Privacy Policy ============== Last updated: February 20, 2026 This Privacy Policy explains what data Valour collects, why we collect it, and how you can control it. We believe in minimal data collection — we only store what is necessary to run the service. Valour is operated by Valour Software LLC ("the Company", "we", "us", "our"). You can reach us at support@valour.gg. What We Collect =============== Account Information ------------------- When you register, we collect: * Email address: for account verification, password recovery, and policy updates * Username and tag: your display identity on the platform * Password: stored as a salted hash, never in plain text * Date of birth: to verify you are at least 13 years old (COPPA compliance) * Country/locality: to determine which data regulations apply to you Optionally, you may provide: * Invite code: tracks which invite brought you to Valour * Referral source: how you heard about us (e.g. YouTube, Twitter) Profile Information ------------------- You may optionally fill in: * Profile headline and bio * Avatar and profile background images * Theme colors and border style All profile information is user-provided and publicly visible to other Valour users. Messages and Content -------------------- Messages you send are stored on our servers to deliver them to other users. This includes text content, attachments, embeds, replies, and emoji reactions. Technical Data -------------- * IP address: recorded on your authentication token for account security. Also logged when you upload images or video, for compliance with NCMEC and child safety law. * Device type: a simple mobile/desktop flag, used to show your online status * Push notification endpoints: to deliver notifications to your device We do NOT collect: * Your real name, phone number, or physical address * Browser fingerprints, cookies, or tracking pixels * Browsing behavior, page views, or session analytics * Contact lists from other services We do not use Google Analytics or any other third-party tracking software. How We Use Your Data ==================== We use your data to: * Operate the service: deliver messages, manage your account, authenticate you * Verify your age: ensure compliance with COPPA (minimum age 13) * Secure your account: detect unauthorized access via IP on auth tokens * Send transactional emails: account verification, password recovery, and policy updates only * Process payments: if you purchase a subscription (handled by third parties) * Report errors: only if you opt in (see below) We do NOT use your data to: * Send marketing emails or newsletters * Serve advertisements * Build behavioral profiles * Sell or rent to third parties Legal Basis for Processing (GDPR) ---------------------------------- If you are in the EU/EEA, here is the legal basis we rely on for each type of processing: * Contract (Art. 6(1)(b)): account registration, message delivery, payment processing, and all core service functionality. We need your email, username, password, and messages to provide the service you signed up for. * Legal obligation (Art. 6(1)(c)): age verification (COPPA), IP logging on media uploads (NCMEC/child safety law), and responding to lawful government requests. * Legitimate interest (Art. 6(1)(f)): IP address on auth tokens for account security and fraud prevention. This is essential to protecting all accounts on the platform and cannot be disabled on a per-user basis. * Consent (Art. 6(1)(a)): opt-in error reporting via Sentry. You can withdraw consent at any time in your preferences. Third-Party Services ==================== These services receive limited data to provide specific functionality: * SendGrid: delivers transactional emails (verification, password recovery, policy updates). We have disabled click tracking. Privacy policy: https://www.twilio.com/legal/privacy * Sentry: receives error reports, but ONLY if you opt in via your preferences. You can disable this at any time. * Stripe: processes card payments, subscription billing, and checkout sessions. We never see or store your full payment card details. Privacy policy: https://stripe.com/privacy * Apple App Store / Google Play: processes in-app purchases on mobile. Privacy policies: - Apple: https://www.apple.com/legal/privacy/en-ww/ - Google: https://www.google.com/policies/privacy/ * Firebase Cloud Messaging: delivers push notifications on Android. * Tenor: powers GIF search. Your GIF favorites are stored on our servers, not shared with Tenor. We do not share your data with advertisers, data brokers, or any parties not listed above. International Data Transfers ----------------------------- Our servers and several of our third-party service providers (SendGrid, Sentry, Stripe, Firebase) are based in the United States. If you are located outside the US, your data will be transferred to and processed in the US. Our third-party providers each publish their own GDPR compliance documentation and data processing terms, which you can review at the links in the Third-Party Services section above. These transfers are necessary to perform our contract with you (Art. 49(1)(b)) and are further protected by our providers' data processing agreements. Valour Software LLC is the data controller. Our third-party service providers act as data processors under data processing agreements. Error Reporting (Opt-In) ======================== Valour uses Sentry for error reporting. This is fully opt-in. By default, no error data is sent. You can control this in your user preferences: * Off (default): no error data is sent * On: error logs, stack traces, and basic device info are sent to Sentry You can change this setting at any time. Data Retention and Deletion =========================== We retain your data for as long as your account exists. We do not maintain long-term backups of user data — deleted data is not recoverable from backup systems. Data may be retained beyond account deletion only if required by law (e.g. a valid legal hold or regulatory obligation). You can permanently delete your account at any time through the app. When you delete your account, we delete: * All your messages and attachments * Your profile and private information * Your credentials and authentication tokens * Your friend relationships and memberships * Your notification history and channel states * Your referral records This deletion is permanent and cannot be undone. Data Security ============= Passwords are hashed and salted before storage. Authentication uses token-based sessions stored in your browser's local storage — we do not use HTTP cookies for authentication or tracking. Push notification endpoints (Firebase) use device-level tokens managed by your operating system, not browser cookies. You can view and revoke individual sessions from your account settings. No method of electronic storage is 100% secure. While we use reasonable measures to protect your data, we cannot guarantee absolute security. If you are a security professional and discover a vulnerability, please report it to us at support@valour.gg and consider contributing to our open-source codebase to help us improve security. Your Rights =========== Regardless of where you live, you can: * Access your data: view your profile, messages, and active sessions through the app * Correct your data: update your profile, email, and username at any time * Delete your data: permanently delete your account and all associated data * Revoke sessions: individually revoke any active login session * Control error reporting: opt in or out of error reporting at any time For EU/EEA Residents (GDPR) ---------------------------- You additionally have the right to: * Request a copy of your personal data * Object to processing of your data * Request restriction of processing * Data portability: receive your data in a machine-readable format * Withdraw consent at any time * Lodge a complaint with your local data protection authority For California Residents (CCPA/CPRA) ------------------------------------- We do not sell or "share" (as defined by the CPRA) your personal information for cross-context behavioral advertising. The table below fulfills our disclosure obligations under Cal. Civ. Code § 1798.110 and § 1798.115: Category | What we collect | Source | Purpose | Shared with ----------------------|---------------------------|------------|--------------------------|------------------- Identifiers | Email, username, IP | You / auto | Account operation, | SendGrid (email), | address | | security | Sentry (opt-in) ----------------------|---------------------------|------------|--------------------------|------------------- Customer records | Email, hashed password | You | Authentication | None (Cal. Civ. 1798.80e) | | | | ----------------------|---------------------------|------------|--------------------------|------------------- Internet activity | Device type (mobile/ | Automatic | Online status, | None | desktop flag) | | service delivery | ----------------------|---------------------------|------------|--------------------------|------------------- Sensory data | User-uploaded images, | You | Message delivery, | None | video, audio | | content sharing | ----------------------|---------------------------|------------|--------------------------|------------------- Commercial info | Subscription status | You / | Payment processing | Stripe, Apple, | | Stripe | | Google ----------------------|---------------------------|------------|--------------------------|------------------- Age / DOB | Date of birth | You | COPPA age verification | None We do not collect: protected classifications, biometrics, geolocation, professional/employment info, education records, or inferences. Your CCPA/CPRA rights: * Right to know: what data we collect and how we use it (see above) * Right to delete: request deletion of your data at any time * Right to opt-out of sale: we do not sell your data, so there is nothing to opt out of * Right to non-discrimination: we will not treat you differently for exercising your rights To exercise any of these rights, contact us at support@valour.gg. Children's Privacy ================== Valour requires users to be at least 13 years old. We collect date of birth at registration to verify this. If you believe a child under 13 has created an account, please contact us at support@valour.gg and we will delete it. Disclosure for Legal Reasons ============================ We may disclose your data if required by law, court order, or government request. We also reserve the right to reject unlawful requests to protect our users' privacy and safety. Changes to This Policy ====================== We will notify you of significant changes by posting the updated policy and updating the date above. Continued use of Valour after changes constitutes acceptance of the revised policy. Contact ======= If you have questions about this Privacy Policy: * Email: support@valour.gg