Privacy Policy

Last updated: March 2026

CallSec ("we", "us", "our") operates the CallSec secure communication platform accessible at callsec.si and through our mobile applications. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable European data protection laws.

1. Data Controller

The data controller responsible for processing your personal data is:

CallSec
Website: callsec.si
Email: info@callsec.si

2. Data We Collect

2.1 Account Information

User identifier (username) assigned during registration
Hashed authentication credentials (passwords are never stored in plaintext)
Account creation and last activity timestamps

2.2 Device Information

Device identifiers used for session management and multi-device support
Device type and operating system (for compatibility and security purposes)
Encryption keys associated with each device (for end-to-end encryption)

2.3 Push Notification Tokens

Firebase Cloud Messaging (FCM) tokens for Android push notifications
Apple Push Notification service (APNs) VoIP tokens for iOS call notifications
These tokens are used solely to deliver notifications and incoming call alerts

2.4 Call Metadata

Call signaling data necessary to establish connections (call invites, answers, hangups)
Call duration and timestamps for call history functionality
We do not record, store, or have access to the content of your calls. All voice and video calls are end-to-end encrypted

2.5 Technical Data

IP addresses (for connection management and security monitoring)
TURN relay server usage data (for facilitating peer-to-peer connections)

3. Data We Do NOT Collect

We do not collect, read, or store the content of your messages. All messages are end-to-end encrypted using the Vodozemac cryptographic library. The server cannot decrypt them.
We do not collect the content of your voice or video calls
We do not collect your contacts, photos, or files unless explicitly shared within a conversation
We do not use tracking cookies or third-party analytics
We do not build advertising profiles or behavioral models

4. End-to-End Encryption

CallSec employs end-to-end encryption (E2EE) for all messages and calls. This means:

Messages are encrypted on the sender's device and can only be decrypted by the intended recipient(s)
The CallSec server processes encrypted data only for delivery purposes and cannot read message content
Voice and video calls use WebRTC with SRTP encryption, routed through TURN relay servers that handle only encrypted media streams
Encryption keys are generated and stored locally on each device

5. How We Use Your Data

We process your data for the following purposes under the legal bases indicated:

Service delivery (contractual necessity): To provide secure messaging, voice, and video calling services
Push notifications (contractual necessity): To deliver message notifications and incoming call alerts using FCM and APNs tokens
Security monitoring (legitimate interest): To detect and prevent unauthorized access, abuse, and security threats
Multi-device management (contractual necessity): To synchronize encrypted sessions across your registered devices
Service improvement (legitimate interest): To maintain and improve platform reliability and performance

6. Device Security Features

The CallSec application includes on-device security features. These operate entirely on your device and no data from these features is transmitted to our servers:

Root and tamper detection
Screen recording and screenshot prevention
USB debugging and developer options detection
IMSI catcher detection and microphone monitoring
Biometric authentication and PIN protection
Automatic screen lock and task switcher protection

7. Data Storage and Location

All server-side data is stored on servers located in Europe
On-device data (messages, encryption keys, settings) is stored in an encrypted SQLCipher database on your device
We do not transfer personal data outside the European Economic Area (EEA)

8. Data Retention

Account data is retained for the duration of your active account
Encrypted message data on the server is retained only until delivered to recipient devices, after which it may be removed according to configured retention policies
Call signaling metadata is retained for up to 30 days for troubleshooting purposes
Server logs containing IP addresses are retained for a maximum of 90 days
Upon account deletion, all associated data is permanently removed from our servers

9. Data Sharing

We do not sell, trade, or rent your personal data to any third party.

We may share data only in the following limited circumstances:

Push notification providers: FCM tokens are shared with Google Firebase and APNs tokens with Apple solely for push delivery. These providers do not have access to message content
TURN relay servers: Encrypted media streams pass through relay servers for call connectivity. Relay servers cannot decrypt the content
Legal obligations: We may disclose data if required by law, court order, or regulatory authority. Due to end-to-end encryption, we can only provide metadata, not message content

10. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of access — Request a copy of the personal data we hold about you
Right to rectification — Request correction of inaccurate personal data
Right to erasure — Request deletion of your personal data and account
Right to restriction — Request that we restrict processing of your data
Right to data portability — Request your data in a structured, machine-readable format
Right to object — Object to processing based on legitimate interests
Right to withdraw consent — Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at info@callsec.si. We will respond within 30 days as required by the GDPR.

11. Data Deletion

You can request complete deletion of your account and all associated data by contacting us at info@callsec.si. Upon receiving your request:

Your account will be deactivated within 48 hours
All personal data will be permanently deleted from our servers within 30 days
Locally stored data on your devices is managed by you and can be removed by uninstalling the application

12. Security Measures

We implement comprehensive security measures to protect your data:

End-to-end encryption for all message content and calls
TLS 1.3 encryption for all server communications
Certificate pinning to prevent man-in-the-middle attacks
Encrypted database storage (SQLCipher) on client devices
JWT-based authentication with automatic token rotation
Rate limiting and brute-force protection
Regular security audits and updates

13. Children's Privacy

CallSec is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Email: info@callsec.si
Website: callsec.si