Legal

Privacy Policy — VideoCall.cc

Version 1.0 · Effective 6/22/2026

Privacy Policy

Privacy Policy

Effective: June 2025 · Version 1.0
VideoCall.cc ("we," "us," or "our") is committed to protecting your personal information. This Privacy Policy describes how we collect, use, store, share, and protect data when you use the VideoCall.cc website, web application, and mobile application (collectively, the "Service"). By accessing or using the Service, you acknowledge you have read and understood this Policy. If you do not agree with these practices, please discontinue use of the Service.

1. Who We Are

VideoCall.cc operates a browser-based video meeting platform. No software download or account is required to join a meeting. Registered accounts provide access to a personal dashboard, meeting history, scheduling, and profile management. The underlying real-time media engine is provided by independent community-operated Jitsi servers (see Section 6).

For any privacy-related enquiries, refer to Section 17 (Contact Us).

2. Scope of This Policy

This Policy applies to:

This Policy does not govern the practices of third-party community Jitsi servers, which process real-time meeting media independently. Those services operate under their own privacy terms.

  • The VideoCall.cc website and web application (videocall.cc) and all sub-pages.
  • The VideoCall.cc mobile application for iOS and Android.
  • All API interactions between the mobile app, web app, and our servers.
  • Guest users who create or join meetings without a registered account.

3. Data We Collect

3.1 Registered Account Data

3.2 Guest Data

3.3 Meeting Metadata

3.4 Uploaded Profile Images

3.5 Account Deletion Requests

3.6 Technical and Operational Data

When you create a VideoCall.cc account, we collect:

Guests who create or join meetings without registering provide:

We store metadata about every meeting created on our platform. This includes:

Profile pictures uploaded by registered users are stored as files under the public/uploads directory on our server. These files are publicly accessible by URL — anyone who knows the file URL can view the image. Do not upload images you wish to keep private as a profile picture.

When you submit an account deletion request, we collect your email, first name, last name, and an optional reason. This information is used solely to process and verify your deletion request, which is reviewed by an administrator.

In the course of providing the Service, our systems process:

  • Meeting title and optional description
  • Meeting ID — a short, unguessable public code
  • Optional meeting password (stored; returned only to the meeting creator)
  • Participant lists — registered user references and guest participant records (name, optional email, join timestamp)
  • Start time, end time, and duration
  • Active/inactive status and scheduling information
  • Community Jitsi server domain assigned at meeting creation
  • JWT authentication tokens — issued at login and stored client-side. User tokens expire after 24 hours; guest meeting tokens expire after 24 hours.
  • Heartbeat signals — clients send a periodic signal (~every 20 seconds) while in an active meeting so the system can detect if a meeting has been abandoned.
  • Server-selection data — the community Jitsi server assigned to a meeting is recorded in the meeting record to enable failover.
  • IP address via Google Fonts — our web pages load the Plus Jakarta Sans font from Google's CDN. This request exposes your IP address to Google. See Section 6 for details.
Field Required? Purpose
First name & last name Required Display in your profile, meetings, and dashboard
Email address Required Account identifier, login credential, and account-related communications. Stored in lowercase.
Password Required Stored as a bcrypt hash only — your plaintext password is never retained
Profile picture Optional Personalise your profile. Stored as a file on our server; accessible via a public URL (see §3.4)
Field Required? Purpose
Display name Required Identifies you within the meeting to other participants
Email address Optional If provided, stored on the meeting record for the guest creator to receive a meeting token

4. How We Collect Data

We collect personal data through the following means:

We do not use tracking pixels, third-party analytics scripts (e.g. Google Analytics), advertising SDKs on the web app, or purchase data from data brokers.

  • Direct submission — when you register, fill in a guest form, create a meeting, update your profile, or submit a deletion request.
  • Automated technical signals — heartbeat signals sent by your browser or app during an active meeting.
  • Third-party font delivery — your IP address is incidentally shared with Google Fonts when your browser downloads our web font.
  • URL parameters — guest meeting tokens may be delivered via URL query parameters when you click a shared meeting link.

5. How We Use Your Data

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Purpose Data Used Legal Basis
Create and manage your account Name, email, hashed password, profile picture Contract performance
Authenticate and authorise you Email, password hash, JWT token Contract performance
Create, run, schedule, and end meetings Meeting metadata, participant records Contract performance
Provide guest meeting access Guest name, optional email, guest JWT Contract performance
Generate and display meeting share links, QR codes, and email templates Meeting ID, site URL Contract performance
Detect abandoned meetings (heartbeat sweep) Meeting ID, last heartbeat timestamp Legitimate interests (service reliability)
Auto-close scheduled meetings at their end time Meeting start time, duration Contract performance
Display your meeting history Meeting metadata for your account Contract performance
Process account deletion requests Name, email, deletion reason Legal obligation / contract performance
Operate and secure the Service All data described in §3 Legitimate interests (security)
Deliver legal documents (Privacy Policy, Terms) None — rendered from database to all users Legal obligation
Mobile app regional configuration (branding, ads) Country/region code Legitimate interests (service personalisation)

6. Third-Party Services & Subprocessors

6.1 MongoDB Atlas (Database)

6.2 Community Jitsi Servers (Real-Time Meeting Media)

6.3 Google Fonts

6.4 Mobile Advertising (Mobile App Only)

6.5 Summary of Third Parties

All application data described in Section 3 is stored in MongoDB Atlas, a cloud database service operated by MongoDB, Inc. MongoDB Atlas acts as a data processor on our behalf and stores data in accordance with its data processing agreement and security standards. The database name is videocallcc. Data is transmitted and stored encrypted.

We maintain a curated pool of community Jitsi servers. Each meeting is assigned a server domain at creation. If a server becomes unreachable, your meeting may fail over to another healthy server in the pool. The assigned server domain is recorded in the meeting metadata.

Our web application loads the Plus Jakarta Sans typeface from Google's font CDN (fonts.googleapis.com). When your browser requests this font, Google receives your IP address and browser user-agent. This is a standard mechanism of browser-based font delivery. Google's processing of this data is governed by Google's Privacy Policy (policies.google.com/privacy). If you wish to avoid this, you may use a browser extension that blocks Google Fonts requests.

The mobile application may display advertising configured through per-region settings stored in our database. Advertising identifiers, ad types, and ad network IDs are configured at the country/region level. The mobile app's interaction with advertising networks (impression, click, and audience data) is governed by those networks' respective privacy policies and is described in more detail in the mobile app's supplementary privacy disclosures. The web application does not serve or receive advertising.

Third Party Role Data Shared
MongoDB Atlas Database / storage processor All application data (§3)
Community Jitsi Servers Real-time media infrastructure (independent controllers) Meeting room name; real-time AV/chat transmitted directly from your browser
Google Fonts Font CDN Your IP address (incidental, at page load)
Ad Networks (mobile only) Advertising delivery As configured per region; see mobile disclosures

7. Data We Do NOT Collect or Store

For the avoidance of doubt, VideoCall.cc does not collect, store, or have access to:

  • ✗ Meeting audio or video recordings — media is transmitted through community Jitsi servers and never touches our infrastructure.
  • ✗ In-call chat messages — chat transmitted during a meeting is handled exclusively by the community Jitsi server.
  • ✗ Screen-share content — transmitted directly through the Jitsi layer.
  • ✗ Payment or financial data — VideoCall.cc does not process payments.
  • ✗ Precise GPS or device location — we do not request location permissions.
  • ✗ Biometric data — no facial recognition, voice prints, or similar biometric processing.
  • ✗ Plaintext passwords — all passwords are hashed with bcrypt before storage.
  • ✗ Advertising tracking identifiers (web) — the web app does not use third-party ad cookies or tracking scripts.

8. Cookies & Client-Side Storage

8.1 localStorage (Web)

8.2 Cookies (Web)

8.3 Mobile App Storage

The mobile application uses device-local storage for equivalent session tokens and preferences. Refer to the platform-specific privacy disclosures for iOS and Android for details on mobile storage practices.

Key Contents Purpose
token Signed JWT (user) Maintains your authenticated session without re-login. Expires after 24 hours.
user Basic profile (name, ID) Displays your name and profile in the UI without a round-trip API call.
vcc-theme "light" or "dark" Persists your preferred display theme across sessions.
Cookie Name Type Purpose
admin_session HTTP-only, signed, 7-day expiry Admin console session. Not readable by JavaScript. Used only by authorised administrators.

9. Data Sharing & Disclosure

9.1 Service Delivery

9.2 Meeting Participants

9.3 Administrators

9.4 Legal Obligations

9.5 Business Transfers

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

We share data with subprocessors (MongoDB Atlas, community Jitsi servers, Google Fonts) as described in Section 6, strictly to operate the Service.

Your display name (and, for registered users, any profile information visible in the meeting room) is visible to other meeting participants. Meeting metadata, including participant names, is visible to the meeting creator. Meeting passwords are only returned to the meeting creator and are never exposed to other participants or guests.

VideoCall.cc administrators can access account data, meeting records, and deletion requests through the admin console for operational and support purposes. Admin access is protected by a separate credential and an HTTP-only session cookie.

We may disclose personal data if required to do so by law, court order, or lawful request by government or regulatory authorities, or to protect the rights, property, or safety of VideoCall.cc, its users, or the public.

If VideoCall.cc is acquired, merged, or transfers substantially all of its assets, personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your data by updating this Policy.

10. Data Retention

10.1 Active Accounts

10.2 Meeting Records

10.3 Guest Data

10.4 Account Deletion

10.5 Profile Images

10.6 Deletion Requests

Your account data (name, email, hashed password, profile picture) is retained for as long as your account is active. You may request deletion at any time (see Section 12).

Meeting metadata (title, description, participant lists, timestamps) is retained after meetings end as historical records. Registered users can view their meeting history in the dashboard. We do not currently apply automatic expiry to historical meeting records; this may be updated in future versions of this Policy.

Guest participant names and optional emails are stored as part of the meeting record they joined or created. This data persists for the lifetime of the meeting record.

Uploaded profile pictures remain as files on our server after account deletion unless a hard-deletion or specific erasure request is submitted. Because these files are publicly accessible by URL, we recommend removing your profile picture before submitting a deletion request.

Account deletion request records (including email, name, reason, and admin notes) are retained for audit and legal compliance purposes even after the request is processed.

11. Security

We implement the following technical and organisational measures to protect your personal data:

While we implement reasonable security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

  • Password hashing — all passwords are hashed using bcrypt before storage. Plaintext passwords are never persisted.
  • Signed tokens — JWTs are signed with a secret key held in server-side environment variables, inaccessible to client code.
  • HTTP-only admin cookie — the admin session cookie cannot be read by JavaScript, mitigating XSS exposure for admin credentials.
  • HTTP security headers — all responses include: Content-Security-Policy, HTTP Strict-Transport-Security (HSTS), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and a Permissions-Policy restricting camera and microphone access to embedded meeting servers only.
  • Scoped CORS — cross-origin API access uses token-based authentication with no credential cookies; admin APIs are same-origin only.
  • Meeting password scope — meeting passwords are only returned to the meeting creator; no other participant or guest can retrieve them via the API.
  • Search engine exclusion — admin and API routes are excluded from search indexing via robots.txt and X-Robots-Tag: noindex.
  • Data in transit — the Service is served over HTTPS. Data in transit to MongoDB Atlas is encrypted.

12. Your Rights & Controls

Access

Rectification

Erasure

Object / Restrict

Portability

Password Change

Depending on your location and applicable law (including GDPR, CCPA, and equivalent legislation), you may have the following rights:

Request a copy of the personal data we hold about you.

Correct inaccurate or incomplete personal data via your profile settings at /profile.

Request deletion of your account and personal data at /account/delete-account. Hard erasure requests must be submitted by email.

Object to or request restriction of processing of your data in certain circumstances.

Request your personal data in a structured, machine-readable format where technically feasible.

Update your password at any time from your profile settings.

To exercise any of the rights above, contact us using the details in Section 17 or use the in-app controls at /profile and /account/delete-account. We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law).

13. Children

Users who are under the age of majority in their jurisdiction should obtain parental or guardian consent before using the Service.

14. Mobile Application

The VideoCall.cc mobile application for iOS and Android consumes the same backend API as the web application and is subject to this Privacy Policy. The mobile app additionally:

Platform-specific privacy details (including App Store and Play Store privacy nutrition labels) are maintained in the respective store listings and supplementary mobile privacy disclosures.

  • May present advertising configured through per-region settings. Advertising interactions are subject to the applicable ad network's privacy policy.
  • Applies regional branding and configuration (color schemes, assets) based on country/region code stored in our database.
  • Uses device-local storage for session tokens and preferences equivalent to the web localStorage described in Section 8.
  • May request camera and microphone permissions for the purposes of joining meetings. These permissions are used solely for the live meeting experience and are not used for recording or background access.

15. International Data Transfers

Your data may be stored and processed in countries outside your own, including locations where MongoDB Atlas infrastructure is hosted. These locations may have different data protection laws than your country of residence. Where required by law, we implement appropriate safeguards (such as standard contractual clauses) to protect data transferred across borders.

Community Jitsi servers in our pool may be located in various countries. Real-time meeting media processed by those servers is subject to the jurisdiction and terms of their respective operators.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. The current version and effective date are always displayed at the top of this page. The authoritative version of this Policy is stored in our database and rendered dynamically on the /legal/privacy page.

For material changes — such as new categories of data collected, new purposes for processing, or new third-party sharing — we will provide notice via the Service (e.g., a banner on the dashboard) or by email to registered account holders before the change takes effect. Continued use of the Service after a change takes effect constitutes acceptance of the revised Policy.

17. Contact Us

For any privacy-related questions, data access requests, deletion requests, or complaints, please contact us:

If you are located in the European Economic Area and believe your data protection rights have been violated, you also have the right to lodge a complaint with your local supervisory authority.