VChat App
by Rare Infoway Private Limited
Privacy Policy
Governing law: Republic of India — Digital Personal Data Protection Act, 2023 (DPDPA 2023) & Information Technology Act, 2000
Our Apps
This Privacy Policy applies to VChat. Rare Infoway also publishes the following mobile applications:
VChat
Messaging & real-time communication
ZamZam
Digital platform for Zambia
1. Who We Are
Data Fiduciary: Rare Infoway Private Limited ("we", "us", "our") determines the purpose and means of processing personal data through the VChat mobile application (the "App").
We process personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA 2023), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and other applicable Indian laws.
2. What VChat Is
VChat is a private messaging and real-time communication application available on Android and iOS. It enables:
- Phone-number-based identity — Registration and login using your mobile phone number and a one-time password (OTP). No email address or password is required.
- 1-to-1 messaging — Text messages, images, voice notes (audio recordings), and document sharing with individual contacts.
- Voice and video calls — Real-time peer-to-peer audio and video calls powered by LiveKit (WebRTC infrastructure).
- Group / Community chat — Group conversations with multiple participants.
- Contact discovery — With your permission, the App reads your device contact list to identify which of your contacts are registered VChat users.
- Call history — Log of incoming, outgoing, and missed calls.
- Push notifications — Message alerts and incoming call notifications via Firebase Cloud Messaging (FCM) on Android and Apple Push Notification Service (APNs) on iOS.
- Media sharing — Images (compressed), audio recordings (M4A), and documents (PDF, Word, Excel) up to the App's size limits.
- Profile — Display name, profile photo, and personal bio (About text).
3. Lawful Bases for Processing
Under the DPDPA 2023, we process personal data on the following grounds:
Consent (section 6)
Contact access, optional profile fields, analytics, marketing communications
Legitimate uses (section 7)
State/legal obligations, safety of the data principal or others, legal proceedings
Contractual necessity
Core App functionality: account creation, messaging, calling, media delivery
You may withdraw consent at any time by contacting dhairy@rareinfoway.com. Withdrawal does not affect lawfulness of processing before withdrawal, but may limit App functionality.
Children: We do not knowingly collect personal data from children under the age of 18 without verifiable parental consent as required by section 9 of the DPDPA 2023. Contact dhairy@rareinfoway.com immediately if you believe a child's data was collected without consent.
4. What We Collect and Why
4.1 Account and Identity
- Phone number (E.164 format) — used as your unique identifier; collected at registration via OTP verification.
- Name — your display name, set during profile setup.
- Profile photo — optional; uploaded to AWS S3 object storage.
- About / bio — optional short status text.
- JWT authentication token — stored on your device in encrypted storage (expo-secure-store) to maintain your session.
- Last active timestamp — used to show online/offline status to your contacts.
Lawful basis: Contractual necessity for account creation; consent for optional profile fields.
4.2 Device Contacts
- With your explicit permission, we read your device contact list to identify which contacts are registered VChat users.
- We do not upload your full address book to our servers. We send hashed or normalised phone numbers to check registration status.
- You may revoke contacts access at any time in your device Settings.
Lawful basis: Consent.
4.3 Messages and Media
- Message content: Text, delivered and read receipts, message timestamps, conversation and message identifiers.
- Images: Compressed to ≤ 2 MB, resized to a maximum of 1920 px, stored on AWS S3.
- Voice notes: Audio recordings in M4A format (up to 10 MB), stored on AWS S3.
- Documents: PDFs, Word, and Excel files (up to 10 MB), stored on AWS S3.
- Local cache: Messages and media metadata cached in an on-device SQLite database for fast, offline access.
Lawful basis: Contractual necessity for the messaging service.
4.4 Voice and Video Calls (LiveKit)
- Call metadata: Caller identity, recipient identity, call type (audio/video), call initiation time, duration, outcome.
- Media streams: Real-time audio and video transmitted peer-to-peer via WebRTC over LiveKit's infrastructure. Media is not recorded or stored by us by default.
- LiveKit JWT token: Short-lived token issued by our backend at call start.
- Signalling events: Call invite, accept, reject, end, and miss events transmitted via Socket.IO in real time.
Lawful basis: Contractual necessity. Audio/video streams in transit are processed by LiveKit's infrastructure.
4.5 Push Notifications
- FCM device token (Android): Registered on our servers at first launch, used to route incoming call and message notifications.
- APNs token (iOS): Registered similarly for iOS push delivery.
- Notification payloads: Call type, caller identity, routing identifiers, and message preview (configurable).
- Incoming call notifications on Android use a MAX priority channel with vibration to ensure call alerts break through Do Not Disturb.
Lawful basis: Contractual necessity for call and message delivery; OS-level permission mechanism.
4.6 Technical and Device Data
- Device model, operating system version, App version, network connection type, IP address.
- Crash reports and performance diagnostics used for debugging and reliability.
- Server and API access logs retained for security and incident response.
Lawful basis: Legitimate uses (safety, legal compliance) and contractual necessity.
5. Android & iOS Permissions We Request
READ_CONTACTS, WRITE_CONTACTSReading device contacts to identify VChat users among your contacts
READ_MEDIA_IMAGES, READ_MEDIA_AUDIO, READ_MEDIA_VIDEOSelecting images, audio, and video files from your device to share in chat
READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGEAccessing and saving media files (Android < 13)
CAMERACapturing photos or video for sharing in chat
RECORD_AUDIO, MODIFY_AUDIO_SETTINGSRecording voice notes; microphone access during audio/video calls
VIBRATEVibration alerts for incoming calls and messages
RECEIVE_BOOT_COMPLETEDRe-registering FCM token after device restart to maintain push notifications
USE_FULL_SCREEN_INTENTDisplaying incoming call UI over the lock screen
iOS CameraCapturing photos/video for sharing
iOS MicrophoneVoice notes and call audio
iOS ContactsReading device contacts to find VChat users
iOS Push NotificationsMessage and call alerts via APNs
We request permissions only when the relevant feature is first used. You may revoke any permission in your device's Settings at any time, but doing so may limit App functionality.
6. Sharing and Third-Party Services
6.1 Data Processors
AWS S3
Object storageMedia files, object keys, presigned URL metadata
LiveKit
WebRTC callsAudio/video streams in transit, LiveKit room metadata
Socket.IO server (self-hosted)
Real-time signallingMessage payloads, call signalling events, user presence
Firebase / FCM
Android push notificationsFCM device token, notification payload
Apple APNs
iOS push notificationsAPNs device token, notification payload
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6.2 Disclosure to Authorities
We will disclose personal data to law enforcement, government authorities, or courts when required by applicable Indian law, a valid court order, or other lawful legal process.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of substantially all of our assets, personal data may be transferred to the acquiring entity. We will notify you via the App or email before your data becomes subject to a different privacy policy.
6.4 Cross-Border Transfers
Our primary servers are hosted on AWS Mumbai (ap-south-1), keeping data within India for the core backend. However, LiveKit infrastructure and FCM/APNs services involve data processing outside India. We implement appropriate safeguards for such transfers as required under applicable Indian law.
7. Data Retention
We retain personal data only as long as necessary to provide the App and comply with legal obligations.
Account data (phone number, name, profile)
Retained while account is active; deleted or anonymised within a reasonable period after account deletion
Messages and media
Retained while your account is active; media files on S3 subject to lifecycle policies; local device cache controlled by you
Call history
Retained for a reasonable period to display call logs; may be deleted through in-app controls
Push tokens (FCM / APNs)
Retained while your account is active; removed on account deletion or token refresh
Contact lookup data
Hashed phone numbers used for registration lookup are not persistently stored beyond the lookup operation
Server logs and crash reports
Short retention period for security, debugging, and incident response
8. Security
We implement the following measures aligned with the SPDI Rules, 2011 and DPDPA 2023:
- TLS/HTTPS for all data in transit between the App and our servers.
- Encrypted local storage for authentication tokens (expo-secure-store).
- Short-lived JWT tokens for LiveKit session access.
- Short-lived presigned URLs for S3 media access — files are not publicly addressable.
- Access controls and role-based permissions on backend infrastructure.
- Firebase security for FCM token management.
Security incidents: In the event of a personal data breach, we will comply with applicable Indian law, including notification obligations under the DPDPA 2023 and IT Act, 2000.
9. Your Rights Under the DPDPA 2023
As a data principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
Right to information about processing
Section 11Right to correction and erasure of personal data
Section 12Right to grievance redressal
Section 13Right to nominate (designate a person to exercise rights on death/incapacity)
Section 14Right to withdraw consent
Section 6(4)Under SPDI Rules, 2011, you also have the right to review and correct sensitive personal data we hold about you.
To exercise any right, contact dhairy@rareinfoway.com. We will respond within the period prescribed by law.
Grievance Redressal
Contact Dhairy Dandaiya at dhairy@rareinfoway.com. We will acknowledge your complaint within 3 business days and resolve it within 30 days.
You may also approach the Data Protection Board of India (once constituted under the DPDPA 2023) if you are not satisfied with our response.
10. Cookies and Similar Technologies
The VChat App does not use browser cookies. We use device-local storage (AsyncStorage, expo-secure-store, expo-sqlite) solely to provide App functionality — authentication, message caching, and settings. These are essential to the operation of the App and are not used for advertising profiling.
11. Third-Party Links
The App may display links to external websites or services (e.g. in shared document previews or profile links). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies.
12. Changes to This Policy
We will publish updated versions of this policy at https://rareinfoway.com and update the "Last updated" date. For material changes, we will notify you through the App or by SMS. Continued use of the App after the effective date constitutes your acknowledgement of the updated policy.
13. Contact and Grievance Officer
General privacy enquiries
dhairy@rareinfoway.comGrievance Officer
Dhairy Dandaiya — dhairy@rareinfoway.com
Data Protection Officer
Not Applicable
Postal address
105 NARAYAN NAGAR, SATYSAI ROAD, Raiya, Rajkot, Rajkot-360005, Gujarat
The Grievance Officer is available to address concerns regarding processing of your personal data in accordance with the Information Technology Act, 2000 and rules thereunder.
© 2026 Rare Infoway Private Limited