Zero-knowledge means Pigeon's servers never hold the keys to read your messages. Decryption is architecturally impossible for us — not just against policy.
When you send a message in Pigeon, it's encrypted on your device before it goes anywhere. The encryption key — the thing that makes your message readable — is derived from your account credentials and stored locally on your device. Pigeon's servers receive a locked message with no key to open it.
That's zero-knowledge. Not that we choose not to read your messages. That we structurally can't, because we never have the key.
Most apps that describe themselves as encrypted still hold your keys on their servers. That means the company can decrypt your data — to power features, respond to legal requests, or run AI across your history. The data is protected from outsiders but not from the platform itself.
Pigeon is different in that specific way: the server is a delivery and storage system for data it cannot interpret.
"We don't read your messages" is a policy. Policies can change — through a product update, a new owner, a legal order, or a quiet terms-of-service revision. Most users won't notice.
Zero-knowledge is an architecture. It doesn't change unless you rebuild the system. Here's what that means in practice:
A subpoena served to Pigeon produces encrypted ciphertext. Without your device keys, it's unreadable. The server doesn't have the keys to hand over.
A data breach on Pigeon's servers exposes ciphertext. An attacker gets the same thing a subpoena would — data they can't decrypt without keys that live on your device.
An AI feature can't summarize your messages or search your history because there's no plaintext on the server to process. This isn't a setting you have to find and disable. There's nothing to disable.
If Pigeon is acquired or changes direction, the architecture doesn't change retroactively. Messages already sent remain unreadable to any new owner.
The value isn't that Pigeon is more trustworthy than other companies. It's that the architecture removes trust from the equation.
Because keys are credential-derived, switching devices is seamless — sign in on a new phone, verify your email, and your keys are derived again. No old device needed, nothing to transfer.
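The credential-derived key described above, and its re-derivation on a new device, as an added sketch that is not Pigeon's code. The page names no KDF or cipher, so scrypt, AES-256-GCM, the email-based salt, the sample credentials and every function name here are assumptions.

```javascript
// Added illustration, not Pigeon's code: scrypt, AES-256-GCM, the email-derived
// salt and every function name are assumptions made for this sketch.
const nodeCrypto = require('crypto');

// Same credentials in, same 32-byte key out, on any device; nothing is transferred.
function deriveKey(email, password) {
  const salt = nodeCrypto.createHash('sha256').update(email.toLowerCase()).digest();
  return nodeCrypto.scryptSync(password, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Runs on the device. The returned object is everything the server would store.
function encryptOnDevice(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { nonce, body, tag: cipher.getAuthTag() };
}

// Runs on a device that holds the key; throws if the key or the data is wrong.
function decryptOnDevice(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.body), decipher.final()]).toString('utf8');
}

function demo() {
  // Constructed sample credentials and message.
  const oldPhoneKey = deriveKey('ana@example.test', 'constructed passphrase 1');
  const stored = encryptOnDevice(oldPhoneKey, 'lunch at noon?');

  // New phone: sign in with the same credentials and the key is derived again.
  const newPhoneKey = deriveKey('Ana@Example.test', 'constructed passphrase 1');
  const readOnNewPhone = decryptOnDevice(newPhoneKey, stored);

  // A party holding only the stored record (no credentials) cannot open it.
  let readableWithoutKey = true;
  try {
    decryptOnDevice(nodeCrypto.randomBytes(32), stored);
  } catch {
    readableWithoutKey = false;
  }
  return { readOnNewPhone, readableWithoutKey, leaksText: stored.body.includes('lunch') };
}

console.log(demo());
```

In a design like this the key is only as strong as the credential it is derived from, which is why the sketch uses a memory-hard KDF rather than a plain hash.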
The one deliberate constraint is new member history. When someone joins a chat, the admin controls whether they can see messages from before they joined. This is intentional: history access is a decision, not a default. It's a meaningful difference for teams where controlling who sees what — and from when — actually matters.
See also: Is Pigeon end-to-end encrypted?