Privacy Policy

Video Call ·
Jurisdiction: Germany / EU · Last updated: 2026-06-15

This is a non-commercial hobby project. It is provided for free, without any commercial intent. This policy explains, in plain terms, what personal data is involved when you use it and on what legal basis it is processed under the EU General Data Protection Regulation (GDPR) and, where applicable, the German Federal Data Protection Act (BDSG) and the Telecom Telemedia Data Protection Act (TDDDG).

Contents

Controller & contact
How this project works
What data is processed
Legal basis
Retention
Recipients / providers
International transfers
Browser permissions
Security
Children
Automated decision-making
Your rights
Cookies & consent
Changes to this policy

1. Controller & contact

The "controller" is the person who decides why and how your personal data is processed (Art. 4(7) GDPR). For this project, that is the operator who deploys and runs it:

Contact details are configured by the site operator.

As a small hobby project, no separate Data Protection Officer (DPO) is appointed; this is generally not required for a project of this scale under Art. 37 GDPR / § 38 BDSG. Questions about your data can be sent to the contact above.

2. How this project works

This is a peer-to-peer (WebRTC) video calling tool. The website itself is a set of static files (HTML, CSS, JavaScript) with no application backend and no database of its own. Audio and video are sent directly between the two participants whenever possible, and are not stored by this project.

To make a direct browser-to-browser connection possible, WebRTC needs help from a few supporting servers: a signaling server (to swap connection details), STUN servers (to discover your public network address), and a TURN relay (used only as a fallback when a direct connection cannot be made). Using these servers necessarily discloses your IP address to them, and the TURN relay can carry your audio/video stream. This is inherent to how WebRTC works, not specific to this project. Note that the connection to the signaling server is opened automatically when the page loads, so the signaling provider can see your visit even if you never start a call; the STUN, TURN and media steps only occur once a call is placed or accepted.

3. What data is processed

Category	What & why
Server / hosting access data	When the page loads, the hosting/CDN provider may log standard request data: IP address, timestamp, requested URL, browser user agent, and referrer where available, plus error and security logs. Used to serve the site and keep it secure. The exact logging depends on the deployment configuration.
Peer ID	A random session identifier generated for your browser so others can call you. As soon as the page loads, your browser connects to the signaling provider and is assigned a Peer ID — this happens automatically even if you never place or accept a call, and discloses your IP address to the signaling provider. The Peer ID is not linked to your identity by this project.
Connection & signaling data	On page load, the signaling connection above is opened (disclosing your IP address to the signaling provider). When you then place or accept a call, additional connection details (including your IP address and network candidates) are exchanged via the STUN servers, and — if a direct connection is not possible — audio/video is relayed through the TURN server, disclosing your IP address to those providers too.
Camera & microphone	Accessed only with your browser permission. The browser requests camera and microphone access when the page loads, so a live preview of your own camera can be shown before any call begins; you can decline or revoke this at any time. The media is sent to another participant (and, if needed, via a TURN relay) only once a call is in progress, and is not recorded or stored by this project.
Data you enter	The Peer ID you type to call someone, and any Peer ID included in an invite link (the `?call=` parameter in the URL), which the app uses to place the call. Note that when you open an invite link, the Peer ID is part of the requested URL, so it can appear in the hosting/CDN access logs described above and in your browser history before the app reads it. The clipboard is written to only when you click "Copy ID" or "Copy invite link".
Cookies / local storage	This project sets no cookies and uses no local storage. No theme, language or session state is persisted. No analytics, advertising or tracking technologies are used.
Third-party requests	The main app page loads the PeerJS library from a public CDN and web fonts from Google Fonts; those providers receive your IP address and user agent as part of serving the files. These legal pages (Privacy/Terms) deliberately load no third-party resources.

This project does not knowingly process special categories of data (Art. 9 GDPR). Please do not transmit such data through the tool.

4. Legal basis

Legitimate interest (Art. 6(1)(f) GDPR) — operating the service securely and reliably, including necessary access, error and security logging, and protecting against abuse. Our interest is balanced against your rights; you may object (see section 12).
Performance of the requested function (Art. 6(1)(b)/(f) GDPR) — when you intentionally place or accept a call, the connection and signaling data is processed to carry out exactly that action.
Storing/accessing information on your device (§ 25 TDDDG) — only strictly necessary technical access is used; no information is stored on or read from your device beyond what is technically required to run the page, so no consent under § 25(1) TDDDG is needed.
Consent (Art. 6(1)(a) GDPR) — only where it would apply. No optional analytics, marketing or non-essential third-party embeds are used, so no consent banner is required.

5. Retention

This project keeps no database and does not store call media or submitted Peer IDs after a session ends. Peer IDs and connection state exist only in memory for the duration of your visit. Access, error and security logs created by the hosting/CDN and infrastructure providers are kept only as long as needed for operation, security and debugging, according to those providers' own retention settings, unless a specific retention period is configured by the operator. We do not claim to store nothing on the infrastructure side, because hosting and provider logs typically exist.

6. Recipients / providers

Depending on the deployment configuration, data may be processed by:

Hosting / CDN provider — serves the static site and may keep access logs.
WebRTC signaling provider — the PeerJS signaling service used to exchange connection details.
STUN providers — used to discover network addresses for a direct connection (currently Cloudflare and Google STUN endpoints).
TURN relay provider — relays audio/video when a direct connection is not possible (currently the OpenRelay project).
Library CDN & web fonts — unpkg (PeerJS library) and Google Fonts.
The other call participant — necessarily receives your audio/video and IP address during a call.

Where required, the operator concludes data processing agreements (Art. 28 GDPR) with providers acting as processors. The specific providers depend on the deployment configuration and may change. No personal data is sold.

7. International transfers

Some of the providers above (for example CDN, STUN/TURN and font providers) may process data outside the EU/EEA, including in the United States. Where that happens, transfers are intended to rely on an adequacy decision or on appropriate safeguards such as the EU Standard Contractual Clauses (Art. 46 GDPR). The exact constellation depends on the deployment configuration. If you would like details for a specific deployment, contact the operator.

8. Browser permissions

The tool asks your browser for camera and microphone access. You can decline, and you can revoke access at any time in your browser settings; calls simply will not be able to send your media without it. The app also requests clipboard write access when you copy your ID or an invite link.

9. Security

WebRTC media and data channels are encrypted in transit (DTLS-SRTP). The static site should be served over HTTPS. No system can be guaranteed perfectly secure, but the project is designed to keep no central store of personal data, which limits exposure.

10. Children

This project is not directed at children and does not knowingly process data of children. If you believe a child has used the service inappropriately, please contact the operator.

11. Automated decision-making

The project does not carry out automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

12. Your rights

Under the GDPR you have the right to:

access your personal data (Art. 15);
rectification of inaccurate data (Art. 16);
erasure / deletion (Art. 17);
restriction of processing (Art. 18);
data portability (Art. 20);
object to processing based on legitimate interest (Art. 21);
withdraw consent at any time, where processing is based on consent (Art. 7(3));
lodge a complaint with a data protection supervisory authority (Art. 77).

To exercise these rights, use the contact details above. Please note that, as this project keeps no database, there is generally no stored personal data about you to access or delete on its side; provider-side logs are governed by those providers. In Germany, you may complain to the supervisory authority of your federal state (Land) or the operator's competent authority.

13. Cookies & consent

No cookie consent banner is shown because this project uses no cookies, no local storage and no non-essential tracking, analytics or marketing tools. Because there is no tracking to honor, no separate "Do Not Track" handling is needed; nothing is tracked in the first place.

14. Changes to this policy

As a hobby project, this policy may be updated when the tools, providers or legal requirements change. The "Last updated" date at the top reflects the current version. Please review it occasionally.

This document is provided for transparency for a small hobby project and is not legal advice.