Privacy Policy
Effective date: June 8, 2026
Website: https://privatgram.com
Product: PRIVATGRAM - Secure Corporate Messaging System for Critical Information Infrastructure
This Privacy Policy explains how PRIVATGRAM processes information when users access or use the PRIVATGRAM secure corporate messaging system, including the website, desktop application, mobile applications, server components, administrative panels, documentation, support channels, and related services.
PRIVATGRAM is designed for corporate and institutional use, including banks, government institutions, enterprises, and critical information infrastructure organizations that require secure internal communication, centralized administration, and controlled access management.
PRIVATGRAM is developed and distributed under the registered trademark PRIVATGRAM®.
1. Definitions
For the purposes of this Privacy Policy:
"PRIVATGRAM", "the System", "we", "us", or "our" means the PRIVATGRAM secure corporate messaging system, its official website, software components, applications, server modules, documentation, and related services.
"User" means an individual who accesses or uses PRIVATGRAM through a user account provided by an organization or authorized administrator.
"Organization" means a bank, government institution, enterprise, company, agency, or other legal entity that deploys or uses PRIVATGRAM for internal communication.
"Organization Administrator" means a person authorized by an Organization to manage users, devices, sessions, groups, channels, and access rights within that Organization.
"Super Administrator" means an authorized person responsible for managing central system infrastructure, organization networks, system administrators, server parameters, IP addresses, and database connections.
"Personal Data" means any information that relates to an identified or identifiable individual.
"Message Content" means text messages, files, images, voice messages, video messages, and other communication content exchanged through the System.
"Metadata" means technical and service information related to communication, such as user identifiers, device identifiers, timestamps, delivery status, chat membership, and system events.
2. Scope of this Privacy Policy
This Privacy Policy applies to:
- the official website privatgram.com;
- PRIVATGRAM desktop applications;
- PRIVATGRAM Android applications;
- PRIVATGRAM iOS applications;
- server components used by organizations;
- administrative panels;
- support, security, and legal communication channels;
- documentation and related online services.
This Privacy Policy does not replace the internal privacy, security, employment, or information security policies of Organizations using PRIVATGRAM. When PRIVATGRAM is deployed by an Organization, that Organization may apply its own rules regarding access, monitoring, retention, internal control, and lawful use of corporate communication systems.
3. Data Controller and Data Processor Roles
3.1. Organization-Controlled Deployment
If PRIVATGRAM is deployed within an Organization’s own infrastructure, private server environment, or controlled database environment, the Organization normally acts as the primary controller of Personal Data processed in its corporate network.
In such cases, the Organization determines which users receive access, what user data is entered into the System, how long data is retained, which administrators manage access, whether accounts are suspended, deleted, or archived, which security policies apply, and whether logs and system events are reviewed.
PRIVATGRAM may act as a software provider, technical service provider, or processor only to the extent defined by a separate agreement with the Organization.
3.2. PRIVATGRAM-Hosted or Centrally Managed Deployment
If PRIVATGRAM provides hosting, infrastructure, technical administration, maintenance, or support services, PRIVATGRAM may process certain data for the purposes of operating, securing, maintaining, and supporting the System.
The exact role of PRIVATGRAM and the Organization may be further defined in a separate contract, data processing agreement, service agreement, or deployment document.
4. Information We May Process
4.1. Account Information
The System may process username or login, user ID, organization name, department, role or access level, account status, profile settings, nickname, avatar information if enabled, registration date, and administrator-created account details.
4.2. Authentication Information
The System may process password hashes, cryptographic salt values, authentication tokens, session identifiers, login status, failed login attempts, password change events, and account recovery or password reset events.
Passwords are not intended to be stored in plaintext. The System uses cryptographic password processing mechanisms such as password hashing and individual cryptographic salt values.
4.3. Device and Session Information
The System may process device identifiers, device roles, registration IDs, session status, IP addresses, login time, last activity time, operating system type, application version, device access status, and revoked or terminated sessions.
This information is used for authentication, security, session management, device control, and administrative access management.
4.4. Cryptographic Public Key Material
The System may process public cryptographic material required for secure communication, including identity public keys, signed prekeys, one-time prekeys, registration identifiers, public key bundles, and session-related public parameters.
Private cryptographic keys are intended to remain on authorized user devices and should not be transmitted to or stored by the server.
4.5. Messages and Communication Data
The System may process encrypted message content, sender and recipient identifiers, chat identifiers, group or channel identifiers, message timestamps, delivery status, editing status, deletion status, reactions, invitations, and encrypted delivery records.
PRIVATGRAM is designed so that message content is transmitted and stored in encrypted form. Plaintext message content should be available only on authorized user devices after local decryption.
4.6. Files and Attachments
The System may process file identifiers, file names, MIME types, file size, number of file chunks, encrypted file content, encrypted attachment metadata, upload and download events, sender and recipient identifiers, and storage paths or internal file references.
Files, images, voice messages, and video messages may be encrypted before transmission and stored in encrypted form depending on the system configuration.
4.7. Administrative Data
The System may process administrator accounts, organization network identifiers, server IP addresses, database connection parameters, organization status, access permissions, administrative actions, changes to users, groups, channels, devices, sessions, and system configuration records.
4.8. Logs and Security Events
The System may process successful and failed login attempts, account creation events, password change events, session creation and termination, device registration and revocation, administrator actions, server errors, connection events, suspicious activity indicators, and system security events.
Logs are used for technical operation, troubleshooting, security monitoring, audit, and protection against unauthorized access.
4.9. Support and Contact Information
If a user or organization contacts PRIVATGRAM, we may process name, email address, organization name, subject of the request, message content sent to support, technical logs or screenshots voluntarily provided, correspondence history, and security report details.
5. Information We Do Not Intentionally Collect
PRIVATGRAM is not designed to intentionally collect precise GPS location, advertising identifiers for behavioral advertising, payment card information, biometric data for identification by PRIVATGRAM, personal social media profiles, personal contacts from the device address book unless a specific contact feature is implemented and enabled, or plaintext content of encrypted messages on the server.
If mobile operating systems provide biometric unlock functions, such as fingerprint or face authentication, such biometric processing is normally handled by the device operating system and not by PRIVATGRAM servers.
6. Purpose of Processing
Information may be processed for providing secure corporate messaging functionality, authenticating users, managing user accounts, managing organization networks, delivering messages and files, creating and managing personal chats, groups, and channels, supporting voice and video message exchange, managing devices and sessions, revoking unauthorized or compromised access, supporting administrator control, maintaining system security, detecting unauthorized access, preventing misuse of the System, troubleshooting technical problems, maintaining logs and audit records, complying with legal, contractual, or security requirements, providing technical support, and improving system stability and functionality.
7. Legal Basis for Processing
Where applicable law requires a legal basis for processing Personal Data, processing may be based on one or more of the following grounds: performance of a contract with an Organization, legitimate interests in providing and securing the System, compliance with legal obligations, user consent where required, protection of the security and integrity of corporate communication systems, and performance of employment, corporate, or institutional communication functions under the authority of the Organization.
For Organization-controlled deployments, the Organization is responsible for determining the applicable legal basis for processing Personal Data of its users.
8. Message Confidentiality and Encryption
PRIVATGRAM is designed to protect message content through encryption. The System may use TLS for transport protection, Signal-class cryptographic architecture, X3DH-based session establishment, Double Ratchet-based session key evolution, device-level session separation, AES-GCM-based encryption for attachments where applicable, and local storage of private cryptographic material on user devices.
The server is intended to store and route encrypted content. It should not require access to plaintext message content in order to deliver messages.
However, no system can guarantee absolute security under all conditions. Security may depend on correct deployment, device protection, administrator configuration, server security, software updates, user behavior, and organizational security policies.
9. Metadata
Even when message content is encrypted, the System may process metadata required for operation. Metadata may include sender and recipient identifiers, chat, group, or channel identifiers, timestamps, message size, delivery status, device identifiers, IP addresses, session events, account status, group membership, and administrator actions.
Metadata is used to provide message delivery, account management, device management, system security, and administrative control.
10. Data Sharing and Disclosure
PRIVATGRAM does not sell Personal Data.
Information may be disclosed only when necessary and depending on the deployment model, including to the user’s Organization, authorized administrators, technical service providers, app store and mobile platform providers, or when required by applicable law, court order, lawful request, regulatory requirement, or to protect the security, rights, and legitimate interests of users, Organizations, or the System.
11. Third-Party Services
Depending on the deployment model and application version, the System may use or interact with hosting providers, cloud infrastructure providers, push notification services, mobile platform services, app store services, email service providers, security monitoring tools, and support systems.
The use of third-party services may vary depending on whether the System is self-hosted by an Organization, hosted by PRIVATGRAM, or deployed in a controlled data center. Third-party services process information according to their own privacy policies and contractual terms.
12. International Data Transfers
Depending on the deployment model, Personal Data may be stored and processed in the country where the Organization’s servers are located. If third-party infrastructure, app stores, hosting providers, or international support services are used, information may be transferred to or processed in other countries.
Where required by applicable law, such transfers should be protected by appropriate legal, contractual, technical, and organizational safeguards. For self-hosted deployments, the Organization is responsible for determining where its data is stored and whether cross-border transfer rules apply.
13. Data Retention
Data retention periods may depend on Organization policy, contractual requirements, legal obligations, information security requirements, administrator settings, technical backup schedules, audit requirements, and user account status.
The System may retain different categories of data for different periods. Account data may be retained while the account is active; encrypted messages may be retained according to Organization policy; logs may be retained for security and audit purposes; backup copies may be retained for a limited technical period; and support correspondence may be retained as necessary to resolve requests and maintain records.
When data is no longer required, it may be deleted, anonymized, archived, or retained only where legally or technically necessary.
14. Data Deletion
Users may request deletion of their account data where permitted by applicable law and Organization policy.
In Organization-controlled deployments, deletion requests should normally be submitted to the Organization Administrator or the responsible department of the Organization.
Depending on the technical and legal context, deletion may be limited where data must be retained for security logs, audit records, legal obligations, contractual requirements, backup integrity, dispute resolution, or investigation of misuse or unauthorized access.
15. User Rights
Depending on applicable law and the deployment model, users may have the right to request access to their Personal Data, correction of inaccurate data, deletion of Personal Data, restriction of processing, objection to certain processing activities, export of certain data, withdrawal of consent where processing is based on consent, and submission of a complaint to a competent authority.
In Organization-controlled deployments, users should contact their Organization Administrator or responsible privacy/security department first. For privacy-related requests concerning PRIVATGRAM-operated services, users may contact privacy@privatgram.com.
16. Security Measures
PRIVATGRAM uses technical and organizational measures designed to protect information, including TLS transport protection, encrypted message storage, device-level session separation, password hashing, individual cryptographic salt values, role-based access control, administrator access control, session management, device revocation, security event logging, separation of organization environments where applicable, database access control, and backup and recovery procedures depending on deployment.
Security also depends on the Organization’s infrastructure, administrator actions, endpoint security, password policies, server configuration, access control, and user behavior.
17. User Responsibilities
Users are responsible for keeping login credentials confidential, protecting their devices, not sharing accounts, reporting suspicious activity, following Organization security policies, using the System only for authorized purposes, updating applications where required, and avoiding installation from unofficial sources unless authorized by the Organization.
18. Organization Responsibilities
Organizations using PRIVATGRAM are responsible for determining lawful purposes for processing, informing users about internal monitoring and retention rules, configuring access rights, appointing authorized administrators, protecting server infrastructure, maintaining database security, managing backup policies, responding to user requests where applicable, and ensuring compliance with applicable laws and internal policies.
19. Children’s Privacy
PRIVATGRAM is designed for corporate and institutional use and is not intended for children or for general consumer use by minors.
The System should be used only by authorized users of an Organization. Organizations are responsible for ensuring that access is granted only to users who are permitted to use the System under applicable law and internal rules.
20. Cookies and Website Data
The official website privatgram.com may use basic technical cookies or similar technologies necessary for website operation, security, performance, or language preferences.
If analytics, marketing, embedded content, or third-party tracking tools are later added to the website, this Privacy Policy should be updated to describe what tools are used, what data they collect, the purpose of collection, whether cookies are optional, and how users can manage cookie preferences.
At the current stage, the website should avoid unnecessary tracking technologies unless they are required and properly disclosed.
21. Mobile Applications and Permissions
PRIVATGRAM mobile applications may request access to device functions depending on enabled features. Such permissions may include camera access for taking or sending images and video messages, microphone access for voice messages or video messages, storage or media access for sending and receiving files, notification permission for message alerts, network access for server communication, and biometric unlock through the operating system where enabled.
Permissions are used only to provide the relevant application functionality. Users may manage permissions through their device operating system settings.
22. Push Notifications
If push notifications are enabled, mobile platform services such as Apple Push Notification service or Firebase Cloud Messaging may be used to deliver notification signals to devices.
Notification content should be limited where possible and should not intentionally include plaintext confidential message content unless the Organization’s deployment configuration allows it.
Push notification providers may process technical identifiers necessary to deliver notifications according to their own policies.
23. Data Safety and App Store Disclosures
For mobile application distribution, PRIVATGRAM may be required to provide privacy and data safety disclosures to app stores, including Google Play and Apple App Store.
These disclosures may describe categories of data collected, purposes of processing, whether data is shared, whether data is encrypted in transit, whether users can request deletion, whether data is used for tracking, and whether data collection is required or optional.
The information provided in app stores should be consistent with this Privacy Policy and the actual technical behavior of the application.
24. No Sale of Personal Data
PRIVATGRAM does not sell Personal Data, does not use message content for advertising, and does not use encrypted message content to build advertising profiles.
If any advertising, analytics, or marketing tools are introduced in the future, this Privacy Policy must be updated before such tools are used.
25. Changes to this Privacy Policy
This Privacy Policy may be updated from time to time to reflect changes in system functionality, deployment models, legal requirements, security practices, mobile application permissions, third-party services, and app store requirements.
The updated version will be published on the official website. The “Effective date” at the top of this page indicates when the latest version became effective.
26. Contact Information
For privacy-related questions, requests, or complaints, please contact:
- Privacy Contact: privacy@privatgram.com
- Security Contact: security@privatgram.com
- Legal Contact: legal@privatgram.com
- General Contact: info@privatgram.com
- Official Website: https://privatgram.com
27. Trademark and Legal Notice
PRIVATGRAM® is a registered trademark.
The trademark is registered for Class 38 services related to transmission of messages and images using computers, video transmission on demand, providing chat rooms in virtual environments, providing online forums for collaboration, messaging services, and voice mail services.
Unauthorized use of the PRIVATGRAM name, trademark, logo, domain identity, or confusingly similar designations may violate trademark and intellectual property rights.
