VantaChat ("the App", "we", "us", or "our") is developed and operated by Finnovant. We are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
By using VantaChat, you agree to the practices described in this policy. If you do not agree, please do not use the App.
Developer: Finnovant
Website: https://finnovant.com/
Privacy Contact: bbezuidenhout@finnovant.com
Jurisdiction: We operate globally. This policy applies to all users worldwide.
VantaChat is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete that information promptly.
Users in jurisdictions where the minimum age for digital consent is higher (e.g. 16 in certain EU member states) must meet their local minimum age requirement.
| Data | Purpose | Required? |
|---|---|---|
| Username | Unique account identifier | Yes |
| Display Name | Shown to contacts | Yes |
| About / Status | Optional personal bio | No |
| Profile Picture | Shown to contacts | No |
We do not collect your phone number, email address, date of birth, or payment information at any point.
When you create an account, the App generates an ECDH (Elliptic Curve Diffie-Hellman) key pair on your device using the secp256r1 curve. Your private key never leaves your device and is stored in the Android KeyStore (hardware-backed where available). Your public key is uploaded to our servers solely to allow contacts to send you encrypted messages.
A recovery hash derived from a BIP39 mnemonic seed phrase is stored on the server to support account recovery. The seed phrase itself is only ever shown to you and is never transmitted.
All messages are end-to-end encrypted on your device before being sent. Direct messages use AES-256-GCM with keys derived via ECDH. Group messages use a shared AES-256 group key, distributed via individual ECDH-encrypted handshakes.
Temporary relay only. Encrypted message payloads are stored on our relay server only until the recipient's device acknowledges delivery. Once delivered, the message is permanently deleted from our servers. We cannot read the content of any message at any time.
Media files (images, videos, documents) are uploaded encrypted to our secure storage and referenced within the encrypted message payload. Access to media requires the encryption key held only by the intended recipient.
Message metadata (delivery status, timestamps) may be processed to facilitate delivery.
Calls are peer-to-peer (P2P). Both one-to-one and group voice and video calls are established directly between participants' devices using WebRTC. Audio and video streams do not pass through or touch any media server — they travel directly between devices. We cannot intercept, record, or store any call content.
Call signaling (connection setup such as SDP and ICE candidates) passes through our servers briefly to establish the direct connection. This signaling data is transient and not retained after the call is connected. A Google STUN server is used for NAT traversal to help devices find each other on the network.
We use Firebase Cloud Messaging (FCM) by Google to deliver push notifications. Your FCM token is stored on our servers and updated automatically when it changes. Notification payloads do not include message content — only a generic indicator that a new event is waiting. Notifications are only delivered from users in your contact list.
We do not use analytics SDKs, advertising SDKs, or third-party crash-reporting services.
The following is stored on your device and is never accessible to us:
We use the information described above only to:
We do not sell, rent, or trade your personal information. We do not use your data for advertising or profiling. Ever.
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Message relay and delivery | Performance of contract |
| Push notifications | Consent |
| Security and abuse prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Firebase Cloud Messaging | Google LLC | Push notifications | FCM token, notification metadata |
| S3-Compatible Storage | StorageChain | Encrypted media storage | Encrypted media files, profile pictures |
| Google STUN | Google LLC | P2P call NAT traversal | IP addresses during call setup only |
We share only what is strictly necessary with each provider. We do not use advertising networks, analytics platforms, or third-party crash-reporting services.
| Data Type | Retention Period |
|---|---|
| Encrypted message payloads | Deleted from our servers immediately upon confirmed delivery to the recipient's device |
| Account data (profile, public key) | Until account deletion |
| Media files | Until deleted by the user or upon account deletion |
| FCM tokens | While account is active; deleted on account deletion |
| Call signaling data | Transient — discarded after call connection is established |
| Server access logs | Limited period for security and abuse prevention only |
| Local device data | On device until you clear app data or delete your account |
You can permanently delete your account at any time from Settings → Account → Delete Account.
Upon deletion:
Account deletion is permanent and irreversible. Your account cannot be recovered after deletion, even using your seed phrase.
Despite these measures, no system is 100% secure. We encourage you to use a strong PIN and keep your seed phrase in a safe place.
Depending on your location, you may have the following rights regarding your personal data:
| Right | How to Exercise |
|---|---|
| Access — obtain a copy of your data | Contact us by email |
| Correction — correct inaccurate data | Update in-app or contact us |
| Deletion — erase your account and data | Settings → Account → Delete Account, or contact us |
| Restriction / Objection — restrict or object to processing | Contact us by email |
| Withdraw Consent — withdraw where consent is the basis | Contact us by email |
We will respond to all requests within 30 days.
EU/EEA Users (GDPR): You have the right to lodge a complaint with your local data protection supervisory authority.
California Users (CCPA): You have the right to know, delete, and opt-out of the sale of personal information. We do not sell personal information.
Finnovant operates globally. Your data may be processed and stored in countries outside your own, including countries that may not have the same data protection laws as your country of residence. Where required, we apply appropriate safeguards (such as standard contractual clauses) to protect your data during international transfers.
| Permission | Purpose |
|---|---|
| RECORD_AUDIO | Microphone access for voice and group calls |
| CAMERA | Camera access for video calls |
| INTERNET | Required for all app functionality |
| ACCESS_NETWORK_STATE | Check network connectivity |
| POST_NOTIFICATIONS | Display push notifications |
| FOREGROUND_SERVICE | Maintain active call in background |
| USE_FULL_SCREEN_INTENT | Show incoming call screen |
| WAKE_LOCK | Keep device awake during active calls |
| VIBRATE | Haptic feedback for notifications |
| SYSTEM_ALERT_WINDOW | Display call overlay UI |
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or via a notice on our website. The "Last Updated" date at the top of this policy reflects the most recent revision. Continued use of the App after changes constitutes acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out:
Website: https://finnovant.com/
Email: bbezuidenhout@finnovant.com
We aim to respond within 30 days of receiving your request.