Privacy Policy

Effective Date: November 2025

Entity: Sryptos Labs (“Sryptos”, “we”, “our”, or “us”)

1. Introduction

Your privacy is at the heart of everything we build. Sryptos is a secure, anonymous, and privacy-first communication platform designed to give you full control of your data.

This Privacy Policy explains how we collect, use, store, and protect information when you use Sryptos (the “Service”, “App”, or “Platform”).

By using Sryptos, you consent to the practices described here. If you do not agree, please stop using the Service.

2. Our Core Privacy Principles

  • End-to-End Encryption by Default – Your messages, voice, and video calls are encrypted on your device before transmission.
  • Minimal Data Collection – We store only the information required for the Service to function.
  • Local Ownership – Chat history and encryption keys stay on your device.
  • Transparency & Control – You may view, export, or delete your data at any time.
  • No Forced Identity – You can chat instantly as a Guest without sharing personal details.
  • Auto-Deletion – Media and temporary data are routinely deleted to reduce risk.

3. Information We Collect

Sryptos limits data collection to operational necessity and lawful bases under Article 6 of the GDPR.

3.1 Information You Provide

  • Username or Display Name – Used to identify you within chats.
  • Linked Account Information (Optional) – If you choose to link a Google or other account, we store only your unique ID and display name for login.
  • Contact or Support Messages – When you contact us (e.g., via email), we keep the correspondence for support and legal purposes.

3.2 Information Automatically Processed

  • Temporary Device Metadata – Device type, browser version, IP region (not precise address), and connection timestamps to maintain service reliability.
  • Crash or Performance Logs – Anonymous analytics solely for debugging.
  • Presence Data – Online/offline status and typing indicators, stored ephemerally in real time.

3.3 Guest Accounts

When you click “Guest Login”:

  • A random identifier and encryption keypair are created locally on your device.
  • Sryptos temporarily stores a guest session token valid for 24 hours.
  • No email, phone number, or personal identifiers are collected.
  • After expiration, guest data is permanently deleted from Sryptos servers.

4. Information We Do Not Collect

We do not collect, store, or have access to:

  • Message content or file attachments in plaintext
  • Your contacts, address book, or GPS location
  • Advertising identifiers or trackers
  • Biometric or sensitive demographic data

Sryptos does not sell, rent, or trade user data under any circumstance.

5. Use of Information

We process limited information for the following purposes:

  • Service Delivery – To authenticate sessions, route encrypted messages, and manage device connections.
  • Security & Abuse Prevention – To detect anomalies or abuse (e.g., spam, DDoS) while respecting encryption boundaries.
  • Feature Improvement – To enhance performance, fix bugs, and add new capabilities.
  • Legal Compliance – To fulfill obligations under applicable laws, including GDPR and digital services regulations.

We never use your data for targeted advertising or behavioral profiling.

6. End-to-End Encryption and Security Modes

Sryptos provides selectable encryption modes to balance security and convenience:

6.1 End-to-End Encryption (E2EE) Mode

This is the default and most secure mode. It uses the browser's built-in Web Crypto API to perform Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-GCM for authenticated message encryption. Keys never leave your device, meaning chat history does not sync across multiple devices.

6.2 Synced AES-256 Mode

For users who need multi-device access, this mode uses AES-GCM with a key derived from a master key. This allows chat history to be securely synced and read across devices logged into the same account. While highly secure, it relies on a central (but still user-controlled) key.

6.3 Voice & Video Calls

Voice and video calls always use WebRTC, which has mandatory, built-in encryption (DTLS-SRTP). Call data travels directly between participants (peer-to-peer) and does not pass through our servers.

7. Data Storage & Retention

7.1 Local Storage

Messages, media, and keys are stored in your device’s local database (IndexedDB or equivalent). You control when to clear or back up this data.

7.2 Server Storage (Ephemeral)

To deliver messages, Sryptos briefly stores encrypted data packets:

  • Undelivered messages for up to 30 days
  • Media files (images, videos, voice notes) for up to 30 days

After expiration or successful delivery, all items are automatically deleted.

7.3 Account Expiration

  • Guest sessions: deleted automatically after 24 hours.
  • Inactive permanent accounts: may be purged after 12 months of inactivity (with prior notice).

7.4 Backups

If you enable encrypted backups to your personal Google Drive, the backup file remains under your control in your "appDataFolder," which is private to Sryptos. We cannot decrypt or access these files.

8. Data Deletion & User Control

You may:

  • Delete conversations or media directly in the app.
  • Delete your entire account under Settings → Data Management → Delete All My Data.
  • Request erasure of server-side data via privacy@sryptos.com.

When deleted:

  • All delivery-pending messages and metadata are permanently erased.
  • Deletion requests are processed within 30 days in accordance with GDPR Article 17 (Right to Erasure).

9. Data Portability & Access

Under GDPR Articles 15 & 20, you may:

  • Request a copy of personal data we hold (typically limited metadata).
  • Export your encrypted chats locally before deletion.

To exercise these rights, email privacy@sryptos.com with the subject “Data Access Request”.

10. Legal Bases for Processing

We process data only when one of the following applies:

  • Consent – You have given explicit permission (e.g., linking an account).
  • Performance of Contract – Necessary to deliver the chat service.
  • Legitimate Interest – To maintain security and prevent abuse.
  • Legal Obligation – To comply with court orders or applicable regulations.

We rely primarily on consent and legitimate interest, consistent with Article 6(1)(a) and (f) GDPR.

11. Sharing & Disclosure

Sryptos does not share personal data except:

  • With your consent, such as linking a Google account.
  • For lawful requests, when compelled by valid legal order under due process.
  • With service providers strictly limited to infrastructure (e.g., hosting, push notifications), bound by data-processing agreements ensuring GDPR compliance.

We never sell or commercially distribute user data.

12. International Data Transfers

Sryptos operates servers in multiple regions for performance and redundancy. If data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and
  • Encryption so that no personal data is exposed in readable form.

13. Data Security

We implement multiple layers of protection:

  • TLS 1.3 for transport security
  • AES-GCM for encryption at rest and in transit
  • Secure key generation via Web Crypto
  • Regular penetration testing and vulnerability disclosure program
  • Strict access controls for system administrators

Despite robust measures, no system is completely immune to risk. Users are encouraged to maintain secure devices and up-to-date software.

14. Cookies & Local Storage

Sryptos is a cookie-free Progressive Web App. We use local storage only to maintain encrypted session data and user preferences. No third-party tracking cookies or analytics scripts are deployed.

15. Children’s Privacy

Sryptos is not directed toward children under 16 years of age. We do not knowingly collect personal data from minors. If we learn that a child has used the service without consent, we will delete associated data promptly.

16. User Communications & Support

If you contact our team, your email and message content will be retained only as long as necessary to resolve your inquiry, after which it is securely deleted.

17. Data Breach Notification

In the unlikely event of a data breach affecting personal data, we will:

  • Notify affected users and supervisory authorities within 72 hours, as required by Article 33 GDPR.
  • Provide details on the scope, impact, and mitigation steps.
  • Cooperate fully with regulatory bodies.

Due to end-to-end encryption, breach exposure is expected to be minimal.

18. Your Rights under the GDPR

If you are located in the EU, EEA, or UK, you have the following rights:

Right | Description
Access | Obtain a copy of your personal data.
Rectification | Correct inaccurate or incomplete data.
Erasure (“Right to be Forgotten”) | Request deletion of your personal data.
Restriction | Limit processing in certain cases.
Portability | Receive your data in a structured, machine-readable format.
Objection | Object to processing based on legitimate interests.
Withdraw Consent | Revoke consent at any time.

To exercise these rights, email privacy@sryptos.com. We may need to verify your identity before responding.

19. Data Retention Schedule (Summary)

Data Type | Retention Period | Storage Location
Guest session | 24 hours | Server (ephemeral)
Delivered messages | Until user deletion | Device (local)
Undelivered messages | Up to 30 days | Encrypted server buffer
Media (images, video, voice) | Up to 30 days | Encrypted server buffer
Support emails | Up to 6 months | Secure email archive
Linked account metadata | Until unlinking or account deletion | Server
Logs / analytics | Up to 14 days | Aggregated, anonymized

20. Suspension or Termination of Account

Sryptos may temporarily suspend or permanently terminate accounts that:

  • Violate our Terms of Service or applicable law,
  • Engage in abuse, spam, or illegal activity, or
  • Pose a threat to the Service’s security or integrity.

Before termination, we generally attempt to notify users unless prohibited by law. Upon termination, all related data is deleted following the retention schedule.

Users may also close their account voluntarily at any time; deletion is final and irreversible.

21. Changes to This Privacy Policy

We may update this Policy periodically to reflect new features, laws, or operational changes. Revisions will be posted on our website with the updated effective date. Material changes may be communicated in-app or by notice on our homepage.

Continued use of the Service after changes constitutes acceptance of the new Policy.

22. Governing Law & Jurisdiction

This Policy is governed by the laws of the European Union and interpreted in accordance with the General Data Protection Regulation (EU 2016/679). Where applicable, local consumer or privacy laws of your jurisdiction also apply. Disputes will be subject to the competent courts within the European Union, unless otherwise required by local law.

23. Contact Information

For privacy inquiries, requests, or complaints, please contact us:

  • Sryptos Labs
  • Email: privacy@sryptos.com
  • Security: security@sryptos.com
  • Support: support@sryptos.com

You may also lodge a complaint with your local Data Protection Authority if you believe your rights have been violated.

24. Summary for Users (Plain Language)

  • We don’t read or store your chats — they’re encrypted end-to-end.
  • You can use Sryptos completely anonymously as a Guest.
  • We collect only what’s needed to run the service.
  • You control your data: export, back up, or delete anytime.
  • Media auto-deletes after 30 days to protect privacy.
  • We comply fully with EU GDPR and international privacy standards.

© 2025 Sryptos. All rights reserved. A product of BHK Vision Labs.