Privacy Policy

1. Data Controller

Vortex is operated by Ege Durmaz ("we", "us"). For privacy or data protection inquiries, contact abuse.vortex.rooms@gmail.com.

2. Data We Collect

2.1 Automatically Collected

• Anonymous authentication ID - A temporary Firebase anonymous user ID is generated. No email, phone number, or legal name is required.
• Session metadata - Room ID, join/leave timestamps, sub-session assignments, and participant presence state.
• Heartbeat data - A "last seen" timestamp updated periodically to detect disconnections and stale users.
• WebRTC signaling data - SDP and ICE candidates stored temporarily in Firestore to establish peer connections.

2.2 User-Provided

• Display name - A nickname you choose when joining a room. When E2E is enabled, this is stored as encrypted metadata.
• Chat messages - Text content sent in channels. When E2E is enabled, messages are encrypted client-side and stored as ciphertext.
• Avatar seed - A random avatar seed used to render your generated avatar.
• Room password hash - If a room password is set, only a server-side bcrypt hash is stored in a restricted collection; plaintext passwords are not stored.

2.3 Not Collected

• We do not collect email addresses, phone numbers, or real names as part of normal usage.
• We do not run ad tracking or analytics profiling for user behavior.
• Voice data is transmitted peer-to-peer (WebRTC) and does not pass through our application servers.
• We use a single functional cookie (sidebar_state) for UI preference only.

3. How We Use Data

• To provide and operate the real-time room service.
• To synchronize participants, channels, and room state.
• To detect abuse, process reports, and enforce our Terms.
• To comply with legal obligations and valid law-enforcement requests.

4. Data Retention

Vortex is designed to be ephemeral:

• Room data (messages, participant records, signaling data, encryption key material) is deleted when the room lifecycle ends.
• Automated cleanup removes stale sessions older than 24 hours as a safety fallback.
• We do not maintain long-term user profiles or message archives.
• Abuse reports may be retained for safety, legal compliance, and case handling.

5. End-to-End Encryption

When E2E is enabled for a room:

• Messages are encrypted on your device using Megolm.
• User metadata fields (such as name/avatar seed) are encrypted with AES-256-GCM.
• Key exchange relies on Curve25519 public-key cryptography.
• We cannot read encrypted message content in transit or at rest.

6. Data Sharing

We do not sell or rent personal data. We may disclose available data when required by applicable law, legal process, or lawful authority requests.

7. Third-Party Services

• Firebase (Google) - Authentication, Firestore, and hosting infrastructure. Subject to Firebase Privacy Policy.
• WebRTC/STUN - Peer-to-peer media setup and NAT traversal.
• Cloud Functions - Server-side operations such as moderation workflows and room password verification.

8. Your Rights (KVKK Article 11)

Under Turkish Personal Data Protection Law (KVKK), you may have rights to request information, correction, deletion, or other lawful actions regarding your personal data.

Because Vortex is anonymous and ephemeral by design, most data is automatically removed as part of room cleanup. For requests, contact abuse.vortex.rooms@gmail.com.

9. Children's Privacy

The Service is not intended for children under 13. If you believe a child under 13 has used the Service, contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes are effective when posted on this page with a revised date.

11. Contact

For privacy inquiries or data rights requests:

• Email: abuse.vortex.rooms@gmail.com
• GitHub: github.com/Aegean09/vortex-rooms