XChat requires an existing X account, so your identity, device information, IP, and behavioral history on the parent platform “are already part of the graph before you send your first message,” says Varun Badhwar, CEO and founder, Endor Labs.
Two concerns stand out, Badhwar says. “Keys live on X’s servers. X stores users’ private encryption keys on its own infrastructure, protected by a four-digit PIN. X has itself acknowledged that this architecture could allow ‘a malicious insider or X itself’ to access conversations. That’s a remarkable admission — and it means the end-to-end encryption claim depends on X’s policies, not on math.”
At the same time, image metadata is not stripped. Reports indicate that images sent through XChat retain GPS coordinates and camera details, points out Badhwar. “So even when message content is encrypted, a shared photo can leak your location and device fingerprint,” he warns.
Although XChat encrypts the content of messages, its App Privacy Notice reveals that it collects “several types of data” — including metadata and usage activity, says Luke Dixon, a partner at Freeths who specialises in IT and data law.
This has implications for user privacy, Dixon warns. “For example, metadata reveals who you are communicating with, when, and for how long. Usage activity includes product interaction records, search history, and information that reveals how you use the app.”
In the U.S., there is no federal privacy baseline. CCPA gives California users some rights, but there’s no GDPR-equivalent forcing X to disclose third-party recipients or processing purposes.
In the UK and EU, XChat will face a very different regulatory environment. UK GDPR requires disclosure of lawful basis, retention periods, and third-party sharing, says Badhwar.
But X has already collided with European regulators — Ireland’s Data Protection Commission investigated X’s use of user data to train Grok, and X agreed to suspend processing of EU/EEA user data on a permanent basis.
What XChat Data Is Shared And With Whom?
XChat shares account, usage and device data with third parties, including service providers, partners, “and potentially advertisers”, says Neil Thacker, global privacy and data protection officer at Netskope.
“This can include contact details, activity data, and communication metadata. Data may also be disclosed to authorities where legally required. Once data is shared, users have limited visibility and control over how it is used, increasing the risk of profiling, tracking and misuse.”
Metadata — who talked to whom, when, how often, from where — is not encrypted on any mainstream messaging platform, including XChat, says Badhwar. And X’s broader privacy policy already allows sharing user data with third-party “collaborators” unless users opt out, with those recipients free to use it for their own purposes, including training AI models, says Badhwar. “This matters because XChat lives inside the same corporate envelope as Grok.”
Can You Increase Your Privacy on XChat?
You can boost privacy in XChat, but “within real limits,” says Badhwar. He recommends practical steps such as stripping metadata from photos before sending using a privacy-focused camera app or a metadata scrubber.
Another tip is to turn on disappearing messages via XChat’s 5-minute vanish feature.
Don’t let your X account be your identity anchor for sensitive conversation, adds Badhwar. “If your X account is compromised, your XChat is compromised.”
XChat gives users the ability to toggle on encryption within DMs by selecting the padlock icon, which indicates end-to-end encrypted communication. They can also access, correct, or modify the information provided to it by editing their profile and adjusting your account settings, Dixon adds.
Users have some control via their settings, Dixon says. However, X provides certain third parties with information to run its products and services, he warns. “It may share also share information with third parties that perform functions and provide services on its behalf, including those that help X understand the use of its services.”
The app also includes a mechanism to block screenshots or alert users if a screenshot is attempted, according to Dixon.
For anyone using XChat, the practical guidance is “the same that applies to every messaging app,” says Adam Boynton, senior enterprise strategy manager at Jamf. “Keep your operating system current, be deliberate about which devices you link to your account, and remember that metadata tells a story even when message contents are encrypted.”
I have contacted X for a comment and will update this article if the firm responds.
How Does XChat Compare To WhatsApp And Signal?
XChat offers similar privacy guarantees to WhatsApp, says Thacker. “WhatsApp uses end-to-end encryption but still collects metadata and shares some data within its wider ecosystem.”
But it has one advantage over WhatsApp in that it does not require the user’s phone number, says Dixon. “However, as you would expect from such an established service, WhatsApp is a more mature platform with a huge level of user adoption. XChat has a lot of catching up to do in that regard.”
Signal is the gold standard because “the math is public, the keys live on your phone, and the company couldn’t read your messages even if subpoenaed,” says Badhwar. “XChat doesn’t clear any of those three bars. WhatsApp has the Signal protocol but lives inside Meta’s ad ecosystem. Signal has the Signal protocol and doesn’t. XChat has neither.”
For anything you’d be embarrassed, endangered, or exposed by if leaked — don’t use XChat. “Use Signal,” says Badhwar. “The best privacy setting in XChat is the decision to use a different app for sensitive conversations.”
Should You Use XChat?
So the all-important question is: Should you use XChat when the app launches? For casual conversation with friends you already follow on X? “It’s fine — probably no worse than SMS, and meaningfully better for group chats and media,” says Badhwar.
For anything involving your business, your health, your family’s safety, or your legal exposure? “Absolutely not — not in v1, and not until the code is open-source and independently audited,” says Badhwar.
XChat is coming, but the consensus is, the app isn’t as safe as WhatsApp or Signal. Therefore, feel free to use XChat for chats you wouldn’t care about becoming public. Otherwise, use Signal instead.
