Privacy Policy
What we do not collect
No email. No phone number. No real name. No profile. No address book. No contacts. No photos. No location. No social login tokens. No saved payment method. We do not integrate any mobile SDK that collects device advertising identifiers (Android Advertising ID, iOS IDFA). Google AdSense, where enabled, sets its own advertising cookies through the browser — see "Advertising and cookies" below for how that works.
What we do collect, and why
A random session identifier (UUID) stored as an HttpOnly cookie on the web and in secure storage on Android. Purpose: so the server can distinguish one anonymous session from another. A random two-word handle (for example, "quiet-fern") generated per session. Purpose: so your peer has something to refer to you by within a chat. You can reroll it any time. A hashed IP (one-way) with timestamp at the moment you confirm the 18+ gate, and a separately hashed IP used to enforce bans. Purpose: compliance evidence that the 18+ confirmation occurred, and abuse prevention. Neither hash is reversible into your real IP and neither is used for ad targeting. Aggregate telemetry: page views, error rates, queue wait times, pairing success rates, and — for video chat specifically — round-trip time, jitter, packet loss, bytes sent and received, frame rate, selected ICE candidate pair type (direct versus relay), and available bandwidth estimate. Purpose: keeping the site working and diagnosing call quality. Stored on Cloudflare Analytics Engine with only the ephemeral session identifier attached; we cannot tie a row in that dataset back to an individual.
How chat messages and video flow
Text chat: messages are never written to any database. A chat room lives in memory on a Cloudflare Durable Object while both users are connected; when either side disconnects for more than 15 seconds, the room and its messages are destroyed. The only exception is when a user files a report — in that case the last 15 messages from the reporter's own view are captured as evidence and stored in Cloudflare R2 for review.
Video chat: video and audio are streamed directly between the two peers using WebRTC. Our servers do not see, record, or store the media content. Whenever possible the connection is peer-to-peer, meaning the media travels directly between your device and your peer's device. On networks where a direct connection is not possible (commonly mobile carrier NAT or strict corporate firewalls), the encrypted media is relayed through Cloudflare's TURN servers — Cloudflare forwards the packets but does not decrypt or persist them. Approximately 30 to 50 percent of real-world calls require TURN relay.
If you report a video call, your browser computes a perceptual hash (a 64-bit summary) of recent frames locally and sends only those hashes — never the frames themselves.
What we store and for how long
Session identifier: up to 30 days, rolling (extended every time you visit). Confession posts: up to 12 months by default, then automatically purged by a daily retention job; earlier if removed, auto-hidden for abuse signals, or deleted by the author. Reports: metadata (report ID, reason, reporting session ID, timestamp) plus evidence (last 15 messages of a reported text chat; perceptual hashes of reported video frames) retained for the time required to complete review, or longer if the report is part of an ongoing safety or legal matter. Ban registry: session and IP hashes of banned sessions, retained indefinitely — the entire point of a ban is that it persists. Audit log: moderation actions, retained for operational review. Aggregate WebRTC telemetry in Analytics Engine: 90-day retention (Cloudflare default). Cloudflare Workers operational logs: 7-day retention.
Where your data lives
Cloudflare Workers (compute), Cloudflare D1 (SQL, confessions + reports + audit log), Cloudflare KV (rate limits, bans, flags), Cloudflare R2 (evidence blobs — text snippets and perceptual hashes only, no media files). Cloudflare edge locations are globally distributed; your request terminates at the nearest edge.
Your rights under GDPR, DPDP, CCPA, and equivalents
Right of access, erasure, rectification, portability, and objection apply where the relevant regulation applies to you. Because Agyata does not collect personal identifiers, most requests resolve as "we do not hold this data about you" — but we will confirm in writing. If you believe we hold data linkable to you, email privacy@agyata.com with enough context to identify the data (for example, a confession ID or a rough post time) and we will investigate and respond within 30 days.
Third parties
We use Cloudflare for compute, storage, CDN, and WebRTC TURN relay. We use Workers AI for text moderation classification — prompts and outputs are not used to train models per Cloudflare terms. We use Sentry for error reporting. We use Google AdSense to serve ads (see "Advertising and cookies" below). We do not sell data. We do not share data with advertisers beyond the standard AdSense-served placements.
Advertising and cookies
Agyata serves ads via Google AdSense. AdSense and its partners may set cookies and similar identifiers on your device to personalise the ads you see, measure ad performance, and prevent repeated delivery of the same ad. These cookies are set by Google, not by Agyata, and are subject to Google's own privacy policy and ad-personalisation controls at https://adssettings.google.com. You can opt out of personalised ads at https://www.google.com/settings/ads. Where required by local law (EU, UK, California), AdSense surfaces its own consent prompt before setting non-essential cookies. Agyata itself sets no advertising cookies and does not share any identifier of yours with advertisers.
Children
Agyata is 18+ only. The 18+ gate is binding. If we learn a user is under 18, their session is terminated and any content they posted is removed. If you believe a user on Agyata is under 18, email safety@agyata.com immediately.
Changes
Material changes to this Privacy Policy will be announced in a site-wide banner for at least seven days before the change takes effect. The effective date and version number at the top of this page reflect the current revision. Historical versions are available on request by emailing privacy@agyata.com.
Contact
Privacy questions and data subject requests: privacy@agyata.com. General: ops@agyata.com.