BeChat Privacy Policy
Last Updated: November 23, 2025
1. Introduction
BeChat ("we", "our", or "the app") is a privacy-focused messaging application that uses end-to-end encryption and post-quantum cryptography to protect your communications. This privacy policy explains how we collect, use, and protect your information.
We are committed to protecting your privacy and ensuring that your personal data is handled responsibly. This policy applies to all users of BeChat and describes our practices regarding data collection, use, and disclosure.
2. Data Collection
2.1 Information We Collect
- Account Information: Your unique PIN (generated during registration) and cryptographic keys. The PIN is used solely for identification and is not linked to any personal information.
- Messages: All messages are end-to-end encrypted and stored locally on your device. Encrypted message metadata (sender, recipient, timestamp) is stored on our servers for delivery purposes only.
- Contacts: Contact PINs you add are stored locally on your device. We do not have access to your contact list.
- Device Information: Device name, type, and fingerprint for authentication and security purposes. This helps prevent unauthorized access to your account.
- Usage Data: Last seen timestamp (optional), online status. This information is only shared with your contacts if you enable it.
- Media Files: Photos, videos, and audio files you choose to share are encrypted before transmission and stored encrypted on our servers until delivery.
2.2 Information We Do NOT Collect
- Personally identifiable information (name, email, phone number, address)
- Message content (we cannot read your encrypted messages)
- Location data (except when voluntarily shared in messages or for spam prevention)
- Analytics or tracking data
- Browsing history or app usage patterns
- Contact lists from your device
- Biometric data
3. Permissions Explained
3.1 Camera Permission
Why we need it: To allow you to take photos and videos to share in conversations.
How we use it: Camera access is only used when you explicitly choose to capture media within the app. We do not access your camera in the background, and we never record video or take photos without your explicit action.
You can revoke this permission: At any time through your device settings. The app will continue to function, but you won't be able to take new photos or videos.
3.2 Storage Permission (READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_AUDIO)
Why we need it: To allow you to select and share photos, videos, and audio files from your device.
How we use it: Storage access is only used when you choose to attach media to messages. All media is encrypted before transmission using AES-256-GCM encryption. We do not scan or index your media files.
You can revoke this permission: At any time through your device settings. You'll still be able to send text messages.
3.3 Location Permission (Optional)
Why we need it: For spam prevention when messaging non-contacts.
How we use it: Location is only requested when you send a first message to a non-contact. This helps prevent spam and abuse. The location data is not stored or shared with other users.
You can decline this permission: The app will function normally, but you may be subject to additional verification when messaging new contacts.
3.4 Internet Permission
Why we need it: To send and receive encrypted messages through our servers.
How we use it: All network communication is encrypted using TLS 1.3. We use this permission only for message delivery and synchronization.
3.5 Notification Permission
Why we need it: To notify you of new messages when the app is not in the foreground.
How we use it: We only send notifications for new messages. Notification content does not include message text for privacy reasons.
4. How We Use Your Information
- Message Delivery: Encrypted messages are transmitted through our servers but cannot be read by us. We only route encrypted data between devices.
- Authentication: Your device credentials authenticate you with our servers using cryptographic challenge-response protocols.
- Presence: Your online/last seen status is shared with your contacts (if enabled). You can disable this feature at any time.
- Spam Prevention: Location data from first messages helps prevent abuse and spam. This data is not stored long-term.
- Account Management: Device information is used to manage your account and prevent unauthorized access.
- Service Improvement: We may use anonymized, aggregated data to improve our service, but never in a way that identifies you.
5. Data Security
We implement industry-leading security measures to protect your data:
- End-to-End Encryption: All messages are encrypted on your device using post-quantum cryptography (ML-KEM-768, ML-DSA-65) and AES-256-GCM. Only you and your recipient can decrypt messages.
- Local Storage: Messages are stored encrypted in your device's local database. We never have access to your local data.
- Zero Knowledge: Our servers cannot decrypt your messages or media. We use a zero-knowledge architecture where encryption keys never leave your device.
- Secure Media: Photos and videos are encrypted with AES-256-GCM before upload. Media files are deleted from our servers after successful delivery.
- Perfect Forward Secrecy: Session keys rotate automatically, ensuring that past messages remain secure even if current keys are compromised.
- Secure Authentication: We use PASETO tokens (more secure than JWT) for authentication. Tokens expire after 15 minutes and can be refreshed securely.
- Transport Security: All data in transit is protected with TLS 1.3 encryption.
- Server Security: Our servers are regularly updated and monitored for security vulnerabilities.
6. Data Sharing
We do NOT:
- Sell your data to third parties
- Share your data with advertisers
- Use your data for marketing purposes
- Access or read your encrypted messages
- Share your data with government agencies unless required by law (see Legal Compliance section)
- Use third-party analytics or tracking services
We only share encrypted message metadata with:
- Our servers: For message routing and delivery (encrypted in transit). Our servers cannot decrypt message content.
- Your contacts: Online status and read receipts (if enabled). You can disable these features.
6.1 Third-Party Services
BeChat does not use third-party analytics, advertising, or tracking services. We may use third-party infrastructure providers (such as cloud hosting) for server operations, but these providers do not have access to your encrypted data.
7. Data Retention
- Messages: Stored locally on your device until you delete them. We do not have access to your local message storage.
- Server Data: Encrypted messages are deleted from servers after successful delivery. Message metadata (sender, recipient, timestamp) may be retained for up to 90 days for delivery confirmation and troubleshooting.
- Account Data: Retained while your account is active. When you deactivate your account, all associated data is deleted within 30 days.
- Media Files: Encrypted media files are deleted from our servers after successful delivery to all recipients.
- Logs: Server logs are retained for up to 30 days for security and troubleshooting purposes. Logs do not contain message content.
8. Your Rights
You have the right to:
- Access: Request a copy of the data we have about you (limited to metadata, as we cannot access message content)
- Deletion: Delete your messages and conversations at any time. Deactivate your account to delete all associated data.
- Correction: Update your account information and device settings
- Control: Control your online status visibility, read receipts, and notification preferences
- Block: Block unwanted contacts
- Report: Report abusive messages or users
- Data Portability: Export your messages (stored locally on your device)
- Withdraw Consent: Revoke permissions at any time through your device settings
To exercise these rights, contact us at privacy@betweet.eu.
9. Children's Privacy
BeChat is not intended for users under 13 years of age (or the minimum age in your jurisdiction). We do not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at privacy@betweet.eu and we will delete the information.
10. International Data Transfers
Your data may be processed and stored on servers located outside your country of residence. We ensure that appropriate safeguards are in place to protect your data in accordance with this privacy policy and applicable data protection laws.
11. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Updating the "Last Updated" date at the top of this policy
- Posting a notice in the app (for significant changes)
- Sending an email notification (for major changes)
Your continued use of BeChat after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this privacy policy or our data practices, please contact us at:
Email: privacy@betweet.eu
Support: support@betweet.eu
We will respond to your inquiry within 30 days.
13. Legal Compliance
BeChat complies with:
- General Data Protection Regulation (GDPR): We comply with EU data protection laws, including the right to access, rectification, erasure, and data portability.
- California Consumer Privacy Act (CCPA): California residents have the right to know what personal information we collect, request deletion, and opt out of sale (we do not sell data).
- Google Play Store policies: We comply with all Google Play Store privacy and security requirements.
- Apple App Store policies: We comply with all Apple App Store privacy and security requirements.
If you are located in the European Economic Area (EEA), you have additional rights under GDPR. Please contact us to exercise these rights.
14. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of discovering the breach
- Notify relevant data protection authorities as required by law
- Provide details about the nature of the breach and steps we're taking to address it
- Recommend steps you can take to protect yourself
Note: Due to our zero-knowledge architecture, even in the event of a server breach, attackers would not be able to decrypt your messages.