Privacy Policy

Last updated: April 2026

1. Introduction

VAY (“we,” “us,” or “our”) is operated by VAY Foundation. This Privacy Policy explains how we collect, use, store, and protect your information when you use the VAY mobile application and related services (collectively, the “Service”). We are committed to protecting your privacy and handling your data transparently.

By using VAY, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data We Collect

VAY collects the minimum data necessary to provide the Service. The categories below align with Apple's App Store privacy labels:

Contact Info

Phone number (optional, used only for contact discovery if you choose to provide it) and username (chosen during account creation).

Identifiers

Device identifier (for push notifications and session management) and user identifier (your Ed25519 public key, which serves as your cryptographic identity).

Usage Data

Anonymized call duration and message counts for service quality monitoring. This data is aggregated and cannot be linked back to individual users or specific conversations.

Diagnostics

Crash logs and performance data collected through Pilot (our built-in observer) and Sentry (crash reporting). This data helps us identify and fix bugs, improve call quality, and maintain app stability.

Data We Do NOT Collect

  • Message content (encrypted end-to-end)
  • Call audio or video content
  • Your device contacts list
  • Location data
  • Browsing history
  • Photos, videos, or files from your device

3. End-to-End Encryption

All calls and messages for Free tier and above are protected with SFrame end-to-end encryption (E2EE). This means:

  • Encryption keys are generated and stored exclusively on your device.
  • VAY servers relay encrypted data but cannot decrypt it.
  • Neither VAY Foundation nor any third party can read your messages or listen to your calls.
  • You can verify encryption with your contacts using the Safety Number (SAS code) displayed during calls.

4. Pilot — Built-in Observer

Pilot is VAY's built-in observer that monitors your communication environment to help ensure quality and reliability.

What Pilot monitors:

  • Network quality and connectivity status
  • Call stability and audio/video performance
  • Message delivery status
  • App health and crash detection
  • Infrastructure status (server availability, latency)

What Pilot does NOT access:

  • Message content or conversation history
  • Call audio or video streams
  • Your contacts or address book
  • Any data outside the VAY application

How Pilot processes data:

Pilot performs analysis locally on your device. Only anonymized, aggregated diagnostic metrics are transmitted to VAY servers to help us improve service quality. These metrics cannot be used to reconstruct the content of any communication.

5. Data Storage & Security

We implement multiple layers of security to protect your data:

  • Server locations: Infrastructure hosted in the European Union and Central Asia, subject to applicable data protection regulations.
  • Encryption at rest: All server-side data is encrypted using AES-256-GCM.
  • Encryption in transit: All connections use TLS 1.3 with certificate pinning to prevent interception.
  • Device storage: Messages and encryption keys are stored in your device's secure storage and are protected by your device passcode.

6. Data Retention

  • Messages: VAY servers relay encrypted messages but do not retain message content after delivery. Undelivered messages are stored encrypted for a limited period until delivery succeeds or the retention window expires.
  • Account data: Upon account deletion, all server-side account data is permanently removed within 30 days.
  • Pilot observer events: Diagnostic events are retained for 7 days for Free tier users. Business and First tier users have extended retention as part of their subscription.
  • Crash reports: Retained for up to 90 days for debugging purposes, then automatically deleted.

7. Third-Party Services

VAY uses a limited number of third-party services to provide core functionality. We do not use any advertising networks or behavioral analytics services.

LiveKit — Provides real-time call infrastructure (audio/video relay). LiveKit processes encrypted media streams but cannot decrypt them.
Sentry — Crash reporting and error tracking. Receives only anonymized crash logs and performance diagnostics. No message content or personal data is sent to Sentry.
Apple — Processes in-app purchases and subscriptions through the App Store. Apple handles payment information directly; VAY does not store or access your payment details.

8. Children's Privacy

VAY is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@vay.foundation.

9. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete data.
  • Right to deletion: Request deletion of your personal data. See Account Deletion for details.
  • Right to data portability: Request your data in a structured, commonly used format.
  • Right to opt out: Opt out of certain data processing activities.
  • Right to non-discrimination: Exercising your privacy rights will not affect the service you receive.

To exercise any of these rights, contact us at privacy@vay.foundation. We will respond within 30 days.

10. Account Deletion

You can delete your VAY account at any time through the app: Settings → Delete Account. You may also request deletion by emailing delete@vay.foundation with your username.

Upon deletion:

  • All messages and call history are removed
  • Your contacts and Pilot data are erased
  • Active subscriptions are cancelled
  • Encryption keys on the server are destroyed
  • Server-side data is permanently purged within 30 days

For detailed information, see our Account Deletion page.

11. Cookies & Tracking

The VAY mobile application does not use cookies, tracking pixels, or web beacons. We do not employ any advertising identifiers or cross-app tracking. The VAY website (vay.network) does not use analytics services, cookies, or third-party trackers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the VAY app and update the “Last updated” date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

VAY Foundation

Email: privacy@vay.foundation

Website: vay.foundation