Privacy Policy

Who we are

kvoroom (the "Service") is operated by an individual based in Bosnia and Herzegovina. The data controller for the purposes of the EU General Data Protection Regulation (GDPR) is reachable at info@kvoroom.app.

What we collect

To run the Service we collect the following:

Account data

• Email address (required for sign-in via Firebase Authentication).
• An auto-generated username (you can change it at a token cost).
• A profile avatar (optional; uploaded from your photo library and stored as a small image inside your user record).
• A timestamp of when you accepted these terms.
• Your token balance and transaction history.

Location

• While the app is open in the foreground, we read your device location to show rooms within ~1.5 km of you and to verify you're physically inside a room's radius before you can join.
• We do not read or store your location while the app is in the background, and we do not save a history of where you've been.

Chat content

• The text of the messages you send in rooms and 1:1 chats.
• Reactions and reply references attached to messages.
• Membership records (which rooms you're currently in).

Moderation data

• If a message you tried to send was rejected by our automated content filter, the original text and the matched terms are stored in a moderation log so we can review repeat offenders.
• If another user reports you, that report is stored.

Technical data

• Standard server logs (IP address, timestamp, request path) kept briefly for security and abuse-prevention.
• Last-seen timestamps used for inactive-user signals.

What we don't collect

• No background location.
• No contacts, calendar, microphone, camera, or photos beyond a single avatar you explicitly pick.
• No third-party advertising trackers, no analytics SDKs that profile users.

How we use your data

• To provide the Service — sign you in, route messages, list nearby rooms, enforce membership rules, run the in-app token economy.
• To moderate the Service — block obviously harmful content, investigate reports, ban users who repeatedly violate the rules.
• To improve the Service — diagnose bugs, monitor uptime.
• To comply with the law — respond to lawful requests from competent authorities.

Where your data lives

• User accounts, profiles, rooms, messages, and token records are stored in Google Firebase / Cloud Firestore, in EU regions where available. Google acts as our data processor.
• The kvoroom backend itself runs on a server in Germany.
• We currently do not transfer your data outside of the EU/EEA except via Google as a sub-processor.

Who can see what

• Other users in a room can see your username, avatar, and the messages you post in that room. They cannot see your email.
• Direct chat partners can see the same plus the messages you send in your private chat.
• Admins of kvoroom can see your email, account creation time, role, token balance, and moderation reports about you. Admins act under a code of conduct and only access this data for moderation, support, or legal compliance.
• Nobody else — kvoroom does not sell, rent, or share your data with marketers or third parties.

Retention

• Room messages — kept for at most 24 hours, or only the most recent 100 per room, whichever comes first.
• Direct chat messages — kept while the chat is alive (1 hour default), then permanently deleted.
• Reports — kept for as long as moderation history is useful (up to 1 year), then deleted.
• Account data — kept while your account exists. Delete your account at any time by emailing info@kvoroom.app from your registered address; we'll erase the account and associated personal data within 30 days.
• Server logs — kept up to 30 days.

Your rights (GDPR)

If you are in the EU/EEA you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Restrict or object to processing.
• Receive a portable copy of your data.
• Lodge a complaint with your national data protection authority.

To exercise any of these, email info@kvoroom.app from the email address tied to your account. We respond within 30 days.

Children

kvoroom is not intended for users under 13 (or under 16 in the EU, where local law requires a higher minimum age). If you believe a minor has created an account, contact us and we'll remove the account.

Security

All traffic between the app and our servers is encrypted with HTTPS / TLS. Passwords are hashed by Firebase Authentication using industry-standard algorithms. Room passwords (for locked rooms) are stored as bcrypt hashes — never as plain text.

Changes to this policy

If we change this policy in a way that affects you, we'll notify you in-app and update the "Effective" date above. Continued use after the update means you accept the changes.

Contact

Questions, complaints, deletion requests: info@kvoroom.app.