0. WHO CONTROLS YOUR DATA
| Item | Detail |
|---|---|
| Controller / operator | The Buzzio Team — currently an unincorporated operator of the Buzzio app and related services. We may assign operations to a future registered legal entity; this policy will be updated with the entity’s legal name and address when that happens. |
| Contact for privacy | app449377@gmail.com — use subject Privacy Request |
| Website | https://buzzio.dev |
| Data Protection Officer (DPO) | Not appointed at this time. If law later requires a DPO or an EU/UK representative, we will publish those details here and notify users in-app. |
1. OUR CORE PROMISE
Buzzio is built so that your private conversations stay private.
We design private messaging so that, wherever possible:
- we cannot read your end-to-end encrypted messages
- we do not keep a durable server-side archive of who you privately talk to
- we do not sell your data — never have, never will
We do not sell your data.
Not messages. Not metadata. Not Buzzio IDs. Not community posts. Not Whisper answers. Not reactions. Not blocks. Not reports. Not backups. Not wallet activity. Never.
Under California law (CCPA/CPRA), we also do not “sell” or “share” personal information for cross-context behavioral advertising. See §33.
This policy explains, feature by feature:
- What we store
- What we do not store
- How encryption and deletion work
- Where “zero metadata” applies — and where it does not
If a feature needs more storage to work (Community, Broadcast, Stories, Whisper Questions, open-history groups, optional contact sync, optional cloud backup), we say so honestly. Even then, we still do not sell that data.
2. WHO WE ARE & WHAT THIS COVERS
This Privacy Policy applies to the Buzzio mobile app and related Buzzio services, including:
- One-to-one private chat
- Whisper private chat (QR anonymous sessions)
- Whisper Questions (
whisper.buzzio.devand related web pages) - End-to-end groups and open-history groups
- Private voice & video calls
- Broadcast channels
- Communities
- Stories
- Profile / username / privacy settings
- Optional encrypted cloud backup
- Optional non-custodial Bitcoin wallet
- Buzzio Premium and in-app purchases (including Whisper Questions Link Packs)
By using Buzzio, you acknowledge this Privacy Policy. Where law requires a separate consent for a specific processing activity (for example optional contact sync, non-essential cookies, or certain analytics), we will ask for that consent in-product or on the web.
If you do not agree, do not use the app or related sites.
3. YOUR BUZZIO ID (IDENTITY)
What a Buzzio ID is
Your public account identifier is a Buzzio ID — a randomly generated 12-digit identifier (shown with dashes for readability).
Internally, systems may still refer to this same identifier as a technical ghostId field for historical compatibility. For users, the name is Buzzio ID.
What only you control
- A 12-word mnemonic recovery phrase is generated on your device.
- Cryptographic private keys are derived locally.
- We never receive your mnemonic or private messaging keys.
- If you lose your device and your mnemonic, we cannot recover your private chat keys or local history. That is intentional.
Core account data we hold
| Data | Why | How long |
|---|---|---|
| Buzzio ID | Route traffic to your account | Until account deletion |
| Account creation timestamp | Auth / account integrity | Until account deletion |
| Last sign-in timestamp | Auth / account integrity | Until account deletion |
| Public encryption key / prekey material | So others can encrypt only for you | Until account deletion / key rotation |
| FCM push token(s) | Deliver notifications | Overwritten on login changes; deleted on logout / account deletion |
| Optional profile fields you set | Nickname, username, description, photo, privacy settings, achievements, premium status | Until you change/remove them, they expire, or you delete your account |
What we do not require
- No personal phone number as identity
- No personal email as identity
- Auth may use a synthetic technical address derived from your Buzzio ID for Firebase Auth — not your real email inbox identity
We do not sell Buzzio ID or account data. Never.
4. WHERE “ZERO METADATA” APPLIES
“Zero metadata” is not a blanket claim for every Buzzio surface.
It applies to these private encrypted surfaces:
| Feature | Zero durable “who talks to whom” archive | Encryption model |
|---|---|---|
| 1-to-1 chat | Yes — once there are no undelivered messages left on our relay for that conversation | End-to-end (X3DH + Double Ratchet) |
| Whisper private chat | Yes — after the session expires and cleanup runs | End-to-end session crypto |
| End-to-end groups | Yes for message archives — no durable readable transcript of what was said | End-to-end sender-key style |
| Private calls | Yes for durable call history/recordings on our servers | Encrypted signaling + peer-to-peer WebRTC media |
What “zero metadata” means here
It means we do not keep a durable, searchable server-side conversation graph or readable private chat/call archive on those surfaces after delivery/expiry — beyond:
- momentary encrypted delivery traffic
- the limited account / safety / admin data listed in this policy
What it does not mean
It does not mean “Buzzio stores nothing anywhere.”
Features like Community, Broadcast, Stories, Whisper Questions, open-history groups, blocks, reports, optional pins, optional contact sync, and optional cloud backup store more by design so those features can work.
None of that data is sold. Never.
5. ONE-TO-ONE CHAT
How collection & delivery work
- Messages are end-to-end encrypted on your device before they leave it.
- Our servers act as a blind relay: they see encrypted blobs, not readable message text.
- While waiting for delivery, an encrypted envelope may temporarily include routing fields needed to deliver it (for example sender Buzzio ID, ciphertext, message type, sequence, and flags such as view-once / disappearing / secure-mode related flags).
- After the recipient’s device receives the message, the encrypted copy is removed from our relay.
- Your readable history lives in a locally encrypted database (SQLCipher) on your device — not as a cloud plaintext archive we can open.
Exact retention for undelivered relay traffic
- Undelivered 1-to-1 pending envelopes are safety-purged on a 3-day retention schedule.
- Stale undelivered traffic does not stay forever.
The key guarantee
If there are no undelivered messages left for a conversation on our relay, we do not retain a server-side record of who you are talking to for that chat.
Your conversation list and message contents remain on your device.
Privacy controls inside 1-to-1 chat
| Feature | What it does |
|---|---|
| Secure View | Mutual mode that strengthens protection against screenshots / screen recording while active. Pending Secure View requests expire (about 2 hours). |
| Secure Mode / vanish-style TTL after seen | Messages can be set to disappear after being seen on short TTLs (options from seconds up to hours). |
| Disappearing messages | Chat-level disappearing timers: 24 hours / 7 days / 90 days. |
| Once-view mode | Messages are designed to disappear shortly after seen (about 5 seconds) with stronger screenshot protection. |
| View-once media | Photos/videos open once, then are removed from the chat experience as designed. |
| Kept messages | Lets you exempt specific messages from disappearing behavior until unkept. This is a participant control signal — not a reason for us to store a readable cloud transcript. |
| Block | Stops contact. Block relationships may be enforced server-side (user_blocks) so the block works across sessions. Safety control only — not sold. |
| Report | You may submit limited evidence (typically the last 5 messages already on your device) so moderation can review abuse. Reports exist for safety, not advertising. Not sold. Report evidence may be retained until reviewed/handled (typically up to 90 days, or longer if needed for an active safety/legal matter). |
| Private device storage | Contacts, keys, and private chat history are stored in your device’s encrypted local database. |
Optional / exceptional 1-to-1 server records
These are not your full chat transcript, but can exist if you use the feature:
- Shared pins: limited pin metadata may include a short plaintext snippet (capped) so both sides can see the pin; pin durations include 24h / 7d / 30d.
- Blocks / reports: safety enforcement as above.
- Presence / last seen: optional online / last-seen signals with privacy allow-lists you control; stale presence is cleaned (about 24 hours for stale offline nodes).
Even where these exist: we do not sell them. Never.
6. WHISPER PRIVATE CHAT (QR ANONYMOUS SESSION)
Whisper private chat lets people start a time-limited, end-to-end encrypted conversation (often via QR) without building a permanent social graph of that chat on our servers.
Encryption
- Messages are end-to-end encrypted with a session key for that Whisper session.
- We treat Whisper private chat as a zero-metadata conversation surface for chat content and durable “who talked to whom” message history after expiry.
Session controls
- Duration presets typically range from 1 hour up to 168 hours (7 days).
- Optional vanish timers (for example seconds to hours).
- Optional screenshot restriction.
- Scan limits (for example up to 50 scans depending on settings).
What session setup may store (honest list)
To operate and expire the session, we may temporarily store operational fields such as:
- expiry time, scan count / max scans
- vanish / screenshot settings
- session status / name
- creator push token for notifications
- creator Buzzio ID (used so Cloud Functions / notifications can operate the session)
Message bodies remain end-to-end encrypted. Operational session fields exist to run and delete the session — not to build advertising profiles.
Deletion after expire
- When a Whisper private session expires, associated session data and relay paths are deleted from our servers (with safety cleanup jobs for expired/orphaned sessions).
- Local session messages/media are removed according to the session design.
We do not sell Whisper private chat data. Never.
7. WHISPER QUESTIONS
Whisper Questions is a separate feature from Whisper private chat. It is anonymous Q&A via links such as whisper.buzzio.dev.
Important: different privacy model
Whisper Questions is not end-to-end encrypted like Whisper private chat.
Answers must be stored so the link owner can read them.
What we store
| Data | Why |
|---|---|
| Question + answers (plaintext to the service that stores them for the owner) | Feature function |
| Owner Buzzio ID | Ownership |
| Link slug / template / status | Public link routing |
| Expiry timestamps | Auto-expire |
| Salted IP hash on answers / rate-limit docs | Abuse prevention (not your real IP stored in clear for profiling) |
| Reports / stop / delete actions | Safety |
Exact retention
- Free links: about 24 hours
- Link Pack (paid) links: about 15 days
- Expired links/answers are cleaned according to those windows
What we promise
- We do not sell Whisper Questions data. Never.
- We do not use answers to build advertising profiles.
- Owners can stop collecting, delete answers, and report abuse.
- Share/growth counters may be aggregated operationally; answer text is not sold to advertisers.
8. END-TO-END GROUPS
Message privacy
- Message bodies are end-to-end encrypted.
- Encrypted group delivery traffic is retained briefly for catch-up, then purged — E2E group message bucket retention is 5 days.
- We do not keep a durable readable transcript of what E2E group members said.
- Future joiners do not automatically receive old E2E history the way an open archive would.
Zero metadata vs membership
- Zero metadata here means: no durable private message archive / conversation transcript of content.
- Membership & roles are different: to run a group we know who is a member and who has admin powers. That is administration data, not a sold chat graph.
Group controls
| Feature | Meaning |
|---|---|
| Group password | Join can require a password (stored as a hash). |
| Superadmin | Highest control (manage admins, ownership transfer, critical controls). |
| Admin | Manage members/settings within permissions. |
| Add / remove member | Intentional membership administration. |
| Banned members | Safety / moderation state for the group. |
| Vanish mode | Messages disappear on devices per group vanish settings. |
| Secure view / screenshot protection | Strengthens protection against screenshots / recording in that group. |
| View-once media | Open once, then disappear from the chat experience. |
| Temporary groups | Can be time-limited (up to about 30 days / 720 hours depending on settings). |
We do not sell E2E group data. Never.
9. OPEN-HISTORY GROUPS
Some groups use open-history mode with a server-held encryption key (DEK) so:
- history can be available to members (including later joiners)
- shared media pool / storage features can work
Honest differences from E2E groups
- Open-history is not the same as end-to-end groups.
- Durable encrypted history is stored as required by the feature.
- Default history retention is on the order of 365 days, subject to plan / media-pool / boost limits (for example freemium media-pool style caps such as about 100 MB before boosts).
We still do not sell open-history group data. Never.
10. PRIVATE CALLS (VOICE & VIDEO)
- Call signaling (setup data) is encrypted and is not kept as a permanent call transcript.
- While ringing/connecting, short-lived signaling may include operational hints needed to fetch keys / route the call.
- Call media uses peer-to-peer WebRTC whenever possible.
- We do not record calls. We cannot play back your call audio/video from a Buzzio server archive.
- Call history you see in the app is stored locally on your device.
- We treat private calls as a zero durable call-metadata archive surface: no server-side call history/recordings of who called whom.
We do not sell call data. Never.
11. BROADCAST CHANNELS
Broadcast channels are one-to-many publishing feeds. They are not end-to-end encrypted like 1-to-1 / Whisper private / E2E groups. They use server-managed encryption so a public or invite-gated feed can work.
Public vs unpublic at creation
- When you create a channel, use the “Public channel” / discoverable toggle.
- Public (ON): discoverable/searchable so people can find and follow it.
- Unpublic / not public (OFF): not openly listed for everyone; access is limited to how the channel is shared and followed (admins / followers), not open search discovery.
Who can message
- Admins compose and post.
- Followers receive posts and can engage as allowed (for example reactions).
- Followers do not get free-for-all posting like a community chat unless permissions say otherwise.
Retention
- Broadcast history is retained for 30 days, then deleted.
Reactions
- Users can react with emoji.
- Public viewers may see anonymous tallies.
- To prevent duplicate spam voting, the server may keep per-user uniqueness records.
- That is product integrity data — not sold.
We do not sell broadcast data. Never.
12. COMMUNITY
Communities are shared spaces with roles, channels, media, and durable history.
They are not end-to-end encrypted like 1-to-1 chat. They use server-held encryption keys (DEK) so history, roles, and moderation work across members and devices.
How messages are stored
- Messages and media are stored in community infrastructure under the community encryption model.
- Default history retention is about 365 days, plus media-pool / plan limits.
- Supported content includes text, images, videos, GIFs, and stickers (permissions controlled by roles).
Deletion
- Members with permission can delete messages, including delete-for-everyone style controls where supported.
- Deleted messages are tombstoned / removed from active history according to community deletion design.
- Leaving or being removed ends your membership access; remaining members may still see community history under retention rules.
Reactions
- People can react to messages.
- Reactions may store who reacted (for example user id / display name + emoji) so the feature works.
- Not sold.
Roles & administrators
- Communities support role creation and administrator / privileged roles.
- Roles control sending text/media/GIF/sticker, reacting, pinning, moderating, and more.
- Role maps, member lists, bans, invites, password join hashes, channel vanish / screenshot settings, and audit-style privileged-action logs may be stored so moderation works.
Community metadata (honest list)
| Metadata | Why |
|---|---|
| Community profile / settings | Operate the space |
| Member list & roles | Permissions & admin tools |
| Messages & media (server-encrypted) | History & media features |
| Reactions | Reaction UI & uniqueness |
| Channel settings (vanish / screenshot protection / password) | Access & privacy controls |
| Bans, invites, moderation / audit logs | Safety & administration |
| Storage / media-pool usage | Enforce limits |
This is more metadata than private 1-to-1 E2E chat by design.
It is still not sold, not used for advertising profiles, and not shared with data brokers.
We do not sell community data. Never.
13. STORIES
- Stories are short-lived posts with about a 24-hour lifetime.
- Story media/metadata needed to deliver and show viewers is stored for that window, then cleaned up.
- Audience controls (for example contacts / privacy lists) determine who can see a story.
- If you enable optional contact sync (below), story privacy audiences can use synced contact sets.
We do not sell story data. Never.
14. PROFILE, USERNAME, PRESENCE & ACHIEVEMENTS
Depending on what you set, we may store:
- Nickname / display name
- @username (global username mapping to your Buzzio ID)
- Description / bio (with optional short TTLs you choose, for example hours to days)
- Profile photo (auto-deleted from our servers after about 7 days)
- Field-level privacy settings (who can see Buzzio ID, username, photo, description, last seen, group-add, etc.)
- Achievements you earn
- Premium / badge / subscription status fields needed to unlock features
Presence / last-seen can be limited by your privacy allow-lists.
We do not sell profile or achievement data. Never.
15. OPTIONAL CONTACT SYNC
By default, your contact nicknames live on your device.
If you opt in to contact sync (for features such as story audiences / cross-device contact convenience):
- we may store a
saved_contacts_sync-style map of contact IDs and nicknames on your account - this creates a server-side contact set only because you enabled it
- you can turn it off; synced data is for product function, not advertising
- turning it off stops new sync; previously synced entries are removed from our servers within a reasonable period (typically within 30 days, or sooner when account deletion runs)
Separately, limited mutual-messaging / visibility graphs may exist so profile privacy rules (who can see what) can work.
We do not sell contact lists. Never.
16. OPTIONAL ENCRYPTED CLOUD BACKUP
Buzzio may offer optional paid encrypted cloud backup.
- Backups are encrypted before upload.
- Recovery depends on keys/recovery material you control on your device.
- We store encrypted backup blobs so you can restore — we are not building a readable cloud chat panel for ourselves.
- If you never enable backup, private E2E chat bodies are not kept as a decryptable cloud archive by default.
We do not sell backups. Never.
17. MEDIA & FILES
- On E2E surfaces (1-to-1, Whisper private, E2E groups), media is encrypted before upload. E2E media relays typically expire quickly (about 24 hours for many E2E media uploads).
- Community / Broadcast / open-history / Stories media follow those features’ retention and media-pool rules.
- Group profile images for permanent groups may be cleaned on a longer schedule (about 20 days in cleanup jobs).
We do not sell media. Never.
18. PUSH NOTIFICATIONS
- We use Firebase Cloud Messaging (FCM) to wake your device.
- Notification payloads are designed to avoid exposing private message contents in the clear.
- Short-lived operational notification logs may be retained briefly for delivery reliability (about 7 days), then cleaned.
- Push tokens are delivery addresses — not sold.
19. SUBSCRIPTIONS, PREMIUM & LINK PACKS
- Payments are processed by Google Play and/or the Apple App Store.
- We receive verification that a purchase/subscription is active.
- We do not receive your card number or store checkout billing identity as a payment processor.
- Buzzio Premium and Whisper Questions Link Packs are separate purchase types.
- Entitlement status is linked to your Buzzio ID for feature unlocks.
We do not sell payment or subscription data. Never.
20. OPTIONAL BITCOIN WALLET
If you activate the optional wallet:
- It is non-custodial. We never hold your Bitcoin, seed, or wallet private keys.
- Wallet keys are derived locally on a separate BIP-84 path from messaging keys.
- Important: the wallet may use the same 12-word recovery phrase as your messaging identity. Anyone with that phrase can control both your messaging keys and your Bitcoin. Protect it carefully.
- Public blockchain APIs (for example Blockstream Esplora) and optional price APIs (for example CoinGecko) may be used to show balances/prices.
- If enabled, a public receive address may be visible to mutual contacts who also enabled the wallet, solely to send Bitcoin between contacts.
- Wallet activation has a higher age requirement in our Terms (18+).
Blockchain transactions are public by nature of Bitcoin. That is the network, not Buzzio selling data.
We do not sell wallet data. Never.
21. GIFS & STICKERS (GIPHY)
- GIF/sticker search may use GIPHY.
- Search queries and related request data may be processed by GIPHY under GIPHY’s own terms/privacy policy.
- This is for sticker/GIF features only — not a Buzzio sale of your private chats.
22. ANALYTICS, APP INTEGRITY & SECURITY TELEMETRY
What we use
- Firebase Analytics (Google) may collect app usage and reliability events (for example feature usage counts, session/engagement metrics, device/app version, crash-adjacent diagnostics as configured).
- We use this to understand delivery health, fix bugs, and keep Buzzio running — not to sell ads or build advertiser profiles of who you talk to.
- We may also collect anonymous / aggregate operational metrics (infrastructure cost, reliability).
- App Check / device integrity (for example Play Integrity / DeviceCheck) may be used to reduce abuse.
- Rate limits may temporarily store counters to stop spam (reports, Whisper Questions, push flooding, etc.).
What we do not do with analytics
- We do not run advertising networks that profile you to sell ads.
- We do not sell analytics. Never.
How to limit analytics
- Use your device OS privacy / ad / analytics controls where available.
- Uninstalling the app stops further app analytics from that install.
- Email app449377@gmail.com (subject: Privacy Request — Analytics) if you need help with a specific request.
- Exact Firebase Analytics configuration can change as we ship updates; material changes will be reflected in this policy.
23. LOCAL DEVICE STORAGE
On your device, Buzzio stores:
- encrypted message databases
- contacts / keys
- local call history
- settings and caches needed for the app
Uninstalling destroys local app data on that device. Losing the mnemonic means we cannot reconstruct your private keys.
24. WHAT WE ABSOLUTELY DO NOT DO
Across every feature:
- ❌ Sell your data — never
- ❌ Sell access to advertisers, data brokers, or “partners” for profiling
- ❌ “Share” personal information for cross-context behavioral advertising (CCPA/CPRA meaning)
- ❌ Build advertising profiles of who you are or who you talk to
- ❌ Require your personal phone number or personal email as identity
- ❌ Keep a default cloud backup of your E2E 1-to-1 chat bodies that we can decrypt
For private E2E surfaces (1-to-1, Whisper private, E2E groups, private calls), after delivery/session needs are done:
- ❌ No durable “who talks to whom” private chat graph left on the server when nothing remains undelivered / when the session expired
- ❌ No readable private message archive or call recording archive on our side
25. LAW ENFORCEMENT REQUESTS
What we can provide is limited to what we actually hold for that account/feature, for example:
- That a Buzzio ID exists
- Account creation / last sign-in timestamps
- Feature-specific records only if that feature was used and data is still within retention (for example community membership, broadcast posts within 30 days, Whisper Questions still within TTL, blocks/reports, undelivered encrypted envelopes still waiting, optional synced contacts if enabled, optional encrypted backup ciphertext if enabled)
For 1-to-1 chat with no undelivered messages, expired Whisper private sessions, E2E group message archives, and private call recordings: there is no readable private history for us to hand over, because we do not keep one.
We cannot decrypt E2E message bodies. Private keys stay on devices.
26. DATA DELETION & WHAT MAY REMAIN
How to delete
- Delete account in-app: removes core account records we control (Buzzio ID account doc fields, public keys, push tokens, and associated deletable server data).
- Email deletion request: app449377@gmail.com (subject: Privacy Request — Delete Account)
- Uninstall: destroys local encrypted database on that device.
Automatic cleanup examples
- 1-to-1 pending relay: 3 days
- E2E group buckets: 5 days
- Broadcast history: 30 days
- Community / open-history default history: 365 days
- Profile photos: 7 days
- Stories: 24 hours
- Whisper Questions: 24 hours free / 15 days Link Pack
- Whisper private sessions: deleted at expiry
- Notification logs: about 7 days
Feature controls (disappearing, once-view, vanish, delete-for-everyone, stop Whisper Questions, leave community) remove or limit data according to each design.
After account deletion — what we may still keep
We aim to delete account-linked data we control promptly (typically within 30 days of a verified deletion request). We may retain limited records when reasonably necessary for:
| Retention | Typical period | Why |
|---|---|---|
| Open abuse reports / enforcement records | Up to 90 days after closure (or longer if an active legal matter) | Safety & legal defense |
| Purchase / entitlement verification logs needed for store disputes | As required by Apple / Google or tax/accounting rules | Transactions |
| Aggregated, de-identified analytics | Ongoing (not tied to your Buzzio ID) | Product reliability |
| Backup ciphertext you paid for | Until you delete backup / account, then purged under cleanup jobs | Feature function |
Community/Broadcast content you posted may remain visible to other members under those features’ retention rules even after you leave, until that content ages out or is deleted by admins.
27. THIRD-PARTY SERVICES (SUBPROCESSORS)
| Service | Purpose | What they receive |
|---|---|---|
| Firebase (Auth, Firestore, RTDB, FCM, Storage, Functions, App Check, Remote Config, Analytics) | Backend, auth, relay, notifications, integrity, product metrics | Account/operational data required to run Buzzio; E2E bodies remain ciphertext where designed; Analytics events as configured |
| Cloudflare R2 / Workers (including history API surfaces such as history-api.buzzio.dev) | Durable history for applicable features | Feature-scoped encrypted/history objects under retention rules |
| Bunny storage/CDN | Media for community / open-history / broadcast / stories / backups | Feature-scoped media/backup objects |
| Google Play / Apple App Store | Payments & distribution | Purchase handling by the store; we get entitlement verification |
| GIPHY | GIF/sticker search | Search/request data per GIPHY’s policy |
| Blockstream Esplora (or similar) | Optional wallet chain data | Public blockchain queries if wallet enabled |
| CoinGecko (or similar) | Optional price reference | Price API requests if wallet UI needs fiat estimates |
We treat these providers as service providers / processors for running Buzzio — not as buyers of your data.
We do not use advertising networks or data brokers.
We do not sell data through any third party. Never.
A living subprocessor list may also be published at https://buzzio.dev or in SUBPROCESSORS.md in our project docs when updated.
28. PERMISSIONS & LOCATION
| Permission | Why | Can you deny it? |
|---|---|---|
| Camera | Photos/videos, QR scanning | Yes |
| Microphone | Voice notes & calls | Yes |
| Storage / Photos | Attach media | Yes |
| Location | Optional location sharing inside chat (you choose to send a location message) | Yes |
| Notifications | Alerts | Yes |
| Background execution | Receive while closed | Yes |
Location data (detail)
- Buzzio does not continuously track your GPS in the background for advertising.
- Location is used when you pick and send a location (lat/lng and optional address text) as a message.
- On E2E surfaces, that location payload is treated like other message content (encrypted to recipients). We do not keep a separate durable “location history” archive for private chats beyond normal message relay rules.
- On server-stored surfaces (for example Community), a location message follows that feature’s retention (for example ~365 days).
- Reverse-geocoding (address lookup) may use on-device or map/provider APIs as implemented in the app; deny Location to disable the feature.
Denying a permission disables the related feature. Permissions do not grant us readable copies of your E2E private chats.
29. CHILDREN'S PRIVACY
Buzzio is not directed at children under 13.
You must be at least 13 years of age to use Buzzio (see Terms).
We do not knowingly collect personal information from children under 13.
If we learn that a user is under 13, we will delete the account.
(Wallet features require 18+ under our Terms.)
If you believe a child under 13 has created an account, email app449377@gmail.com (subject: Privacy Request — Under 13).
30. LEGAL BASES (EEA / UK / SIMILAR LAWS)
Where the GDPR, UK GDPR, or similar laws apply, we process personal data on these bases:
| Processing | Typical legal basis |
|---|---|
| Creating and operating your account, delivering messages/calls, Premium entitlements | Contract (performance of the Terms) |
| Optional contact sync, optional cloud backup, certain device permissions | Consent (you can withdraw) |
| Firebase Analytics / reliability metrics, abuse prevention, App Check, rate limits, security | Legitimate interests (run a secure, reliable service) — balanced against your rights |
| Blocks, reports, enforcement, responding to lawful requests | Legitimate interests and/or legal obligation |
| Salty IP hashes on Whisper Questions | Legitimate interests (abuse prevention) |
You may object to processing based on legitimate interests where the law allows. Email app449377@gmail.com (subject: Privacy Request — Objection).
31. YOUR PRIVACY RIGHTS
Depending on where you live, you may have some or all of these rights:
| Right | What it means | How to exercise |
|---|---|---|
| Access | Ask what personal data we hold about you | Email app449377@gmail.com — subject Privacy Request — Access |
| Correction | Fix inaccurate account/profile data | Edit in-app where possible, or email Privacy Request — Correction |
| Deletion | Delete your account / request erasure | In-app account delete or email Privacy Request — Delete Account |
| Portability | Receive a copy of certain account data in a common format | Email Privacy Request — Export (we will provide what we reasonably can; E2E message bodies we cannot decrypt are not exportable from our servers) |
| Restrict / object | Limit certain processing | Email Privacy Request — Restrict or Objection |
| Withdraw consent | Turn off optional features you opted into | Disable in-app (contact sync, backup, permissions) or email us |
| Complaint | Lodge a complaint with a supervisory authority | Your local data-protection authority (EEA/UK) or equivalent |
We will respond within a reasonable period (typically 30 days, or sooner if local law requires). We may need to verify you control the Buzzio ID before fulfilling a request.
32. INTERNATIONAL DATA TRANSFERS
Buzzio uses cloud infrastructure that may process data in multiple regions, including the United States and other countries where our providers operate (for example Google Firebase / Google Cloud and Cloudflare).
When personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision:
- we rely on appropriate safeguards offered by our providers, such as the European Commission’s Standard Contractual Clauses (SCCs) (and UK equivalents where applicable), plus the technical measures in this policy (encryption, access limits, retention); and/or
- other lawful transfer mechanisms recognized under applicable law.
By using Buzzio you acknowledge that operational processing may occur on those systems. This acknowledgment is not a substitute for the safeguards above where law requires them.
33. CALIFORNIA PRIVACY RIGHTS (CCPA / CPRA)
If you are a California resident, you may have rights to:
- Know categories and specific pieces of personal information collected
- Delete personal information (subject to exceptions)
- Correct inaccurate personal information
- Opt out of sale or sharing of personal information
- Limit use of sensitive personal information (where applicable)
- Non-discrimination for exercising these rights
We do not sell personal information.
We do not share personal information for cross-context behavioral advertising.
To exercise California rights, email app449377@gmail.com with subject Privacy Request — California. You may use an authorized agent as permitted by law; we may require proof of authorization and identity verification.
Categories we may collect (depending on features you use) include identifiers (Buzzio ID, usernames), internet/network activity (usage events, IP hashes for abuse control), commercial information (subscription entitlement), geolocation (only if you send a location message), audio/visual content you upload, and inferences limited to product operation (not ad profiles).
34. COOKIES & SIMILAR TECHNOLOGIES (WEB)
Buzzio’s mobile app is not a traditional browser cookie environment. Our web surfaces (for example Whisper Questions at whisper.buzzio.dev) may use:
| Type | Examples | Purpose | Consent |
|---|---|---|---|
| Strictly necessary | Load balancing, security, rate-limit / salted IP hash processing, session needed to submit an answer | Make the page work and stop abuse | Allowed as essential |
| Preferences / analytics | If we add non-essential analytics or preference cookies later | Understand traffic or remember settings | We will ask for consent where required before setting them |
Today, Whisper Questions is designed around essential operation (fetch question, submit answer, abuse controls). We do not use advertising cookies.
How to control cookies: use your browser settings to block or delete cookies. Blocking essential storage may break the page. See also the short notice on the Whisper web page linking to this policy.
35. SECURITY MEASURES
We use technical and organizational measures appropriate to the sensitivity of the data, including:
- End-to-end encryption for private chat / Whisper private / E2E groups (we cannot read message bodies)
- Encryption in transit (TLS) for client–server connections
- Local encryption of private databases on device (SQLCipher) where designed
- Server-side encryption / access controls for Community, Broadcast, open-history, and similar features
- App Check / device integrity checks to reduce automated abuse
- Least-privilege access for operators and automated jobs
- Retention limits and cleanup jobs described in this policy
No method of transmission or storage is 100% secure. You remain responsible for protecting your device and mnemonic.
36. DATA BREACH NOTIFICATION
If we become aware of a personal-data breach that affects Buzzio users:
- We will investigate and contain the incident.
- Where legally required, we will notify the competent authority without undue delay (for GDPR, that is generally within 72 hours of becoming aware, where feasible).
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, via in-app notice and/or email where we have a contact path, describing what happened and steps you can take.
37. CHANGES TO THIS POLICY
- We may update this Privacy Policy from time to time.
- The Last Updated date at the top will change.
- For material changes (for example new categories of data, new advertising practices, or weaker privacy guarantees), we will provide in-app notice and, where appropriate, an additional prompt before continued use.
- We will not use a policy update to start selling your data.
Commitments that do not change without a clear, user-visible update:
- We do not sell your data — never.
- 1-to-1 chat, Whisper private chat, end-to-end groups, and private calls remain private-by-design surfaces with end-to-end / peer-to-peer protection and no durable zero-metadata private conversation archive after delivery / expiry.
- Where a feature needs more storage, we will keep describing that honestly — and still will not sell the data.
38. CONTACT
Questions about privacy, rights requests, or under-13 notices:
Email: app449377@gmail.com
Subject line examples: Privacy Request — Access / Delete / Export / California / Under 13
Website: https://buzzio.dev
39. PLAIN-LANGUAGE SUMMARY
- Buzzio is run by the Buzzio Team (unincorporated operator for now). Contact: app449377@gmail.com.
- Age: 13+ to use the app; wallet 18+.
- 1-to-1 chat: E2E; relay purged after delivery (3-day safety net); if no undelivered messages remain, we don’t have who you talk to.
- Whisper private: E2E; deleted after expiry.
- Whisper Questions: plaintext for the owner; salted IP hash for abuse; 24h / 15d; not sold.
- E2E groups: E2E messages (5-day relay buckets).
- Open-history / Community: server-held keys; longer history (~365 days); not sold.
- Broadcast: 30-day deletion.
- Calls: P2P media; no durable server call archive.
- Analytics: Firebase Analytics for product/reliability — not ads.
- Delete / export / rights: in-app delete or email Privacy Request.
- California: we do not sell or share for ads.
- Transfers: Firebase / Cloudflare and similar; SCCs/provider safeguards where required.
- Everywhere: we do not sell your data, and we never will.
This privacy policy is effective as of July 13, 2026.
© 2026 Buzzio. All rights reserved.