Version 1.0 · Effective 6/22/2026
VideoCall.cc operates a browser-based video meeting platform. No software download or account is required to join a meeting. Registered accounts provide access to a personal dashboard, meeting history, scheduling, and profile management. The underlying real-time media engine is provided by independent community-operated Jitsi servers (see Section 6).
For any privacy-related enquiries, refer to Section 17 (Contact Us).
This Policy applies to:
This Policy does not govern the practices of third-party community Jitsi servers, which process real-time meeting media independently. Those services operate under their own privacy terms.
When you create a VideoCall.cc account, we collect:
Guests who create or join meetings without registering provide:
We store metadata about every meeting created on our platform. This includes:
Profile pictures uploaded by registered users are stored as files under the public/uploads directory on our server. These files are publicly accessible by URL — anyone who knows the file URL can view the image. Do not upload images you wish to keep private as a profile picture.
When you submit an account deletion request, we collect your email, first name, last name, and an optional reason. This information is used solely to process and verify your deletion request, which is reviewed by an administrator.
In the course of providing the Service, our systems process:
| Field | Required? | Purpose |
|---|---|---|
| First name & last name | Required | Display in your profile, meetings, and dashboard |
| Email address | Required | Account identifier, login credential, and account-related communications. Stored in lowercase. |
| Password | Required | Stored as a bcrypt hash only — your plaintext password is never retained |
| Profile picture | Optional | Personalise your profile. Stored as a file on our server; accessible via a public URL (see §3.4) |
| Field | Required? | Purpose |
|---|---|---|
| Display name | Required | Identifies you within the meeting to other participants |
| Email address | Optional | If provided, stored on the meeting record for the guest creator to receive a meeting token |
We collect personal data through the following means:
We do not use tracking pixels, third-party analytics scripts (e.g. Google Analytics), advertising SDKs on the web app, or purchase data from data brokers.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Name, email, hashed password, profile picture | Contract performance |
| Authenticate and authorise you | Email, password hash, JWT token | Contract performance |
| Create, run, schedule, and end meetings | Meeting metadata, participant records | Contract performance |
| Provide guest meeting access | Guest name, optional email, guest JWT | Contract performance |
| Generate and display meeting share links, QR codes, and email templates | Meeting ID, site URL | Contract performance |
| Detect abandoned meetings (heartbeat sweep) | Meeting ID, last heartbeat timestamp | Legitimate interests (service reliability) |
| Auto-close scheduled meetings at their end time | Meeting start time, duration | Contract performance |
| Display your meeting history | Meeting metadata for your account | Contract performance |
| Process account deletion requests | Name, email, deletion reason | Legal obligation / contract performance |
| Operate and secure the Service | All data described in §3 | Legitimate interests (security) |
| Deliver legal documents (Privacy Policy, Terms) | None — rendered from database to all users | Legal obligation |
| Mobile app regional configuration (branding, ads) | Country/region code | Legitimate interests (service personalisation) |
All application data described in Section 3 is stored in MongoDB Atlas, a cloud database service operated by MongoDB, Inc. MongoDB Atlas acts as a data processor on our behalf and stores data in accordance with its data processing agreement and security standards. The database name is videocallcc. Data is transmitted and stored encrypted.
We maintain a curated pool of community Jitsi servers. Each meeting is assigned a server domain at creation. If a server becomes unreachable, your meeting may fail over to another healthy server in the pool. The assigned server domain is recorded in the meeting metadata.
Our web application loads the Plus Jakarta Sans typeface from Google's font CDN (fonts.googleapis.com). When your browser requests this font, Google receives your IP address and browser user-agent. This is a standard mechanism of browser-based font delivery. Google's processing of this data is governed by Google's Privacy Policy (policies.google.com/privacy). If you wish to avoid this, you may use a browser extension that blocks Google Fonts requests.
The mobile application may display advertising configured through per-region settings stored in our database. Advertising identifiers, ad types, and ad network IDs are configured at the country/region level. The mobile app's interaction with advertising networks (impression, click, and audience data) is governed by those networks' respective privacy policies and is described in more detail in the mobile app's supplementary privacy disclosures. The web application does not serve or receive advertising.
| Third Party | Role | Data Shared |
|---|---|---|
| MongoDB Atlas | Database / storage processor | All application data (§3) |
| Community Jitsi Servers | Real-time media infrastructure (independent controllers) | Meeting room name; real-time AV/chat transmitted directly from your browser |
| Google Fonts | Font CDN | Your IP address (incidental, at page load) |
| Ad Networks (mobile only) | Advertising delivery | As configured per region; see mobile disclosures |
For the avoidance of doubt, VideoCall.cc does not collect, store, or have access to:
The mobile application uses device-local storage for equivalent session tokens and preferences. Refer to the platform-specific privacy disclosures for iOS and Android for details on mobile storage practices.
| Key | Contents | Purpose |
|---|---|---|
| token | Signed JWT (user) | Maintains your authenticated session without re-login. Expires after 24 hours. |
| user | Basic profile (name, ID) | Displays your name and profile in the UI without a round-trip API call. |
| vcc-theme | "light" or "dark" | Persists your preferred display theme across sessions. |
| Cookie Name | Type | Purpose |
|---|---|---|
| admin_session | HTTP-only, signed, 7-day expiry | Admin console session. Not readable by JavaScript. Used only by authorised administrators. |
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
We share data with subprocessors (MongoDB Atlas, community Jitsi servers, Google Fonts) as described in Section 6, strictly to operate the Service.
Your display name (and, for registered users, any profile information visible in the meeting room) is visible to other meeting participants. Meeting metadata, including participant names, is visible to the meeting creator. Meeting passwords are only returned to the meeting creator and are never exposed to other participants or guests.
VideoCall.cc administrators can access account data, meeting records, and deletion requests through the admin console for operational and support purposes. Admin access is protected by a separate credential and an HTTP-only session cookie.
We may disclose personal data if required to do so by law, court order, or lawful request by government or regulatory authorities, or to protect the rights, property, or safety of VideoCall.cc, its users, or the public.
If VideoCall.cc is acquired, merged, or transfers substantially all of its assets, personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your data by updating this Policy.
Your account data (name, email, hashed password, profile picture) is retained for as long as your account is active. You may request deletion at any time (see Section 12).
Meeting metadata (title, description, participant lists, timestamps) is retained after meetings end as historical records. Registered users can view their meeting history in the dashboard. We do not currently apply automatic expiry to historical meeting records; this may be updated in future versions of this Policy.
Guest participant names and optional emails are stored as part of the meeting record they joined or created. This data persists for the lifetime of the meeting record.
Uploaded profile pictures remain as files on our server after account deletion unless a hard-deletion or specific erasure request is submitted. Because these files are publicly accessible by URL, we recommend removing your profile picture before submitting a deletion request.
Account deletion request records (including email, name, reason, and admin notes) are retained for audit and legal compliance purposes even after the request is processed.
We implement the following technical and organisational measures to protect your personal data:
While we implement reasonable security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.
Depending on your location and applicable law (including GDPR, CCPA, and equivalent legislation), you may have the following rights:
Request a copy of the personal data we hold about you.
Correct inaccurate or incomplete personal data via your profile settings at /profile.
Request deletion of your account and personal data at /account/delete-account. Hard erasure requests must be submitted by email.
Object to or request restriction of processing of your data in certain circumstances.
Request your personal data in a structured, machine-readable format where technically feasible.
Update your password at any time from your profile settings.
To exercise any of the rights above, contact us using the details in Section 17 or use the in-app controls at /profile and /account/delete-account. We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law).
Users who are under the age of majority in their jurisdiction should obtain parental or guardian consent before using the Service.
The VideoCall.cc mobile application for iOS and Android consumes the same backend API as the web application and is subject to this Privacy Policy. The mobile app additionally:
Platform-specific privacy details (including App Store and Play Store privacy nutrition labels) are maintained in the respective store listings and supplementary mobile privacy disclosures.
Your data may be stored and processed in countries outside your own, including locations where MongoDB Atlas infrastructure is hosted. These locations may have different data protection laws than your country of residence. Where required by law, we implement appropriate safeguards (such as standard contractual clauses) to protect data transferred across borders.
Community Jitsi servers in our pool may be located in various countries. Real-time meeting media processed by those servers is subject to the jurisdiction and terms of their respective operators.
We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. The current version and effective date are always displayed at the top of this page. The authoritative version of this Policy is stored in our database and rendered dynamically on the /legal/privacy page.
For material changes — such as new categories of data collected, new purposes for processing, or new third-party sharing — we will provide notice via the Service (e.g., a banner on the dashboard) or by email to registered account holders before the change takes effect. Continued use of the Service after a change takes effect constitutes acceptance of the revised Policy.
For any privacy-related questions, data access requests, deletion requests, or complaints, please contact us:
If you are located in the European Economic Area and believe your data protection rights have been violated, you also have the right to lodge a complaint with your local supervisory authority.