Features Technology Compare Pricing
Gaming & eSports
Privacy
Communities
Blog Download

Privacy Policy

Last updated: April 2026

1. Overview

This privacy policy explains what personal data is collected when you use the Voidcom website (voidcom.app) and the Voidcom desktop application, and how that data is processed. We take your privacy seriously and process personal data only in accordance with the European General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Responsible party

The responsible party (data controller) within the meaning of the GDPR is:
Maximilian Tschauder
max@frisson.social

See the Imprint for full contact details.

3. Hosting

The Voidcom website and application are hosted by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). When you visit this website, our server may process your IP address, browser type, operating system, referrer URL, and the time of your request. This processing is necessary for delivering the website to you and is based on our legitimate interest (Art. 6(1)(f) GDPR).

All data is stored on servers located in Germany. A data processing agreement (Auftragsverarbeitungsvertrag) is in place with Hetzner. For more information, see Hetzner's Privacy Policy.

4. Content Delivery Network

We use Bunny CDN (BunnyWay d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia) as a content delivery network to optimize loading times and provide DDoS protection. When you access our website, your request is routed through Bunny CDN's edge servers. Bunny CDN may process your IP address (anonymized by default) and HTTP request metadata.

BunnyWay d.o.o. is an EU-based company — no international data transfer is involved. A data processing agreement is in place. For more information, see Bunny CDN's Privacy Policy.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

5. Data we collect on the website

a) Newsletter subscription

When you subscribe to our newsletter, we collect your email address. We use a double opt-in process: after entering your email, you will receive a confirmation email. Your subscription is only activated once you click the confirmation link. We store your email address, confirmation status, and subscription date.

Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by using the unsubscribe link in any newsletter email. Upon unsubscription, your data is immediately and permanently deleted from our systems.

Newsletter emails are sent via Proton Mail (Proton AG, Switzerland). Switzerland has been granted an adequacy decision by the European Commission, ensuring an adequate level of data protection.

b) Beta application

When you apply for the beta program, we collect your email address, username, and optionally your country and a reason for joining. This data is stored to process your application, to notify you about its status, and to plan server regions.

Legal basis: Consent (Art. 6(1)(a) GDPR). Beta applications that are not approved are deleted after 6 months.

c) Server log files

Our server automatically collects and stores information in server log files that your browser transmits when visiting the website:

  • IP address (anonymized)
  • Date and time of the request
  • Requested URL
  • Browser type and version
  • Operating system
  • Referrer URL

This data is not combined with other data sources and is automatically deleted after 7 days. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

d) Interactive chat demo

The website features an interactive chat demonstration that uses artificial intelligence to generate responses. When you type a message in the chat demo, your message text is sent to our server, which forwards it to the Mistral AI API (Mistral AI, 15 rue des Halles, 75001 Paris, France) to generate a response.

Data processed: Only the message text you type into the chat demo is transmitted. No personal data, IP address, or account information is sent to Mistral AI by us — the request is proxied through our server.

Data retention by Mistral AI: Mistral AI may retain API inputs and outputs for up to 30 days on a rolling basis for abuse monitoring purposes. Your data is not used to train Mistral AI's models (we use the paid Scale plan, which excludes training usage). For details, see Mistral AI's Privacy Policy and their Data Processing Addendum.

Processing location: Mistral AI is an EU-based company headquartered in France. For their API platform (La Plateforme), Mistral AI uses the following sub-processors relevant to API request processing:

  • Microsoft Inc. — Cloud infrastructure (Sweden, Norway)
  • CoreWeave — Inference provider (EEA)
  • Kong Inc. — API security (EEA)

Data processing occurs within the European Economic Area. The full and current list of Mistral AI's sub-processors is available at trust.mistral.ai/subprocessors. Standard Contractual Clauses (SCCs) are in place for any non-EU transfers.

Rate limiting: The chat demo is rate-limited to 10 requests per minute per visitor. When the limit is reached, pre-written fallback responses are shown instead of contacting the Mistral AI API.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — the interactive demo serves to demonstrate the application's functionality to prospective users. You can choose not to use the chat demo; it is entirely optional and no data is sent unless you actively type and submit a message.

e) Local storage

This website stores your theme preference (light or dark mode) in your browser's local storage. This is not personal data, is never sent to our servers, and is used solely to remember your display preference.

6. Data we collect in the Voidcom application

a) Account data

When you create a Voidcom account, we store your email address, username, and a securely hashed password (using Argon2id — we never store your password in plain text).

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the service.

b) Messages

Messages in server text channels are stored on our servers to provide the chat functionality. Direct messages (DMs) are end-to-end encrypted — the server only stores encrypted ciphertext and cannot read the content of your private conversations.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

c) Voice and video

Voice and video data is transmitted in real-time only. It is forwarded through our servers to other participants but is never recorded or stored. Voice and video streams are end-to-end encrypted with per-channel keys — the server forwards opaque packets it cannot decrypt.

d) Server membership, channels, and roles

We store your server memberships, channel access, and assigned roles to provide the community functionality.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

e) Friend list and presence

Your friend relationships are stored to enable direct messaging and friend features. Online/offline presence status is ephemeral and is not persisted — it is only visible while you are connected.

f) File attachments

Files you upload are stored in object storage and linked to your account. You can delete your uploaded files at any time.

g) Session data

When you log in, a session token (JWT) and refresh token are generated. These are stored on your device and validated server-side. They are automatically invalidated when you log out or when they expire.

h) Crash reporting and error tracking

The Voidcom server uses Bugsink, a self-hosted error tracking service, to collect crash reports and error logs. The desktop and mobile application only sends crash reports during the beta phase to help us identify and fix bugs before the stable release. Bugsink runs on our own infrastructure in Germany — no data is sent to any third-party error tracking provider.

When an error occurs, the following data may be collected:

  • Error message and stack trace
  • Operating system and runtime version
  • Application version

Crash reports do not contain message content, passwords, encryption keys, or other user-generated content. They are used solely to identify and fix software bugs.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — maintaining application stability and quickly resolving defects that affect our users.

7. Analytics

We use Plausible Analytics, self-hosted on our own infrastructure in Germany, to understand how visitors use our site. Plausible is a privacy-first analytics tool that:

  • Does not use cookies
  • Does not track individual users across sites
  • Does not collect or store personal data
  • Does not store IP addresses (hashed with a daily-rotating salt, then discarded)
  • Collects only aggregated, anonymized metrics (page views, referrers, countries, browser/OS types)

Because Plausible is self-hosted, no data is transmitted to any third party. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). No consent banner is required because no personal data or cookies are involved (TDDDG § 25).

8. External resources

All fonts and icons used on this website are self-hosted. No external resources are loaded from third-party servers when you visit our website. Your browser does not connect to Google, Adobe, or any other font or asset provider.

The only external service contacted from our server (not from your browser) is the Mistral AI API, and only when you actively submit a message in the interactive chat demo. See section 5d for details.

9. Cookies

This website does not set any cookies. No first-party or third-party cookies are used for tracking, analytics, or any other purpose.

10. Data storage and transfers

  • Website and application data (newsletter subscribers, beta applications, accounts, messages, files) is stored on servers hosted by Hetzner Online GmbH in Germany. Your data remains within the European Union.
  • Content delivery is provided by Bunny CDN (BunnyWay d.o.o., Slovenia). IP addresses are anonymized by default. No data leaves the EU.
  • Analytics are processed by self-hosted Plausible Analytics on our own servers in Germany. No personal data is collected or transferred.
  • Newsletter emails are sent via Proton Mail (Proton AG, Switzerland), which benefits from the EU adequacy decision for Switzerland.
  • Interactive chat demo messages are processed by Mistral AI (15 rue des Halles, 75001 Paris, France). Mistral AI is an EU-based company. A data processing addendum is in place. API data is retained for up to 30 days for abuse monitoring and is not used for model training.
  • Crash reports are processed by a self-hosted Bugsink instance on our own Hetzner servers in Germany. No error tracking data is sent to any third party. Your data remains within the European Union.

11. Data retention

  • Beta applications: Deleted 6 months after submission if not approved.
  • Newsletter subscribers: Data is deleted immediately upon unsubscribe.
  • App user accounts: Retained until you request account deletion.
  • Messages: Retained until the channel or server is deleted, or you request erasure.
  • Server log files: Automatically deleted after 7 days.
  • Voice and video: Not stored — real-time transmission only.
  • Chat demo messages: Not stored on our servers. Mistral AI may retain inputs and outputs for up to 30 rolling days for abuse monitoring.
  • Crash reports: Retained for up to 90 days, then automatically deleted.

12. Minimum age

Voidcom is intended for users aged 16 or older. If you are under 16, you may only use the service with the consent of a parent or legal guardian, in accordance with Art. 8 GDPR and TDDDG § 25.

13. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You can request information about your stored personal data.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data.
  • Right to restriction (Art. 18 GDPR) — You can request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — You can request your data in a machine-readable format.
  • Right to object (Art. 21 GDPR) — You can object to the processing of your data.
  • Right to withdraw consent (Art. 7(3) GDPR) — You can withdraw consent at any time (e.g., unsubscribe from the newsletter). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — You can file a complaint with a supervisory authority.

To exercise any of these rights, contact us at max@frisson.social.

The competent supervisory authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
www.baden-wuerttemberg.datenschutz.de

14. Data security

We implement the following security measures to protect your data:

  • All connections are encrypted using HTTPS/TLS.
  • Passwords are hashed with Argon2id (a memory-hard algorithm resistant to brute-force attacks).
  • Direct messages are end-to-end encrypted using XChaCha20-Poly1305 with hybrid X25519 + ML-KEM-768 key exchange (post-quantum secure, BSI TR-02102-1 compliant).
  • Bunny CDN provides DDoS protection and edge caching.
  • Voice calls are end-to-end encrypted with per-channel keys (XChaCha20-Poly1305). The server forwards opaque packets it cannot decrypt.

15. Changes to this policy

We may update this privacy policy from time to time. The current version is always available at /privacy/. The "Last updated" date at the top of this page indicates when the policy was last revised.