Privacy Policy
Last updated: 4 May 2026
This Privacy Policy explains how EasyTalk ("we", "our", "the service") collects, uses, stores, and protects your personal data when you use our web application. EasyTalk is a real-time communication platform developed as part of a Diploma Thesis at the University of Western Macedonia (UOWM), Department of Electrical & Computer Engineering, in Kozani, Greece.
We comply with the EU General Data Protection Regulation (GDPR) and related national legislation. By creating an account or otherwise using the service, you confirm that you have read and understood this policy.
1. Who we are
Service: EasyTalk — Real-Time Chat Web Application
Project context: Developed as part of a Diploma Thesis
Developed by: Athanasios Kouskouras
Supervised by: Dr. Minas Dasygenis
Institution: Department of Electrical & Computer Engineering, University of Western Macedonia, Kozani, Greece (EU)
Laboratory: Laboratory of Digital Systems and Computer Architecture
Contact: [email protected] or use the Contact Us form
2. Hosting & status of the service
EasyTalk is currently in a development / academic stage and is not yet operated as a commercial service. The application runs in an academic environment within the European Union (Greece / UOWM). No personal data is transferred outside the European Economic Area, except for emails delivered through Google’s SMTP infrastructure (see Section 6).
If we move to production hosting in the future, this section will be updated to disclose the hosting provider and any cross-border transfer safeguards (Standard Contractual Clauses or adequacy decisions).
3. Data we collect
Account data (provided by you during registration and profile setup):
- A username you choose, visible to other users
- Your email address (used for login, account verification, and notifications)
- A password (never stored in plain text; only a securely hashed version is retained)
- An optional profile image
- Account state (active, banned, or deleted)
- Account creation timestamp
User-generated content (created by you while using the service):
- Direct (1-on-1) and group chat messages
- Voice messages and video messages recorded in the chat (microphone and camera access requires your explicit consent each time)
- Photos captured via the in-app camera (camera access requires your explicit consent each time)
- File attachments you upload in chats such as images, audio, video, and documents (subject to size and format limits)
- Group memberships, group images, group names
- Friend requests and friendships
- Contact form submissions: the subject, the message, and, optionally, the nickname and surname you provide. Your username, email, and an internal account identifier are attached to each submission to link it to your account
- Privacy and notification preferences such as account visibility settings and email notification opt-in
Technical & security data (collected automatically while using the service):
- Strictly necessary cookies for authentication and session management (see Section 7)
- Your IP address (used only for abuse-prevention purposes)
- Real-time presence indicators (online/offline status and typing notifications, transmitted only while you are actively connected)
4. How we use your data
- To create and authenticate your account
- To deliver messages, files and notifications between you and other users you have chosen to communicate with
- To match friend requests and maintain group memberships
- To send you transactional emails for account verification, password resets, friend requests, and notifications about direct messages you received while offline
- To enforce security, prevent abuse, and protect accounts from unauthorized access
- To respond to your contact form messages and privacy requests
We do not use your data for advertising, profiling, behavioural tracking, or sale to third parties.
5. Legal basis (GDPR Art. 6)
- Performance of a contract — for everything required to provide the service you signed up for (account, messaging, friends, groups).
- Your consent — for accessing your microphone or camera (asked by your browser each time), and for optional email notifications which you can enable in Settings.
- Legitimate interests — for security, fraud and abuse prevention.
- Legal obligation — if we are required to retain or disclose data by applicable law.
6. Sharing & third parties
We do not sell, rent, or trade your personal data. Limited disclosure occurs only in the following cases:
- Other users: information you choose to share with them, such as your username, profile image, the messages you send them, and your online status. Members of any group you both belong to can also see your role within that group (admin or member) and whether your account has been banned.
- Email delivery: transactional emails (verification, password reset, notifications, contact form) are delivered through a third-party email delivery service (currently Google’s email infrastructure), acting as a sub-processor solely for that purpose.
- Administrator: the developer can access user records (username, email, profile image, account status, and registration date) for moderation and abuse prevention.
- Legal authorities: if compelled by valid legal process, we may disclose data to competent authorities.
Front-end libraries used by the interface are self-hosted on our server. The application does not use Google Analytics, Facebook Pixel, advertising trackers, or any other third-party tracking technology.
7. Cookies
EasyTalk uses only strictly necessary cookies for authentication and session management. No tracking, analytics, or advertising cookies are set.
- An authentication cookie that keeps you logged in during your session
- An optional persistent login cookie, set only if you choose “Keep me logged in” at login
- A standard browser session cookie
- A security token used to verify that form submissions come from your active session
All cookies are configured with industry-standard security attributes appropriate to the deployment (restricted to first-party use, HTTPS-only flag where applicable).
8. Data retention & deletion
Different categories of data are retained as follows:
- Active accounts: kept for as long as your account exists.
- Deleted accounts and deleted messages: marked as deleted (“soft delete”) and become invisible to other users. The underlying records may remain in the database for technical reasons (referential integrity, audit). You may request a full deletion via the Contact Us form (see Section 9).
- Verification and password reset tokens: short-lived, automatically invalidated on use or after a brief expiry window.
- Abuse-prevention records: retained only as long as needed to enforce these protections, then purged.
- Session cookies: cleared when you log out or your session expires.
9. Your rights under GDPR
You have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request hard deletion of your data.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to specific processing activities.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the Greek Data Protection Authority (www.dpa.gr) or your local supervisory authority.
To exercise any of these rights, please use our Contact Us form with the subject line “Privacy Request”. We will respond within 30 days.
10. Security measures
- Passwords are never stored in plain text. They are hashed using industry-standard algorithms before storage.
- Sensitive content stored on our servers is protected with strong encryption at rest.
- Database queries are designed to defend against injection attacks.
- Forms that change account state include protections against unauthorized submissions.
- Cookies are configured with appropriate security attributes.
- We use additional HTTP response headers to defend against common browser-based attacks.
- Sessions automatically expire after a period of inactivity.
- Abuse-prevention mechanisms are applied across the service.
11. Children
EasyTalk is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete the account.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically. Where feasible, we may also notify you through the email address associated with your account.
13. Contact
For any privacy-related question or to exercise your rights, please use the Contact Us form (preferred) or email [email protected].