Privacy Policy
Effective date: 2026-05-06 · Version: 2026-05-06
Draft notice. Specific items below (DPO contact, exact retention periods, list of sub-processors) need to be confirmed by the operator and reviewed by counsel before going live. GDPR violations carry fines of up to EUR 20 million or 4 % of worldwide turnover — this policy must be accurate.
1. Who is responsible for your data?
The data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) is the operator of 2chat. Full identification is in the Legal Notice. You can contact us at platzhalter@platzhalter.com.
We have not appointed a Data Protection Officer (DPO); however, you can address any data-protection question to the contact address above. The competent supervisory authority is the data protection authority of the EU Member State where the operator is established (see Legal Notice). You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence under Article 77 GDPR.
2. What data we process & why
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Account | Discord ID, username, avatar URL, email | Operate the service, link your sessions | Art. 6(1)(b) — performance of a contract |
| Live audio & video | WebRTC peer-to-peer streams | Real-time chat — relayed peer-to-peer, never recorded by us | Art. 6(1)(b) |
| Report-triggered safety captures | Single JPEG of your local feed, captured only when you have been reported or staff is investigating ongoing harm in your room. No background sampling, no audio. | Verifying user complaints under our Community Guidelines | Art. 6(1)(f) — legitimate interest in user safety, accepted as a condition of use under Terms §7; Art. 21 right to object reviewable case-by-case (no per-user opt-out, since an opt-out would defeat the safety purpose) |
| Reports | Reason, optional note, screenshot | Investigate complaints (DSA Art. 16) | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest in safety |
| Payments | Stripe session ID, amount, frame purchased | Process purchases, comply with tax/accounting law | Art. 6(1)(b) + Art. 6(1)(c) |
| Age & parental | Date of birth, parent email if minor | Verify eligibility, comply with DSA Art. 28 | Art. 6(1)(c) + Art. 8 (children) |
| Logs & consents | Acceptance timestamps, IP, user-agent | Demonstrate compliance | Art. 6(1)(c) — accountability |
3. Retention
- Account data — for the lifetime of your account; deleted within 30 days of an account-deletion request, unless retention is required by law.
- Live audio/video — not retained by us; relayed peer-to-peer.
- Moderation snapshots — deleted at most one hour after capture (an automated job runs every 15 minutes).
- Reports & their evidence — up to 2 years after resolution, then anonymised.
- Payment records — up to 10 years to comply with applicable EU and national tax / accounting retention obligations.
- Consent records — for the lifetime of the account plus 3 years.
4. Sub-processors
We rely on the following processors. They are bound by data processing agreements; full details are available on request.
- Supabase, Inc. — database, auth, storage, realtime. EU region (Frankfurt). DPA available at supabase.com/legal/dpa.
- Stripe Payments Europe, Limited — payment processing.
- Discord, Inc. — OAuth identity provider for sign-in.
- Vercel Inc. — web application hosting.
5. International transfers
Some sub-processors are based in the United States (Stripe, Discord, Vercel). Transfers are protected by the EU–US Data Privacy Framework or by Standard Contractual Clauses adopted by the European Commission, as applicable. You can request copies of these safeguards at the contact address above.
6. Your rights
You have the right to:
- request access to your personal data (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased (Art. 17 — “right to be forgotten”);
- restrict processing (Art. 18);
- data portability (Art. 20) — you can download your full account data from the Settings tab;
- object to processing based on legitimate interest (Art. 21);
- withdraw any consent you have given, at any time, without affecting the lawfulness of processing before the withdrawal;
- lodge a complaint with your local EU data protection authority (see Section 1).
To exercise these rights, contact platzhalter@platzhalter.com. We respond within 30 days.
7. Automated decision-making
We do not use any fully automated decision-making with legal or similarly significant effects. Bans and warnings are decided by human moderators reviewing reports.
8. Children
2chat is restricted to users 14 years and older. For users under 18 we collect a parental contact email and may require verification before unlocking full access. We never knowingly collect personal data from anyone under 14. If you believe a user under 14 has registered, please contact us immediately and we will remove the account.
9. Security
We protect your data with encryption in transit (HTTPS, WebRTC’s DTLS-SRTP) and at rest, role-based access control, audit logs, and regular dependency updates. No system is perfectly secure; in the unlikely event of a personal data breach affecting your rights and freedoms we will notify you and the competent supervisory authority as required by Art. 33–34 GDPR.
10. Changes
We may update this policy. The current version and effective date appear at the top. Material changes will be highlighted in the app.