Privacy Policy
Last updated: 5 March 2026 · Applies to the eXODA Chat App (iOS & Android) and the website exodachat.web.app
1. Controller
The controller for data processing within the meaning of the GDPR:
T. Stephan
Kookamp 40
46354 Südlohn, Germany
E-Mail: info@exoda.de
Phone: +49 171 3833568
VAT ID: DE263100503
2. Overview of Data Processing
eXODA Chat is a messenger app that allows users to communicate in individual and group chats, create organisations with channels, and convert voice messages to text. We only collect data that is strictly necessary for operating the app.
Important: We do not require an e-mail address, phone number, or real name. We use no tracking, no advertising, and no analytics.
3. Data We Collect
3.1 Data Entered by the User
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Username (User ID) | Unique identification in the chat | Art. 6(1)(b) GDPR (contract) |
| Display name | Display in chat | Art. 6(1)(b) GDPR |
| Password (SHA-256 hash) | Authentication | Art. 6(1)(b) GDPR |
| Profile picture (optional) | Display in chat | Art. 6(1)(a) GDPR (consent) |
| Status text (optional) | Profile information | Art. 6(1)(a) GDPR |
| Text messages | Communication | Art. 6(1)(b) GDPR |
| Image messages (optional) | Communication | Art. 6(1)(b) GDPR |
| Voice recordings (temporary) | Conversion to text (transcription) | Art. 6(1)(a) GDPR |
| Report reasons | Content moderation | Art. 6(1)(f) GDPR (legitimate interest) |
3.2 Automatically Collected Data
| Data Type | Purpose | Legal Basis |
|---|---|---|
| FCM token (device push address) | Push notifications | Art. 6(1)(a) GDPR |
| Online/offline status | Showing availability status | Art. 6(1)(b) GDPR |
| Last-seen timestamp | Showing last visit | Art. 6(1)(b) GDPR |
| Account creation date | Account management | Art. 6(1)(b) GDPR |
| Read receipts | Delivery status of messages | Art. 6(1)(b) GDPR |
| Device language | Language for transcription | Art. 6(1)(b) GDPR |
| Operating system type (iOS/Android) | Push notification routing | Art. 6(1)(b) GDPR |
3.3 Data We Do NOT Collect
- No e-mail address
- No phone number
- No location data (GPS)
- No device IDs, IDFA, or advertising IDs
- No contact list / address book
- No analytics or crash data
- No payment or financial data
- No health data
- No browsing history
4. Device Permissions
| Permission | Purpose | When |
|---|---|---|
| Camera / Gallery | Selecting profile pictures and image messages | Only when actively used |
| Microphone | Voice recording for text transcription | Only when actively used; recording is deleted immediately after transcription |
| Push notifications | Notification about new messages | After user consent |
| Internet | Connection to Firebase backend | Always (required) |
5. Third-Party Services
5.1 Google Firebase
We use Google Firebase as our backend infrastructure:
- Cloud Firestore – Storage of user profiles, chats, messages, organisations, and moderation data
- Cloud Storage – Storage of profile pictures and chat images
- Cloud Functions – Server-side processing (push messages, AI moderation)
- Cloud Messaging (FCM) – Delivery of push notifications
Data is processed on servers in the EU (region europe-west1). Privacy information from Google: firebase.google.com/support/privacy
We use no Firebase Analytics, no Crashlytics, no Performance Monitoring, and no Google advertising services.
5.2 OpenAI
We use two services from OpenAI Inc. (San Francisco, USA):
- GPT-4.1-mini (Content Moderation) – Message texts are sent server-side (via Cloud Functions, not from the user's device) to OpenAI to check for inappropriate content. This is done in our legitimate interest to protect users (Art. 6(1)(f) GDPR).
- Whisper (Speech-to-Text) – When the user actively uses the speech-to-text feature, the audio recording is transmitted to OpenAI and converted to text. The recording is then immediately deleted from the device.
OpenAI processes data in accordance with the OpenAI Privacy Policy. Transfer to the USA is based on EU standard contractual clauses.
6. Push Notifications
After you grant consent, we send push notifications for new messages. The notification contains:
- Sender's name
- Preview of the message text (or "📷 Image")
Delivery is via Firebase Cloud Messaging (FCM) using topic-based targeting. You can disable push notifications at any time in your device settings.
7. Content Moderation & Reports
To protect our users, we employ the following moderation measures:
- Automatic AI Moderation: Every message is checked server-side by GPT-4.1-mini for hate speech, violence, sexual content, and other violations. Flagged messages are automatically blocked.
- User Reports: Any user can report a message as inappropriate. Reports are stored with chat ID, message ID, reporter ID, and optional reason, and are reviewed by an administrator.
- User Blocking: Users can block other users. The blocked person can no longer see messages in the blocking user's feed.
- Administrator Actions: Administrators can lock messages and ban users.
Moderation data (reports, blocks) is stored for as long as required for platform security.
8. Storage and Deletion
8.1 Storage Location
All data is stored in Google Firebase data centres in the EU (region europe-west1, Belgium).
8.2 Retention Periods
| Data Type | Retention Period |
|---|---|
| User profile | Until account deletion by the user |
| Messages | Until deletion by the user or chat deletion |
| Profile pictures / chat images | Until account or chat deletion |
| Voice recordings | Temporary – immediately deleted after transcription |
| FCM token | Until logout or account deletion |
| Moderation / report data | As long as required for platform security |
8.3 Account Deletion
You can delete your account at any time directly in the app (Profile → Delete account). Upon deletion, all your personal data including profile, messages, and images will be permanently removed.
9. Local Data Storage
Only the current login session is stored on your device (User ID via SharedPreferences / UserDefaults). No cookies and no local databases are used.
10. Your Rights under the GDPR
You have the right at any time to:
- Access (Art. 15 GDPR) – Which data about you is stored
- Rectification (Art. 16 GDPR) – Correction of inaccurate data
- Erasure (Art. 17 GDPR) – Deletion of your data (in the app: Profile → Delete account)
- Restriction (Art. 18 GDPR) – Restriction of processing
- Data portability (Art. 20 GDPR) – Delivery of your data in a structured format
- Objection (Art. 21 GDPR) – Objection to processing
- Withdrawal of consent (Art. 7(3) GDPR) – At any time with effect for the future
To exercise your rights, contact: info@exoda.de
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
11. Data Security
- Passwords are hashed client-side with SHA-256 and stored only as a hash
- All data transmissions are encrypted via HTTPS/TLS
- Firebase security rules restrict data access to authorised users
- Push notifications are delivered via encrypted FCM channels
12. Children and Minors
eXODA Chat is not directed at children under 16. We do not knowingly collect data from minors under 16. Should we become aware that such data has been collected, we will delete the relevant data immediately.
13. Changes to this Privacy Policy
We reserve the right to update this privacy policy as necessary to reflect changes to the app or legal requirements. The current version is always available at exodachat.web.app/datenschutz.html.
14. Contact
For questions about data protection, you can reach us at:
T. Stephan
E-Mail: info@exoda.de
Phone: +49 171 3833568