Privacy Policy
Status: draft, in preparation with counsel
This page is a factual statement of what Agyata does with data today. The finalised Privacy Policy — reviewed by counsel against GDPR, India DPDP, California CCPA, and Play Store data-safety requirements — will replace this page before v1 public launch. Until then, the description below is the ground truth of our data practices. If it does not match what counsel drafts, the difference will be a clarification of language, not a change of behaviour.
What we do not collect
No email. No phone number. No real name. No profile. No address book. No contacts. No photos. No location. No advertising identifiers (we do not integrate any mobile SDKs that collect them). No social login tokens. No saved payment method.
What we do collect, and why
A random session identifier (UUID) stored as an HttpOnly cookie on the web and in secure storage on Android. Purpose: so the server can distinguish one anonymous session from another.
A random two-word handle (for example, "quiet-fern") generated per session. Purpose: so your peer has something to refer to you by within a chat. You can reroll it any time.
A hashed IP (one-way) with timestamp at the moment you confirm the 18+ gate. Purpose: compliance evidence that the 18+ confirmation occurred. This is not reversible into your real IP and is not used for ad targeting.
Anonymous telemetry: page views, error rates, queue wait times, pairing success rates. Purpose: keeping the site working. Stored on Cloudflare Analytics Engine, not tied to your session ID.
What we do not store
Chat messages are not written to any database. Rooms live in memory on a Cloudflare Durable Object while both users are connected. When either side disconnects for more than 15 seconds, the room and its messages are destroyed. Video frames never leave your device. If you report a video call, your browser computes a perceptual hash (a 64-bit summary) of the flagged frame locally and sends only that hash — never the frame itself.
What we store and for how long
Confession posts: stored indefinitely unless removed, auto-hidden for abuse signals, or deleted by the author.
Reports: report metadata (report ID, reason, reporting session, timestamp) plus evidence (last 15 messages of a reported text chat; perceptual hashes of reported video frames). Retained for the time required to complete review and retained longer if the report is part of an ongoing safety or legal matter.
Ban registry: session fingerprint hashes of banned sessions. Retained indefinitely — the entire point of a ban is that it persists.
Audit log: moderation actions. Retained for operational review.
Where your data lives
Cloudflare Workers (compute), Cloudflare D1 (SQL, confessions + reports + audit log), Cloudflare KV (rate limits, bans, flags), Cloudflare R2 (evidence blobs — text snippets and perceptual hashes only, no media files). Cloudflare edge locations are globally distributed; your request terminates at the nearest edge.
Your rights under GDPR, DPDP, CCPA, and equivalents
Right of access, erasure, rectification, portability, and objection apply where the relevant regulation applies to you. Because Agyata does not collect personal identifiers, most requests resolve as "we do not hold this data about you" — but we will confirm in writing. If you believe we hold data linkable to you, email privacy@agyata.com with enough context to identify the data (for example, a confession ID or a rough post time) and we will investigate and respond within 30 days.
Third parties
We use Cloudflare for compute, storage, CDN, and WebRTC TURN relay. We use Workers AI for text moderation classification — prompts and outputs are not used to train models per Cloudflare terms. We use Sentry for error reporting. We do not sell data. We do not share data with advertisers. At launch, AdSense may be integrated on the feed and queue screens only (never inside a live chat room) — that integration, if it ships, will be documented on this page before going live.
Children
Agyata is 18+ only. The 18+ gate is binding. If we learn a user is under 18, their session is terminated and any content they posted is removed. If you believe a user on Agyata is under 18, email safety@agyata.com immediately.
Changes
When the counsel-reviewed Privacy Policy replaces this page, a site-wide banner will announce the change for at least seven days before the new policy takes effect. Material future changes will follow the same process.
Contact
Privacy questions: privacy@agyata.com. Data subject requests: privacy@agyata.com. General: ops@agyata.com.