Privacy Policy
This Privacy Policy explains how Vortex Sync (“Vortex Sync,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information in connection with the Vortex Sync messaging applications, websites, and related services (collectively, the “Service”). Vortex Sync is engineered so that the content of your communications is end-to-end encrypted and our systems are metadata-minimizing by design: we cannot read your messages, and we deliberately collect only the minimum information about you that the Service needs to function.
Contents
- Scope & Who We Are
- Information We Collect
- What We Deliberately Do Not Collect
- How We Use Information
- Legal Bases (GDPR)
- How We Share Information
- Data Retention
- Security
- International Transfers
- Your Rights & Choices
- U.S. State Privacy Rights
- Children’s Privacy
- Changes to This Policy
- How to Contact Us
1. Scope & Who We Are
This Policy applies to all users of the Service worldwide. For individuals in the European Economic Area (“EEA”), the United Kingdom, and Switzerland, the data controller responsible for your personal data is Vortex Sync. Where we process data on behalf of an organization that provides you access to the Service, that organization is the controller and this Policy supplements, but does not override, that organization’s own privacy notice.
Capitalized terms not defined here have the meaning given in our Terms of Service.
2. Information We Collect
We collect the limited categories of information described below.
2.1 Information you provide to create and use an account
- Account identifiers. A unique account identifier and, depending on the registration method you choose, a phone number or username used to set up and recover your account.
- Public key material. The public portion of the cryptographic keys your device generates. Your private keys never leave your device and are never transmitted to us.
- Profile information you choose to add, such as a display name or avatar.
2.2 Information generated through your use of the Service
- Encrypted content. Messages and media you send are encrypted on your device before transmission. We store and route this content solely as opaque ciphertext that we cannot decrypt.
- Minimal delivery metadata. To deliver messages and operate the Service, our systems necessarily process limited routing and connection data (for example, that a connection is active, and ephemeral presence state). We design our systems to retain as little of this as operationally possible.
- Device & technical data. Limited technical information such as application version, operating-system type, and coarse diagnostic data necessary for security and reliability.
2.3 Information from your use of media storage
When you send photos or video, your encrypted media is uploaded directly to object storage using a single-use, time-limited credential. The encryption keys for that media are themselves encrypted for the intended recipients; we do not hold a key capable of decrypting your media.
3. What We Deliberately Do Not Collect
Privacy at Vortex Sync is an architectural commitment, not merely a policy. Because of how the Service is built, we do not:
- have the ability to read the content of your messages or media;
- store your private encryption keys;
- sell your personal information; or
- use the content of your communications to build advertising profiles.
4. How We Use Information
We use the limited information we process to:
- provide, maintain, and deliver the Service, including routing your encrypted messages;
- create, secure, and recover your account;
- protect the Service, our users, and the public against fraud, abuse, spam, and security threats;
- diagnose technical problems and improve reliability and performance;
- comply with applicable law and enforce our Terms of Service and Acceptable Use Policy; and
- communicate with you about service-related matters.
5. Legal Bases for Processing (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service and delivering your messages | Performance of a contract (Art. 6(1)(b)) |
| Security, anti-abuse, and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Optional features you enable | Consent (Art. 6(1)(a)), which you may withdraw at any time |
6. How We Share Information
We do not sell your personal information. We disclose information only in the following limited circumstances:
- Service providers. We use vetted infrastructure providers (for example, cloud hosting and object storage) that process data on our behalf under written agreements requiring confidentiality and appropriate safeguards. These providers handle encrypted content as opaque data.
- Legal process. We may disclose information if required to do so by valid legal process, but only the limited information in our possession. Because of our architecture, we cannot produce message content we are unable to decrypt. Where lawful, we will seek to notify affected users.
- Safety. We may disclose information where we believe in good faith it is necessary to protect the rights, property, or safety of Vortex Sync, our users, or the public.
- Business transfers. In connection with a merger, acquisition, or sale of assets, subject to the protections of this Policy.
7. Data Retention
We retain information only for as long as necessary to fulfill the purposes described in this Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Encrypted message content is retained to enable delivery and your own access across devices, and is deleted in accordance with your actions and our retention schedules. Account information is deleted following account deletion, subject to limited retention required by law or for security.
8. Security
We implement technical and organizational measures designed to protect information, including end-to-end encryption of message content, encryption in transit (TLS), hardened and access-controlled infrastructure, and the principle of least privilege. No method of transmission or storage is perfectly secure; while we work hard to protect your information, we cannot guarantee absolute security.
9. International Data Transfers
We may process and store information in countries other than your own. Where we transfer personal data out of the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent mechanisms, supplemented by the technical protection that end-to-end encryption provides.
10. Your Rights & Choices
Subject to applicable law, you may have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; and to withdraw consent. You may exercise these rights from within the application where available, or by contacting us as described below. We will respond within the timeframes required by law. You also have the right to lodge a complaint with your local data protection authority.
11. U.S. State Privacy Rights
Depending on your state of residence (for example, California, Colorado, Connecticut, Utah, or Virginia), you may have rights to know, access, correct, delete, and obtain a copy of your personal information, and to opt out of certain processing. We do not sell or “share” personal information for cross-context behavioral advertising. We do not discriminate against you for exercising your privacy rights. You may submit a request as described in Section 14; we will verify your request consistent with applicable law.
12. Children’s Privacy
The Service is not directed to children under the age of 13 (or the higher minimum age required in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, please contact us and we will take appropriate steps to delete it.
13. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where required by law, provide additional notice. Your continued use of the Service after an update constitutes acceptance of the revised Policy.
14. How to Contact Us
For privacy questions or to exercise your rights, contact our Privacy Team at [email protected]. If you are in the EEA or UK and we are required to designate a representative or Data Protection Officer, their contact details will be published here.