TL;DR: We collect only what's necessary to run Setu. Your files are encrypted client-side before upload. Chat messages are not stored. You control your data.
📦 1. Information We Collect
1.1 Information You Provide
When you create an account on Setu, we collect:
- Name — to identify you within rooms and on your profile card.
- Email address — for authentication and account recovery.
- Nickname (optional) — a display name for rooms.
- Phone number (optional) — stored on your profile but never shared publicly.
- Country (optional) — for profile personalization only.
- Password — hashed with PBKDF2-SHA256 (100,000 iterations + salt). We never store your raw password.
1.2 Information Generated Automatically
When you use Setu, we may automatically collect:
- IP address — for rate limiting and abuse prevention (not stored long-term).
- Browser/device type — for analytics and compatibility.
- Usage data — page visits, feature interactions (via Google Analytics, anonymized).
- Transfer codes & room IDs — ephemeral identifiers that expire automatically.
1.3 Files You Transfer
Files uploaded via the QR Transfer feature are:
- Encrypted client-side with AES-256-GCM before leaving your browser.
- Stored as encrypted chunks on our servers; we cannot read their contents.
- Automatically deleted after 7 minutes or upon single download (if one-time mode is enabled).
⚙️ 2. How We Use Your Information
We use collected information only for the following purposes:
- To authenticate you and maintain your session securely (JWT tokens).
- To display your profile card and room membership within Setu rooms.
- To enable file transfer and real-time collaboration features.
- To improve the platform through aggregated, anonymized analytics.
- To respond to your support requests and feedback submissions.
- To enforce our Terms & Conditions and prevent abuse.
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
🔐 3. Data Storage & Security
We implement multiple layers of security to protect your data:
- Encryption in transit: All communications between your browser and our servers use HTTPS/TLS.
- Encryption at rest: Files are encrypted before upload; the decryption key is wrapped and stored separately from the encrypted chunks.
- Password hashing: PBKDF2-SHA256 with 100,000 iterations and a random salt — verified with constant-time comparison.
- JWT authentication: Short-lived tokens with automatic expiry.
- Auto-expiry: File transfer links expire after 7 minutes; one-time download links expire after a single use.
Account profile data (name, email, nickname, phone, country) is stored in our secured database and is not publicly accessible.
🍪 4. Cookies & Tracking
Setu uses minimal tracking technologies:
- localStorage: We use browser localStorage to remember your theme preference (dark/light mode) and maintain authentication state. This data never leaves your device.
- Google Analytics: We use anonymized Google Analytics to understand how users interact with the platform. No personally identifiable information is sent to Google Analytics.
- No advertising cookies: We do not use cookies for advertising, retargeting, or cross-site tracking.
You can disable cookies in your browser settings; this may affect some functionality (e.g., theme persistence).
🤝 5. Data Sharing
We do not share your personal data with third parties, except in the following limited circumstances:
- Service providers: We use infrastructure providers (e.g., cloud hosting, CDN) who process data solely on our behalf under data processing agreements.
- Legal compliance: We may disclose data if required by law, court order, or to protect the safety of users or the public.
- Business transfer: In the unlikely event of a merger or acquisition, your data may be transferred — you will be notified in advance.
Room members: When you join a Setu room, your display name/nickname is visible to other room members. This is intentional and necessary for collaboration.
⚖️ 6. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated personal data.
- Portability: Request your data in a machine-readable format.
- Withdrawal of consent: You may stop using the service at any time.
To exercise any of these rights, contact us at our contact page.
👶 7. Children's Privacy
Setu is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us immediately and we will delete that information.
📝 8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:
- Update the "Last Updated" date at the top of this page.
- Notify users of significant changes via the platform or email (if registered).
Continued use of Setu after changes constitutes acceptance of the updated policy.