Privacy Policy

Last updated: March 2026

1. Overview

This privacy policy explains what personal data is collected when you use the Voidcom website (voidcom.app) and the Voidcom desktop application, and how that data is processed. We take your privacy seriously and process personal data only in accordance with the European General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Responsible party

The responsible party (data controller) within the meaning of the GDPR is:
Maximilian Tschauder
max@frisson.social

See the Imprint for full contact details.

3. Hosting

The Voidcom website is hosted on Cloudflare Pages. When you visit this website, Cloudflare may process your IP address, browser type, operating system, referrer URL, and the time of your request. This processing is necessary for delivering the website to you and is based on our legitimate interest (Art. 6(1)(f) GDPR).

Cloudflare is a US-based company. Data transfers to the US are covered by the EU-US Data Privacy Framework. For more information, see Cloudflare's Privacy Policy.

4. Data we collect on the website

a) Newsletter subscription

When you subscribe to our newsletter, we collect your email address. We use a double opt-in process: after entering your email, you will receive a confirmation email. Your subscription is only activated once you click the confirmation link. We store your email address, confirmation status, and subscription date.

Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by using the unsubscribe link in any newsletter email. Upon unsubscription, your data is immediately and permanently deleted from our systems.

Newsletter emails are sent via Proton Mail (Proton AG, Switzerland). Switzerland has been granted an adequacy decision by the European Commission, ensuring an adequate level of data protection.

b) Beta application

When you apply for the beta program, we collect your email address, username, and optionally a reason for joining. This data is stored to process your application.

Legal basis: Consent (Art. 6(1)(a) GDPR). Beta applications that are not approved are deleted after 6 months.

c) Server log files

Cloudflare automatically collects and stores information in server log files that your browser transmits when visiting the website:

  • IP address (anonymized)
  • Date and time of the request
  • Requested URL
  • Browser type and version
  • Operating system
  • Referrer URL

This data is not combined with other data sources. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

d) Local storage

This website stores your theme preference (light or dark mode) in your browser's local storage. This is not personal data, is never sent to our servers, and is used solely to remember your display preference.

5. Data we collect in the Voidcom application

a) Account data

When you create a Voidcom account, we store your email address, username, and a securely hashed password (using Argon2id — we never store your password in plain text).

Legal basis: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the service.

b) Messages

Messages in server text channels are stored on our servers to provide the chat functionality. Direct messages (DMs) are end-to-end encrypted — the server only stores encrypted ciphertext and cannot read the content of your private conversations.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

c) Voice and video

Voice and video data is transmitted in real-time only. It is forwarded through our servers to other participants but is never recorded or stored. Voice and video streams are protected by transport encryption.

d) Server membership, channels, and roles

We store your server memberships, channel access, and assigned roles to provide the community functionality.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

e) Friend list and presence

Your friend relationships are stored to enable direct messaging and friend features. Online/offline presence status is ephemeral and is not persisted — it is only visible while you are connected.

f) File attachments

Files you upload are stored in object storage and linked to your account. You can delete your uploaded files at any time.

g) Session data

When you log in, a session token (JWT) and refresh token are generated. These are stored on your device and validated server-side. They are automatically invalidated when you log out or when they expire.

6. Analytics

We use Cloudflare Web Analytics on the website to understand how visitors use our site. Cloudflare Web Analytics is a privacy-first analytics service that:

  • Does not use cookies
  • Does not track individual users across sites
  • Does not collect personal data
  • Collects only aggregated, anonymized metrics (page views, referrers, countries, browser/OS types)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). No consent banner is required because no personal data or cookies are involved.

7. External resources

All fonts and icons used on this website are self-hosted. No external resources are loaded from third-party servers when you visit our website. Your browser does not connect to Google, Adobe, or any other font or asset provider.

8. Cookies

This website does not set any cookies. No first-party or third-party cookies are used for tracking, analytics, or any other purpose.

9. Data storage and transfers

  • Website data (newsletter subscribers, beta applications) is stored in Cloudflare D1, a database service by Cloudflare Inc. Data transfers to the US are covered by the EU-US Data Privacy Framework.
  • Application data (accounts, messages, files) is stored on servers hosted by Hetzner Online GmbH in Nürnberg, Germany. Your data remains within the European Union.
  • Newsletter emails are sent via Proton Mail (Proton AG, Switzerland), which benefits from the EU adequacy decision for Switzerland.
  • Analytics data is processed by Cloudflare Web Analytics (Cloudflare Inc., EU-US DPF). No personal data is collected.

10. Data retention

  • Beta applications: Deleted 6 months after submission if not approved.
  • Newsletter subscribers: Data is deleted immediately upon unsubscribe.
  • App user accounts: Retained until you request account deletion.
  • Messages: Retained until the channel or server is deleted, or you request erasure.
  • Voice and video: Not stored — real-time transmission only.

11. Minimum age

Voidcom is intended for users aged 16 or older. If you are under 16, you may only use the service with the consent of a parent or legal guardian, in accordance with Art. 8 GDPR and § 2 TTDSG.

12. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You can request information about your stored personal data.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data.
  • Right to restriction (Art. 18 GDPR) — You can request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — You can request your data in a machine-readable format.
  • Right to object (Art. 21 GDPR) — You can object to the processing of your data.
  • Right to withdraw consent (Art. 7(3) GDPR) — You can withdraw consent at any time (e.g., unsubscribe from the newsletter). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — You can file a complaint with a supervisory authority.

To exercise any of these rights, contact us at max@frisson.social.

The competent supervisory authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
www.baden-wuerttemberg.datenschutz.de

13. Data security

We implement the following security measures to protect your data:

  • All connections are encrypted using HTTPS/TLS.
  • Passwords are hashed with Argon2id (a memory-hard algorithm resistant to brute-force attacks).
  • Direct messages are end-to-end encrypted using XChaCha20-Poly1305 with X25519 key exchange.
  • Cloudflare provides DDoS protection and a Web Application Firewall (WAF).
  • Voice and video are protected by transport encryption (QUIC/TLS).

14. Changes to this policy

We may update this privacy policy from time to time. The current version is always available at /privacy/. The "Last updated" date at the top of this page indicates when the policy was last revised.