Everything a working trade needs from a messenger.
A full picture of what TradesMen Messenger ships today, the privacy choices behind each feature, and what we're working on next. Every feature listed here is in the current native iOS and Android apps unless explicitly marked Planned.
Built for the way trades actually talk.
Per-site, per-trade, per-phase, or per-client. Messaging that supports the structure your day-to-day already has.
Private 1:1 messaging
End-to-end encrypted text, attachments, and voice notes. React, edit, and delete. Read receipts and last-seen are configurable per conversation, so a foreman can stay private from a client without breaking other threads.
- Reactions, edits, and message deletes
- Configurable read receipts and last-seen
- In-thread search across your local history
- Reply, quote, and forward — with provenance retained on re-forwarded messages
Group conversations
Per-site, per-trade, or per-phase groups with admin roles, member-aware key handling, and per-member archive state so people who finish a phase can mute or archive without affecting anyone else.
- Admin and member roles
- Per-member archive — clean inbox, retained history
- Member-aware key changes when devices change
- Pinned announcements for safety briefings or call-outs
Connect privately — without giving up your phone or email.
No public directory, no email or phone search, no "people you may know." Adding a contact always requires intent on both sides.
Contact requests
Request a connection by handle. The other person reviews and approves before any private message can be sent. No silent friend-of-friend connections.
QR & contact card
Trade a QR or in-app contact card on the job site. The QR encodes a single-use rotating token — once it's scanned and accepted, it can't be reused.
Short codes & signed invite links
Time-limited short codes and HMAC-signed invite links for adding people remotely. The server stores only the hash — the raw token is never persisted.
Why no email or phone search?
Public lookup is the most common way contact information leaks. We replace it with private, intentional invite paths so a tradesperson can hand a contact card to a client at the counter without exposing a personal cell number to the rest of the internet.
Photos, voice notes, and calls that don't betray your job.
Encrypted attachments
Photos, video, files, and voice notes are encrypted on your device with a per-file content key, then uploaded as opaque ciphertext. Only the recipients hold the symmetric key needed to decrypt.
- Per-file content keys, never reused
- Server stores opaque blobs — no thumbnail mining, no content scanning
- Resumable uploads on flaky job-site networks
- Voice notes record locally, encrypt, then send
Voice & video calls
1:1 voice and video over WebRTC with DTLS-SRTP for the media path. Peer-to-peer where possible; relayed through our coturn STUN/TURN server only when a job-site or carrier network blocks direct connections.
- 1:1 voice and video
- Short-lived TURN credentials bound to the call session
- CallKit / call-style notifications without leaking caller identity
- Planned: Multi-party calling for crews on the same site
You're in charge of every device, every export, and every notification.
Device management
See every device on your account, when it was last seen, and revoke access from inside the app. Each device has its own identity key and signed pre-keys; revoking a device prevents it from decrypting any new messages.
Push notifications
Privacy-safe pushes — "new message", "incoming voice call", "missed call" — without revealing the sender, recipient, or content. Lock-screen previews are blank by default.
Account export & delete
Request a portable export of your account data, or delete your account from the app. Deletions take effect only after a 7-day grace window, so an accidental tap can be reversed before anything is removed.
Reporting & safety
Report abuse without losing your privacy — only what you choose to share is included. The SuperAdmin reveal flow requires a written reason and is recorded in immutable audit logs.
Biometric app lock
Open the app with Face ID, Touch ID, or BiometricPrompt. Local data is encrypted at rest with keys held in iOS Keychain or Android Keystore — backed by your device's secure enclave.
Verification
Confirm your email and (optionally) your phone, used purely for account recovery. Neither is exposed to other users and neither is searchable.
iOS & Android, side by side.
We ship features in lockstep. Where there's a platform-specific name (CallKit vs. ConnectionService, Face ID vs. BiometricPrompt) we use the right one — but the user-visible behaviour is the same.
| Capability | iOS | Android |
|---|---|---|
| Native shell | Swift / SwiftUI | Kotlin / Jetpack Compose |
| Minimum OS | iOS 16 | Android 8.0 (API 26) |
| Form factors | iPhone & iPad universal | Phone & tablet |
| Biometric app lock | Face ID / Touch ID | BiometricPrompt |
| Local key storage | iOS Keychain (Secure Enclave) | Android Keystore (StrongBox where available) |
| Push channel | APNs (privacy-safe payloads) | FCM (privacy-safe payloads) |
| Call notifications | CallKit-style alerts | Telecom-style alerts |
| WebRTC media | DTLS-SRTP | DTLS-SRTP |
| QR scanning | AVFoundation / VisionKit | CameraX + ZXing |
| Deep links | Universal Links + tradesmenmessenger:// | App Links + tradesmenmessenger:// |
| Voice notes | AVAudioRecorder, on-device encrypt | MediaRecorder, on-device encrypt |
| Background uploads | NSURLSession background | WorkManager + Foreground service |
The numbers, not the marketing.
Real caps, real defaults. These are the numbers the apps and backend actually enforce today; if we change them we update this page.
| Setting | Default | Cap | Notes |
|---|---|---|---|
| Password length | 10 chars min | — | Argon2id at rest. Strict-character validation off by design — the bar is length, not symbol noise. |
| Account access token (JWT) | 15 min | — | HS256 with strict issuer/audience/typ checks; refresh tokens revocable per-device. |
| Refresh token | 30 days | — | Rotates on use; revoked on logout, ban, or device revocation. |
| Rotating QR invite TTL | 10 min | 60 min | Fresh per contact-card open or manual Refresh QR. |
| Static QR / signed-link TTL | 7–14 days | 90 days | Per-invite, set at creation. |
| Short-code TTL | 14 days | 90 days | Crockford base32 alphabet with the confusable I/L, O/U and 0/1 pairs removed; format TM-XXXX-XXXX-XXXX. |
| Invite max-uses | 1 | 100 (signed/short), 50 (static QR), 1 (rotating QR) | Atomic increments under SELECT … FOR UPDATE. |
| Account-deletion grace window | 7 days | — | Cancellable from the app any time during the window. |
| Contact-card QR refresh | 60 / hour / user | — | Separate rate-limit bucket from the manual POST /contact-invites/qr endpoint, so reload loops never brick the card. |
| Manual QR mint | 30 / hour / user | — | Disabled when the user has set Allow QR invites off. |
| Push payload | ≤ 256 bytes, generic body | — | "New message" / "Incoming voice call" — never sender or content. |
| Audit-log retention | Indefinite | — | SuperAdmin actions are append-only; never overwritten. |
Operators on the company tier can tighten retention windows further per data class — defaults shown above are the upper bound.
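An added example (not TradesMen Messenger's own backend code) tying together the invite mechanics described under Short codes & signed invite links and the table above: short codes in the TM-XXXX-XXXX-XXXX format, HMAC-signed links, hash-only storage, and TTL and max-uses checks at redemption. The invite URL shape, SHA-256 as the token hash, the in-memory dict standing in for the database, and the signing key are assumptions.

```python
import hashlib
import hmac
import secrets

# Crockford base32 minus the confusable I/L, O/U, 0/1 (30 symbols); TTL defaults mirror the table
ALPHABET = "23456789ABCDEFGHJKMNPQRSTVWXYZ"
SERVER_SECRET = secrets.token_bytes(32)  # assumed: per-deployment HMAC key
INVITES = {}  # assumed stand-in for the DB: sha256(token) -> {"exp", "max_uses", "uses"}

def _sign(token):
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()

def _persist(token, ttl_seconds, max_uses, now):
    # Only the hash is stored, so a leaked table yields no redeemable tokens.
    digest = hashlib.sha256(token.encode()).hexdigest()
    INVITES[digest] = {"exp": now + ttl_seconds, "max_uses": max_uses, "uses": 0}

def issue_short_code(now, ttl_seconds=14 * 86400, max_uses=1):
    # TM-XXXX-XXXX-XXXX, the short-code format given on the page
    groups = ("".join(secrets.choice(ALPHABET) for _ in range(4)) for _ in range(3))
    code = "TM-" + "-".join(groups)
    _persist(code, ttl_seconds, max_uses, now)
    return code

def issue_signed_link(now, ttl_seconds=7 * 86400, max_uses=1):
    # Random token plus HMAC tag; the URL shape is hypothetical
    token = secrets.token_urlsafe(16)
    _persist(token, ttl_seconds, max_uses, now)
    return f"https://example.invalid/invite/{token}.{_sign(token)}"

def _consume(token, now):
    row = INVITES.get(hashlib.sha256(token.encode()).hexdigest())
    if row is None:
        return False, "unknown"
    if now > row["exp"]:
        return False, "expired"
    if row["uses"] >= row["max_uses"]:
        return False, "exhausted"
    row["uses"] += 1  # production: atomic increment under SELECT ... FOR UPDATE
    return True, "ok"

def redeem_short_code(code, now):
    return _consume(code.strip().upper(), now)

def redeem_signed_link(link, now):
    token, _, sig = link.rsplit("/", 1)[-1].partition(".")
    # Constant-time compare rejects forged or truncated tags before any DB lookup
    if not hmac.compare_digest(sig, _sign(token)):
        return False, "bad-signature"
    return _consume(token, now)
```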
SuperAdmin tooling for crews, ops, and incident response.
A small but real ops surface for owners and operations managers running a fleet of crews. Web only, SuperAdmin-gated, IP allowlisted, 2FA-required.
Live dashboard
Active users, online now, message and call volume, push delivery, failed jobs, Postgres & Redis health.
User management
Search, ban with reason, force-logout, send a privacy-safe in-app notice. Every action is audited.
Reports queue
Triage user reports without exposing private content casually. Reveal requires a written reason and is logged.
Retention policies
Configure how long each data class is kept. Background workers age data out automatically.
Feature flags
Server-side toggles with optional per-user rollout percent for gradual feature rollout.
App-version control
Track shipped versions and define minimum-required and recommended versions per platform.
Legal documents
Edit privacy / terms / data-retention / data-deletion / breach-response / data-request docs with version history.
Breach incident management
Track incidents from discovery through resolution with severity, affected systems, and an audit trail.
Two-factor & recovery codes
TOTP for SuperAdmin sessions, with regenerable one-time recovery codes.
What we deliberately don't ship.
A messenger this private has to make trade-offs. These are the ones we made on purpose — not gaps we forgot.
No public web client
Browsers can't hold private keys with the same guarantees as a phone's secure enclave. Web clients also add a phishing surface we'd rather not own. The website you're reading is information-only; there is no public web user login.
No email or phone search
Public lookup is the most common way contact information leaks. We replace it with private invite paths (QR, short code, signed link). Exact-handle search exists as a secondary fallback and only matches on lower(handle) = lower(?).
No analytics SDKs
No Google Analytics, no Firebase Analytics, no Mixpanel, no Amplitude in the apps. Operational metrics live on the backend and are aggregate; per-user behaviour analytics aren't collected or sold.
No "people you may know"
No friend-of-friend graph traversal, no contact-list upload, no implicit suggestions. Adding a contact always requires intent on both sides.
No content scanning
The server never decrypts message bodies or media to scan them. Content moderation runs through user reports and the audited reveal flow — not automated content inspection.
No third-party ad SDKs
The apps don't ship ad networks, ad SDKs, or third-party trackers. Funding comes from the company tier, not from monetizing your conversations.
What we're working on next.
Items we're actively building toward. We update this page as features ship — nothing on this list is in the apps yet.
Group calling
Multi-party voice and video for crews on the same site, with the same WebRTC + coturn architecture used for 1:1 today.
Cross-device sync
Encrypted device-to-device handoff for chats and media so adding a tablet alongside your phone keeps your history available everywhere — without putting plaintext on the server.
Production E2EE crypto
Replace the current placeholder crypto module with a vetted Signal/MLS-compatible build before public store releases. See /security for the full status.
Job-site channels
Per-site spaces with sub-channels by trade and phase, so a single project can grow from foundation to handover without becoming a thirty-thread mess.
Saved canned messages
Common safety briefings, end-of-day summaries, and PO templates you can fire off from a quick action.
Read-only client links
A way to share a curated, time-limited summary with a client who isn't on the platform — without exposing the underlying conversation.
Ready to put it on a job?
Install the app, add a few crew members the right way, and run a real day on it. We'd rather you see it in action than read about it.