Privacy Policy
Last updated: March 4, 2026 · Version 2.0.0
1. Who We Are & Our Promise
Bedrock Chat is built and operated by Bedrock AI Systems. We are a privacy-first communication platform designed for families, gamers, and communities who believe private conversations should stay private.
Our promise, in concrete terms:
- No government IDs or facial scans — ever
- No behavioral advertising or ad profiles
- No selling or sharing your data with advertisers
- No third-party analytics services (Google Analytics, Mixpanel, etc.)
- No tracking pixels or cross-site surveillance
- No audio or video recordings of voice calls
- Anonymous analytics only, with opt-out at any time
- Family monitoring that is always transparent to the teen
If you have questions about this policy, contact us at privacy@bedrock-chat.com or our Data Protection Officer at dpo@bedrock-chat.com.
2. What We Collect & Exactly How We See It
This is the centerpiece of our policy. Every type of data we collect is described below as a “card” so you can see exactly what we know, why, and for how long.
ACCOUNT INFORMATION
What we store: Username, email address, password (hashed — we cannot read it), display name, avatar, bio, account type (standard, parent, or teen), date of birth (for COPPA compliance on teen accounts only)
Why: To operate your account and authenticate you
How long: While your account is active. Deleted within 30 days of account deletion
Your control: Edit in Settings, export via Data Export, or delete your account at any time
Legal basis (GDPR): Contractual necessity (Art. 6(1)(b))
MESSAGES & CONTENT
What we store: Text messages, file uploads (10MB limit), emoji reactions, message edits and deletions
Why: To deliver your messages to recipients and store conversation history
How long: Until you delete them or delete your account
Your control: Delete individual messages, delete your account (cascading delete of all messages)
Encryption status: Messages are encrypted in transit (TLS 1.3) and at rest (database encryption). We have built an end-to-end encryption library (ECDH key exchange + AES-256-GCM) and are actively working to integrate it into the message pipeline. Currently, messages are not yet end-to-end encrypted between users: message content is available in plaintext to our backend and, as our processor, to our database provider (see Section 4). We will update this policy when E2E encryption is deployed.
Legal basis (GDPR): Contractual necessity (Art. 6(1)(b))
VOICE & VIDEO CALL METADATA
What we store: Who was in the call, start/end timestamps, duration, whether video or screen sharing was used (yes/no — not the content)
What we DO NOT store: Audio recordings, video recordings, transcriptions, or summaries of what was said. This is enforced by configuration, not just by policy: our voice infrastructure (LiveKit WebRTC) runs in real-time streaming mode with recording disabled.
Why: Safety oversight for family accounts (who talked to whom, not what was said) and service reliability
How long: 90 days
Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) — safety and service reliability
ANONYMOUS ANALYTICS
What we see: A number next to a label. Example: “Channel joins today: 847”
What we DO NOT see: Who joined, when exactly, from where, or any identifying information
Data collected: Anonymized page paths (IDs stripped), feature usage categories, performance metrics (page load times, error rates), session duration patterns, device category (mobile/tablet/desktop from viewport width only), viewport bucket (sm/md/lg/xl), browser family (no version), OS family (no version)
Session token: A random UUID generated fresh for each browser session and stored in sessionStorage only. When you close the tab, it is gone; nothing ties one session to another or to your account.
Why: To know which features are being used and where errors happen so we can improve the app
How long: Raw events auto-deleted after 30 days. Only statistical aggregates survive (e.g., “47 sessions visited Settings on Feb 15” — no individual data)
Who sees it: Bedrock development team only. Never shared with third parties. Stored exclusively in our own database.
Your control: Opt out anytime in Settings → Privacy & Analytics. No penalty, no reduced functionality.
Age protections:
- Under 13: Analytics completely disabled. No events, no session tokens, no collection of any kind.
- Ages 13–15: Only anonymized page views. No feature tracking.
- 16 and up: Standard anonymous collection with opt-out.
Third parties: None. All analytics are self-hosted. No Google Analytics, Mixpanel, Amplitude, Hotjar, or any other external service.
Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)). No personal data is processed. You can opt out at any time.
BUG REPORTS
What we store: Your description of the problem, the page you were on, device type, browser family, OS family, recent app errors from your session
Anonymous by default: We don't know who submitted bug reports unless you toggle “Attach my account” (OFF by default)
PII scrubbing: Before storing a description we automatically scan it for accidentally included email addresses, phone numbers, and SSNs and remove them. This scan is pattern-based and best-effort, so please do not include personal details in a report.
How long: Until resolved, then archived for 12 months
Legal basis (GDPR): Consent (Art. 6(1)(a)) — you choose to submit
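The scrubbing step above, as an added example that is not Bedrock Chat's code: a pattern-based pass over a constructed bug-report description that redacts e-mail addresses, North American phone numbers and US SSNs and returns per-category counts instead of the removed values. The patterns and the replacement markers are assumptions.

```javascript
'use strict';
// Added example, not Bedrock Chat's code: best-effort removal of e-mail
// addresses, phone numbers and US SSNs from free text before it is stored.
// The patterns and replacement markers are assumptions. Regex scrubbing is a
// safety net, not a guarantee: text no pattern matches is stored as typed,
// which is why anonymous submission stays the default.

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 000-00-0000 with separators required, so an unbroken nine-digit number such
// as a build id is left alone.
const SSN = /\b\d{3}[- ]\d{2}[- ]\d{4}\b/g;
// North American numbers with optional +1, parentheses and separators. Any
// unbroken ten-digit number also matches, which errs toward over-redaction.
const PHONE = /(?:\+?1[\s.-]?)?\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g;

// Returns the scrubbed text plus per-category counts, so the stored report can
// record that redaction happened without recording what was redacted. SSNs go
// first (a phone pattern must not eat half of one), e-mails before phones (so
// digits inside an address are never mistaken for a number).
function scrubPii(text) {
  const counts = { ssn: 0, email: 0, phone: 0 };
  const redact = (re, name) => (s) =>
    s.replace(re, () => { counts[name] += 1; return `[${name} removed]`; });
  const scrubbed = [redact(SSN, 'ssn'), redact(EMAIL, 'email'), redact(PHONE, 'phone')]
    .reduce((s, step) => step(s), text);
  return { text: scrubbed, counts };
}

// Constructed sample report, not a real submission.
const SAMPLE_REPORT =
  'Upload fails for me (alice.smith@example.com) - call me at (555) 010-0200 or +1 555.010.0201. My SSN is 123-45-6789, sorry!';

console.log(scrubPii(SAMPLE_REPORT));
```

Two design points worth keeping: the function never returns or logs the matched values, only counts, so the scrubber itself cannot become a place where PII accumulates; and the phone pattern deliberately over-matches (a bare ten-digit timestamp is redacted too), because losing a digit string from a bug report is cheaper than storing a phone number.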
COOKIES & LOCAL STORAGE
Cookies (2 total):
| Cookie | Purpose | Duration | Essential? |
|---|---|---|---|
| sb-*-auth-token | Authentication session | Session or 30 days (Remember Me) | Yes |
| privacy-mode | GPC/DNT signal detected | 1 year | Yes |
localStorage (preferences, cleared on logout):
| Key | Purpose |
|---|---|
| bedrock-auth | Auth state (profile, lockout) |
| bedrock-server | Selected server/channel |
| bedrock-ui | Theme, sidebar states |
| bedrock-consent | Cookie consent choices |
| bedrock-settings | Appearance & accessibility |
| bedrock-favorites | Channel favorites |
| bedrock-remember-me | Login persistence preference |
| bedrock-family | Family account state |
sessionStorage (cleared when the tab closes):
bedrock_analytics_session — Random UUID for anonymous analytics
IndexedDB:
bedrock-keys — Encrypted private keys for future E2E encryption (ECDH P-256, protected by AES-GCM with a password-derived key)
Rejecting non-essential cookies does not break any core functionality. See our Cookie Policy for details.
FAMILY MONITORING DATA
What we store: Parent-teen relationship records, monitoring level settings, transparency log of all parent actions, keyword alert configurations, server/friend approval decisions
Transparency guarantee: Every action a parent takes is logged in a transparency log that the teen can see in real time. This is enforced at the database level by a constraint, so hidden monitoring cannot be introduced by a change to application code alone.
How long: While the Family Account is active
Legal basis (GDPR): Parental consent (COPPA) and legitimate interest (child safety, Art. 6(1)(f))
PUSH NOTIFICATIONS
What we store: Push subscription endpoint, encryption keys (p256dh, auth), user agent string
Why: To deliver notifications when the app is in the background
Your control: Requires explicit Notification permission. Unsubscribe anytime in browser settings or app settings.
Legal basis (GDPR): Consent (Art. 6(1)(a))
CONTENT REPORTS
What we store: Reporter identity, reported content snapshot (preserved even if original is deleted), report type (CSAM, harassment, spam, hate speech, violence, self-harm, impersonation), resolution status
Why: To enforce community safety rules and comply with mandatory reporting obligations (18 U.S.C. §2258A for CSAM)
CSAM reports: Automatically escalated. We are legally required to report suspected CSAM to the National Center for Missing & Exploited Children (NCMEC).
Legal basis (GDPR): Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f))
3. What We NEVER Collect
- Government IDs or biometrics — no facial scans, fingerprints, or government-issued identification
- Audio or video recordings — voice calls store metadata only (timestamps, participants). No audio is recorded, transcribed, or summarized.
- IP addresses — never stored. Your IP is used only as a transient rate-limit key to prevent abuse, kept only for as long as the rate-limit window requires, and never written to any database table, log, or analytics record. (The infrastructure providers listed in Section 4 necessarily see your IP while serving your requests.)
- Device fingerprints — no canvas fingerprinting, no audio fingerprinting, no user-agent sniffing for tracking purposes
- Browsing history outside our platform
- Behavioral advertising profiles — we do not build profiles about you and never will
- Third-party tracker data — no advertising pixels, no cross-site tracking scripts, no hidden surveillance
- Your real name unless you choose to provide it as your display name
- Your phone number unless you choose to provide it for future 2FA
4. Third-Party Services
We use a small number of infrastructure providers. No third-party advertising or analytics services are used. Here is every third-party service that processes your data:
- Supabase — Database, authentication, real-time messaging, and file storage. They process your account data, messages, and uploaded files on our behalf. Supabase Privacy Policy
- LiveKit — Voice and video call infrastructure (WebRTC). They route your audio/video streams in real-time but do not record or store them. They receive your user identity and room name for the duration of a call. LiveKit Privacy Policy
- Vercel — Application hosting and CDN. They serve our web application. We do not use Vercel Analytics or Vercel Speed Insights. Vercel Privacy Policy
Our long-term goal is to migrate to fully self-hosted infrastructure. We will update this policy as we make progress on that migration.
Data Processing Agreements: We are in the process of executing formal DPAs with each provider to ensure GDPR-compliant data processing terms are contractually binding.
5. Family Accounts & Parental Monitoring
Family Accounts let parents oversee their teen's safety while respecting teen privacy. Unlike platforms that secretly scan everything, our monitoring is completely transparent.
5.1 Four Monitoring Levels
- Minimal (Level 1): Parent can see server list and friend list only. No message access.
- Moderate (Level 2): Parent can also see message counts, online time, and view messages on request.
- Supervised (Level 3): Adds AI content flags, plus server joins and friend requests require parental approval.
- Restricted (Level 4): Whitelist-only communication. Adds keyword alerts, time limits, and real-time activity monitoring. Friend requests also require approval.
5.2 Transparency Guarantee
Teens can always see what their parents are monitoring:
- Every parent action (viewing messages, checking friends, changing settings) is logged in a transparency log visible to the teen in real-time
- A non-dismissible monitoring badge is visible to the teen at all times in the app
- Friends chatting with a monitored teen see a badge indicating monitoring is active
- This transparency is enforced at the database level, not only in application code, so monitoring cannot be silently switched off by a code change
5.3 COPPA Compliance for Under-13 Users
- Users under 13 must have a parent create their account through a Family Account
- Parental consent is collected with timestamp, method, and policy version recorded
- Parents can review, export, or delete their child's data at any time
- Parents can refuse further data collection (by deleting the account)
- Analytics is completely disabled for under-13 users — no events, no session tokens, no collection of any kind
- No behavioral advertising is served to any users, including minors
- No data is shared with third parties for commercial purposes
To exercise COPPA rights, email privacy@bedrock-chat.com from the parent account's email address. We will respond within 72 hours.
6. Your Rights
6.1 Everyone
- Right to know what data we have about you
- Right to export your data in machine-readable format (JSON) via Data Export
- Right to delete your account and all associated data
- Right to opt out of anonymous analytics at any time in Settings → Privacy & Analytics
6.2 GDPR Rights (EU/UK Residents)
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate data via Settings
- Right to erasure (Art. 17): Delete your data (“right to be forgotten”)
- Right to data portability (Art. 20): Receive your data in JSON format
- Right to object (Art. 21): Opt out of analytics processing
- Right to withdraw consent: At any time, without affecting prior processing
- Right to lodge a complaint: With your local supervisory authority
6.3 CCPA/CPRA Rights (California Residents)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share your data
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
We honor Global Privacy Control (GPC) signals automatically. If your browser sends a GPC signal, we disable non-essential data collection. We also honor Do Not Track (DNT) signals.
Note: Anonymous analytics session tokens are not “personal information” under CCPA because they cannot be reasonably linked to any consumer or household.
6.4 COPPA Rights (Users Under 13)
- Parental right to review all collected information
- Parental right to delete all collected information
- Parental right to refuse further collection
To exercise these rights: visit Data Export, Privacy Settings, or email privacy@bedrock-chat.com.
7. Data Security
- Encryption in transit: All data transmitted over TLS/HTTPS
- Encryption at rest: Database-level encryption via Supabase
- End-to-end encryption: We have built an E2E encryption library using ECDH P-256 key exchange and AES-256-GCM. Integration into the message pipeline is in active development. Messages are not yet end-to-end encrypted.
- Security headers: HSTS, Content Security Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (microphone/camera self-only)
- Password security: Passwords hashed with bcrypt. 8+ character requirement with uppercase, lowercase, and number. Account lockout after 5 failed attempts (15 minutes).
- Rate limiting: All API endpoints have rate limits to prevent abuse
- Row-Level Security: All 30+ database tables have RLS policies so that each user can access only the rows they are authorized to see (their own data and the servers and channels they belong to)
- Multi-factor authentication: Planned but not yet implemented. We will update this policy when MFA is available.
7.1 Breach Notification
In the event of a data breach affecting your personal data:
- GDPR: We will notify the relevant supervisory authority within 72 hours and affected users without undue delay
- COPPA: We will notify parents of affected minor users as expeditiously as possible
- State laws: We will comply with applicable state breach notification laws
8. Data Retention Schedule
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | While active + 30 days after deletion | Cascading database delete + auth user removal |
| Messages | Until user deletes or account deletion | Cascading database delete |
| Voice call metadata | 90 days | Automated purge |
| Analytics raw events | 30 days | Nightly automated purge |
| Analytics aggregates | Indefinite (no PII) | N/A — contains no personal data |
| Bug reports | Until resolved + 12 months | Manual archive and deletion |
| Content reports | As required by law | Per legal retention requirements |
| Family monitoring logs | While Family Account active | Cascading delete on family dissolution |
| Push subscriptions | Until unsubscribed or expired | Automatic cleanup on expired endpoints |
| File uploads | Until user deletes or account deletion | Storage bucket cleanup |
9. International Data Transfers
Your data may be processed in the United States where our infrastructure providers (Supabase, Vercel, LiveKit) maintain servers. For EU/UK users, we ensure appropriate safeguards are in place for international data transfers in compliance with GDPR Chapter V requirements.
We are in the process of documenting Standard Contractual Clauses (SCCs) with our data processors to formalize these transfer mechanisms.
10. How We Use Your Information
- Provide, maintain, and improve the Bedrock Chat service
- Authenticate and secure your account
- Deliver your messages and enable voice/video calls
- Enable family safety features (when Family Account is active)
- Detect and prevent abuse, spam, and security threats
- Understand anonymous usage patterns to prioritize features and fix bugs
- Respond to support requests and bug reports
- Comply with legal obligations (including mandatory CSAM reporting)
We do not use your data for advertising, behavioral profiling, AI model training, or selling to third parties.
11. Changes to This Policy
When we update this Privacy Policy:
- We update the version number and “Last updated” date at the top
- Our consent management system will re-prompt you to review the new version
- For material changes, we provide at least 30 days notice via email or in-app notification
- Parents of minor users are notified separately via their parent account email
12. Contact & Complaints
We are real people, and we read our email.
- Privacy questions: privacy@bedrock-chat.com
- Data Protection Officer: dpo@bedrock-chat.com
- General support: support@bedrockchat.com
Response SLA: We acknowledge privacy requests within 72 hours and resolve them within 30 days.
GDPR: You have the right to lodge a complaint with your local supervisory authority if you believe your rights have been violated.
CCPA: You may also file a complaint with the California Attorney General.
Bedrock AI Systems — Privacy-first communication for families.
Legal counsel review recommended before publishing. This policy reflects actual codebase behavior as of the date above.