Pollis — FAQ

What is Pollis?

A desktop messaging app with group channels and direct messages, like Slack, but your messages are encrypted on your device before they leave it. The people running Pollis can't read them.

Tauri 2 desktop client (Rust + React) that connects directly to a Turso/libSQL backend. Messages are end-to-end encrypted with MLS (RFC 9420) via openmls; the server only stores ciphertext envelopes plus routing metadata. No intermediate app server.

How is it different from Slack, Signal, or Discord?

Slack and Discord can read your messages. Signal can't read yours either, but it's phone-number based and built for personal chats. Pollis is built for group workspaces like Slack, but with Signal-style privacy.

Slack/Discord: plaintext server storage. Signal: Double Ratchet, phone-number identity, optimized for 1:1 + small groups. Pollis: MLS-based group ratchet, username + email identity, Slack-style multi-channel workspaces, native desktop only.

Is it really end-to-end encrypted?

Yes. Messages are encrypted on your device using the same kind of cryptography banks and secure messengers use. Your private keys never leave your computer.

The server can see who is messaging when, but not what.

Client-side MLS encryption (RFC 9420) via openmls. Private keys live in the OS keystore (macOS Keychain / Windows Credential Manager / Linux Secret Service) through the keyring crate — never on disk, never sent anywhere.

Server sees: user IDs, group/channel membership, message timestamps, sizes, public keys. Server does not see: plaintext, file contents, private keys.

What happens to my messages if I get a new device or reset my account?

You will likely lose your old messages. This is on purpose.

A new device only sees messages sent after it's added. Resetting your account wipes prior messages. We don't back up your history to the cloud, because doing so would be a target for attackers and subpoenas.

If you need a permanent archive of everything you've ever said, Pollis isn't the right tool.

Message history is not a product guarantee. A new device joining an existing MLS group receives keys for the current epoch only — no historical backfill. Identity reset wipes local message storage. No encrypted cloud backup (no Megolm-style key-backup), and none is planned. This is explicit in CLAUDE.md as a design principle: simpler model, smaller attack surface, no key escrow.

Which platforms are supported?

macOS, Windows, and Linux.

macOS (universal binary — Apple Silicon + Intel), Windows x64, Linux (.deb, .rpm, .AppImage, AUR). Built with Tauri 2.

Is there an iOS or Android app?

No.

No. Voice/media is implemented directly in Rust (not in the webview), so mobile isn't a UI-only port — it would require native clients.

Is Pollis open source?

The source is public on GitHub. You can read it, build it, and check our work.

Source lives at github.com/actuallydan/pollis. Check the repo for the current license.

Is it free?

Yes.

Why MLS instead of Signal Protocol?

Pollis is built around group chats. MLS is a newer standard designed for groups; Signal's protocol is great for 1:1 but gets slow and expensive at group scale.

MLS (RFC 9420) provides a single group key ratchet with O(log n) membership changes. Signal's Double Ratchet pairwise-ratchets between every member, so a group of N costs O(N) per sender per message. For a Slack-style product with large channels, MLS is the right primitive.

Do you store my email address?

Yes — we need it to send you sign-in codes. No phone number required.

Yes. Email OTP is the auth primitive, so the email is stored server-side to deliver the OTP and bind it to the account. Session tokens are held in the OS keystore.

How do I create or join a group?

Anyone can create a group inside the app. To add someone, invite them by their Pollis username — they need an account already.

Groups are created via the create_group Tauri command; members are added by username via invite_to_group. Adding someone generates an MLS Welcome that seeds their device into the group ratchet at the current epoch. DMs are implemented as 2-person MLS groups.

What happens if the server goes down?

You won't be able to send or receive new messages until it's back, but you can still open the app and read what you already have. A server outage is never a privacy problem — only a reachability one.

The server is required for message delivery, MLS commit routing, and R2 uploads. Read-only operation against the local encrypted SQLite store still works during an outage. Because the server can't decrypt, downtime has no confidentiality impact.

Where do my files go when I attach something?

Files are encrypted on your device before upload. The storage provider only ever sees scrambled bytes; only people in the group can decrypt them.

Attachments are encrypted client-side and uploaded to Cloudflare R2. The decryption key travels inside the MLS-encrypted message, so R2 only ever holds ciphertext. Recipients fetch by key and decrypt locally.

Should I trust Pollis with my life?

Pollis is in open preview and has not been independently audited. If your physical safety depends on unbreakable communication, use a mature, audited tool built for that threat model.

Open preview status — no third-party cryptographic audit yet. Protocol choices (MLS, keystore-backed identity, client-side encryption) target a Slack-style workspace threat model, not a nation-state adversary. For high-risk use, pick a tool with a documented audit history.

Frequently Asked Questions