Privacy Policy

1. Introduction

Shottly ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("Shottly" or the "App") and related services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Services.

2. Information We Collect

2.1 Information You Provide

• Display Name: The username you choose when registering. Usernames are visible to users you chat with.
• Display Name: The friendly name shown in chats. You may update it at any time in settings.
• Photos and Videos: Text messages, photos, videos, voice recordings, and files you send through the App. Content is stored on our servers and delivered to intended recipients.
• Voice Recordings: Audio recorded when you send a voice message. Stored on our servers as part of your conversation history.
• Reactions and Comments: Emoji reactions to messages and votes in polls you participate in.

2.2 Information Collected Automatically

• Device Identifier: Authentication tokens (JWTs) are generated upon login and stored locally on your device. These expire after 30 days and are used solely to authenticate your requests to our servers.
• Typing Indicators: A temporary presence signal stored for 5 seconds in edge cache when you are typing. This is never persisted to a database.
• Timestamps: Date and time of messages, reactions, and media uploads.

2.3 Information We Do NOT Collect

• We do not collect your real name, email address, phone number, or any government-issued identification.
• We do not collect your real name, email address, phone number, or government-issued identification beyond what you voluntarily provide as a display name.
• We do not collect location data, GPS coordinates, or IP-based geolocation.
• We do not use cookies, tracking pixels, or advertising identifiers.
• We do not access your device contacts, call logs, SMS, or browsing history.
• We do not collect analytics data or usage statistics.

3. How We Use Your Information

We use the information we collect solely for the following purposes:

• Service Delivery: To operate and maintain the core functionality of the App, including real-time messaging, snap delivery, voice message playback, and group chat management.
• Content Distribution: To deliver messages, snaps, voice recordings, files, and poll results to the intended recipients.
• Notification Delivery: To send push notifications about new messages, reactions, polls, and mentions.
• Service Improvement: To identify and fix technical issues and improve the reliability of our Services.

We do not use your information for advertising, profiling, marketing, or any purpose unrelated to providing the Services.

4. Data Storage and Security

4.1 Storage Infrastructure

Your data is stored on Cloudflare's global edge network using Cloudflare Workers KV, a distributed key-value storage system. Cloudflare maintains SOC 2 Type II compliance and employs industry-standard security measures including encryption at rest and in transit.

4.2 Data Encryption

• All data transmitted between the App and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Data stored on our servers is encrypted at rest using AES-256 encryption.
• Connection passwords (when set) are used for access control but are stored in hashed form.

4.3 Local Storage

The App stores minimal data locally on your device, including your authentication token (JWT), cached messages for offline access, draft messages, and user preferences (theme, language). This data is stored using the device's secure storage mechanisms and is not accessible to other applications.

4.4 Security Measures

While we implement commercially reasonable security measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

5. Data Sharing and Disclosure

5.1 Within Connections

Media content you share is visible to all members of the connection in which it was shared. Your display name is visible to other members of your connections.

5.2 Third-Party Service Providers

We use the following third-party service providers:

• Cloudflare: Infrastructure hosting, content delivery, and data storage. Cloudflare processes data as a data processor under their Privacy Policy.

5.3 Legal Requirements

We may disclose your information if required to do so by law, or in the good faith belief that such action is necessary to:

• Comply with a legal obligation or lawful government request.
• Protect and defend our rights or property.
• Prevent or investigate possible wrongdoing in connection with the Services.
• Protect the personal safety of users of the Services or the public.

5.4 No Sale of Data

We do not sell, trade, rent, or otherwise transfer your personal information to third parties for commercial purposes, and we never will.

6. Data Retention

We retain your data as follows:

• Media Content: Messages, snaps, and media are stored on our servers until you or a group admin deletes them. Disappearing messages are automatically deleted after the timer you set expires.
• Account Data: Your username, display name, and preferences are retained while your account is active. You may delete your account at any time from Settings.
• Reactions and Comments: Retained as part of message history. Deleted when the message or conversation is deleted.

We do not retain data longer than necessary to provide the Services.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: You can view all content shared within your connections through the App.
• Deletion: You can delete specific media you have shared. Connection administrators can delete entire connections, which removes all associated data.
• Data Portability: You can save shared media to your device directly from the App.
• Withdrawal of Consent: You may stop using the Services at any time. Uninstalling the App removes all locally stored data.

7.1 GDPR Rights (European Economic Area)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, and data portability. Our legal basis for processing is your consent (provided by using the Services) and legitimate interest (providing and improving the Services).

7.2 CCPA Rights (California)

If you are a California resident, you have the right under the California Consumer Privacy Act (CCPA) to know what personal information we collect, request deletion of your data, and opt out of any sale of personal information. As stated above, we do not sell your personal information.

8. Children's Privacy

Our Services are not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at the email address below.

9. International Data Transfers

Our Services are hosted on Cloudflare's global edge network, which means your data may be processed in data centers located outside your country of residence. Cloudflare participates in and has certified compliance with the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses (SCCs) for international data transfers.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify users of any material changes by updating the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

• Email: contact@Shottly.app

We will respond to your inquiry within 30 days.