Privacy Policy
Last updated: March 27, 2026
1. Data Controller
Owner: Mikhail Khalchevskiy PR
Email: mfsupremacy@gmail.com
Address: Serbia, Mite Ružica 2, 2/4, Novi Sad
2. About the Service
pressF ("the App") is a peer-to-peer (P2P) video calling and text chat application. All audio, video, and text chat data travels directly between users' devices via WebRTC and is never stored on any server. Our backend infrastructure exists solely to authenticate users, coordinate connection setup (signaling), and deliver push notifications.
3. Data We Collect
3.1 Account Data
- Email address — used for registration, login, and password recovery.
- Nickname — a display name visible to your contacts.
- Password hash — your password is hashed with bcrypt and never stored in plaintext.
3.2 Connection & Push Data
- FCM Token — a Firebase Cloud Messaging device token, used exclusively to deliver incoming call/chat push notifications when the app is in the background.
- Contact relationships — a list of user-to-user contact pairings (approved/pending), stored in our database to enable the contact book feature.
3.3 Transient Signaling Data
- WebRTC SDP offers/answers & ICE candidates — relayed through our WebSocket signaling server in real time to establish P2P connections. This data is never persisted and exists only in volatile memory during the connection handshake.
- Session presence — temporary online/offline status stored in Redis while you are connected. Removed immediately upon disconnection.
3.4 Data We Do NOT Collect
- Chat messages — all text travels P2P via WebRTC DataChannel and is never routed through or stored on our servers.
- Audio or video streams — all media travels P2P via WebRTC and is encrypted with DTLS end-to-end.
- Call recordings or logs.
- Location data.
- Browsing history or cookies.
4. How We Use Your Data
- Authentication: To register your account, verify your email, issue JWT session tokens, and facilitate password resets.
- Signaling: To relay WebRTC negotiation payloads between peers so a direct P2P connection can be established.
- Push Notifications: To wake your device via Firebase Cloud Messaging when you receive an incoming call or chat request while the app is backgrounded or closed.
- Contact Management: To maintain your approved contacts list and route call/chat requests to the correct recipient.
- Service Improvement: To diagnose technical issues and improve app stability.
5. Legal Basis for Processing (GDPR Art. 6)
- Contractual Necessity (Art. 6(1)(b)): Processing your account data and signaling data is necessary to provide the App's core communication functionality.
- Legitimate Interests (Art. 6(1)(f)): Maintaining service security, preventing abuse, and improving performance.
- Consent (Art. 6(1)(a)): For push notification delivery. You may revoke notification permissions at any time via your device's OS settings.
6. Data Retention
- Account data (email, nickname, password hash) — retained until you delete your account or request erasure.
- FCM tokens — overwritten on each app launch; previous tokens are discarded.
- Signaling data (SDP, ICE) — never persisted. Exists only in volatile memory during real-time relay.
- Redis session data — automatically purged upon WebSocket disconnection.
7. Data Security
We implement strong technical and organizational measures to protect your data:
- End-to-end encryption: All P2P media and chat streams are encrypted with DTLS, mandated by the WebRTC standard. No server — including ours — can read or intercept your communications.
- Transport security: All client-server communications (REST API, WebSocket signaling) use TLS/HTTPS encryption.
- Password security: Passwords are hashed using bcrypt with a cryptographically secure salt. Plaintext passwords are never stored or logged.
- JWT authentication: Session tokens are signed with a server-side secret and include expiration timestamps.
- TURN credentials: Time-limited HMAC-SHA1 credentials are generated per session for NAT traversal, expiring automatically after a short TTL.
8. Third-Party Services
The App integrates with the following third-party services:
- Firebase Cloud Messaging (Google) — for push notification delivery. Subject to Google's Privacy Policy.
- STUN/TURN servers — for NAT traversal. These servers relay encrypted media packets only when a direct P2P connection cannot be established. No content is decrypted or stored by TURN relays.
9. International Data Transfers
Your account data may be processed or stored on servers outside the European Economic Area (EEA). Where applicable, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as required under GDPR Chapter V.
10. Your Rights under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of Access (Art. 15): Obtain confirmation and access to your personal data.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data when no longer necessary.
- Right to Restrict Processing (Art. 18): Temporarily limit processing under certain conditions.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw any consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at mfsupremacy@gmail.com.
11. Children's Privacy
The App is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately so we can delete it.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes within the App or via email. Continued use of the App after any changes constitutes acceptance of the updated policy.