It's not encrypted client side, so the server is getting it unencrypted. They also return the data unencrypted, so if it is stored encrypted, it's not that useful encryption since the server also knows how to decrypt it.
Also their privacy policy notes that they'll give authorities access to your messages if they receive a warrant.
Following in line with this thought, I've actually plugged in my iPhone (non-jailbroken), downloaded the sqlite database onto my computer, and was able to see all the messages and URLs of photos sent. Even photos marked as "secret" (the apps Snapchat-like feature of deleting and hiding photos).
Also their privacy policy notes that they'll give authorities access to your messages if they receive a warrant.