My point was that it's a claim that's impossible to formally prove: we don't really know how to do formal proofs of destruction, at least not with the scheme you're using.

But even beyond that, there are a lot of weaknesses in this setup. I'll post a list of them in response to the other comment you left, since they'll be more relevant there.

> What else would you like to see here?

Frankly, you should either disable this service or put a big red banner on it explaining that it it (1) hasn't been audited, and (2) doesn't encrypt messages on the client side. As it is, people are going to make incorrect and potentially dangerous assumptions about the privacy of data they put on your service.

Please don't take that as a personal rebuke, because it isn't! I just don't want you to be the most recent person in a long lineage of developers to be publicly burned for teaching themselves applied cryptography.