Privacy Policy

1. Introduction & Definitions

Welcome to SheraChat ("Application," "App," "Service," "Platform," or "SheraChat"). This Privacy Policy ("Policy") explains how SheraAI Technologies ("Company," "we," "us," "our"), a technology company founded and operated by Shaheer ("Developer," "Owner"), collects, uses, processes, discloses, stores, and protects your information when you use our SheraChat application and all related services, websites, features, and functionalities.

1.1 Key Definitions

For the purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data (collection, recording, storage, use, etc.)
• "Data Subject" means the individual to whom Personal Data relates (you, the user)
• "Data Controller" means the entity determining purposes and means of Processing (SheraAI Technologies)
• "Data Processor" means an entity processing Personal Data on behalf of the Data Controller
• "Consent" means any freely given, specific, informed, and unambiguous indication of agreement
• "End-to-End Encryption" means cryptographic protection where only communicating parties can read messages
• "Biometric Data" means personal data resulting from specific technical processing of physical or behavioral characteristics
• "Sensitive Personal Data" includes racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation

1.2 Our Privacy Commitment

SheraChat is built with privacy as a foundational principle, not an afterthought. We believe:

• Privacy is a fundamental human right that must be protected
• Your data belongs to you, not to us
• Security and privacy should be default, not optional
• Transparency builds trust
• Minimal data collection is the best data collection

2. Data Controller Information

The Data Controller responsible for your Personal Data is:

3. Information We Collect

3.1 Information You Provide Directly

When you register and use SheraChat, you may provide:

• Account Registration Data: Phone number (required for verification), display name, profile picture (optional), about/status text (optional)
• Contact Information: Phone numbers from your device's address book (only with your explicit permission) to help you find and connect with other SheraChat users
• Communication Content: Messages, voice notes, images, videos, documents, and other files you choose to send (all encrypted end-to-end)
• User-Generated Content: Status updates, stories, profile information, and any content you create within the app
• Customer Support Data: Information provided when you contact our support team, including correspondence, feedback, and bug reports
• Survey Responses: Optional feedback and survey responses you choose to provide

3.2 Information Collected Automatically

When you use SheraChat, we automatically collect:

• Device Information: Device type, model, operating system version, unique device identifiers (Android ID, IDFA), screen resolution, language settings
• App Usage Data: Features used, frequency of use, time spent in app, interaction patterns, crash reports, performance data
• Connection Information: IP address, internet service provider, mobile network information, connection type (WiFi/cellular)
• Log Data: Access times, pages viewed, app crashes, system activity, hardware settings
• Location Data: Only if you explicitly grant permission for location-based features; we do not track location by default

3.3 Information from Third Parties

• Firebase Authentication: Basic authentication tokens when you sign in
• App Store/Play Store: Basic installation and update information
• Payment Processors: If premium features are offered, limited payment confirmation (not full payment details)

3.4 Special Categories of Data

SheraChat does NOT intentionally collect sensitive personal data including racial/ethnic origin, political opinions, religious beliefs, genetic data, biometric data for identification, health data, or sexual orientation. If such data is inadvertently shared in messages, it is encrypted end-to-end and inaccessible to us.

4. End-to-End Encryption

SheraChat implements military-grade AES-256 end-to-end encryption for all private communications. This is a critical feature of our privacy architecture:

4.1 What End-to-End Encryption Means

• Only You and Recipients Can Read Messages: Messages are encrypted on your device before transmission and can only be decrypted by the intended recipient's device
• We Cannot Read Your Messages: Even if legally compelled, we cannot provide message content because we do not possess decryption keys
• Keys Stored Locally: Your encryption keys are generated and stored exclusively on your device(s), never on our servers
• Forward Secrecy: Unique encryption keys are generated for each message session, limiting the impact of any potential key compromise

4.2 What Is Encrypted

• Text messages and group messages
• Voice notes and audio messages
• Photos, videos, and documents
• Voice and video calls
• Location shares (when manually shared)
• Status updates to selected recipients

4.3 What Is NOT Encrypted End-to-End

• Profile information (name, photo, about) - visible to contacts
• Phone number - required for account identification
• Metadata (timestamps, delivery status) - required for message delivery
• Cloud backups - if enabled, encrypted with user-provided password or device key

5. How We Use Your Information

We use collected information for the following purposes:

5.1 Service Provision (Legal Basis: Contract Performance)

• Create and manage your SheraChat account
• Enable message delivery and real-time communication
• Facilitate voice and video calls
• Sync your conversations across devices
• Process and deliver media files
• Enable group chat functionality

5.2 Service Improvement (Legal Basis: Legitimate Interest)

• Analyze anonymized usage patterns to improve features
• Fix bugs and optimize performance
• Develop new features based on user needs
• Conduct research and development

5.3 Security & Safety (Legal Basis: Legitimate Interest, Legal Obligation)

• Verify identity and prevent fraud
• Detect and prevent spam, abuse, and security threats
• Enforce our Terms of Service
• Protect users from malicious activity
• Comply with legal requirements

5.4 Communication (Legal Basis: Legitimate Interest, Consent)

• Send service-related notifications (security alerts, updates)
• Respond to your inquiries and support requests
• Send promotional communications (only with consent, easily unsubscribable)

6. Artificial Intelligence & Machine Learning

SheraChat incorporates AI-powered features to enhance your messaging experience. We are committed to transparent and ethical AI practices:

6.1 AI Features and Data Processing

• Smart Reply Suggestions: AI analyzes message context to suggest quick replies. Processing occurs locally on your device when possible.
• Grammar Enhancement: Optional AI-assisted writing improvement. Text is processed temporarily and not stored.
• Translation Services: If cloud translation is used, text is sent securely, processed, and immediately discarded.
• Chatbot Interactions: Conversations with AI chatbots may be processed by third-party AI providers (OpenAI) under strict data processing agreements.

6.2 AI Data Protection Commitments

• AI does NOT have access to your encrypted private messages
• We do NOT use your personal communications to train AI models
• AI processing is anonymized and not linked to your identity
• You can disable all AI features in Settings
• AI suggestions are automated and may not always be accurate - you are responsible for content you send

6.3 Third-Party AI Providers

When cloud-based AI features are used, data may be processed by:

• OpenAI: For advanced language processing - governed by OpenAI's data usage policies, with no training on user data

7. Data Sharing & Disclosure

7.1 When We May Share Data

A. Service Providers (Data Processors)

We engage trusted third parties to perform services on our behalf:

• Firebase (Google Cloud): Backend infrastructure, authentication, database, cloud functions - Google acts as Data Processor under strict contractual terms, SOC 2 and ISO 27001 certified
• Cloud Storage Providers: For encrypted backup storage (if enabled by user)
• Analytics Services: Anonymized usage analytics to improve the service

B. Legal Requirements

We may disclose information if required by law:

• To comply with valid legal processes (subpoenas, court orders, government requests)
• To protect the rights, property, or safety of SheraAI Technologies, users, or the public
• To detect, prevent, or address fraud, security, or technical issues
• Note: Due to end-to-end encryption, we CANNOT provide message content even if legally required - we simply don't have access to it

C. Business Transfers

If SheraAI Technologies is involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before Personal Data becomes subject to a different privacy policy.

D. With Your Consent

We may share data with third parties when you explicitly consent to such sharing.

8. Cookies & Tracking Technologies

8.1 Website Cookies

Our website (sherachat73.web.app and shera-ai.com) uses minimal cookies:

• Essential Cookies: Required for website functionality (session management, security tokens)
• Analytics Cookies: Anonymous usage statistics via Firebase Analytics to understand website traffic
• Preference Cookies: Remember your settings (language, theme)

8.2 What We Do NOT Use

• Advertising or targeting cookies
• Social media tracking pixels
• Third-party marketing trackers
• Cross-site tracking technologies

8.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect website functionality.

9. Data Retention

9.1 Retention Periods

• Messages: Stored encrypted on our servers until you delete them or delete your account. Encrypted locally on your device.
• Account Data: Retained while your account is active and for 30 days after deletion request
• Device Tokens: Retained until you log out or uninstall the app
• Backups: Retained according to your configured backup schedule; deleted when you disable backups or delete account
• Usage Analytics: Anonymized data retained for up to 26 months for trend analysis
• Support Tickets: Retained for 3 years for quality assurance and legal purposes
• Legal Hold: Data may be retained longer if required for legal proceedings

9.2 Account Deletion

When you delete your account:

• Your profile information is immediately removed from visibility
• Your messages remain encrypted in recipients' devices (we cannot remotely delete them)
• Your server-side data is permanently deleted within 30 days
• Backups are deleted according to the backup provider's retention policy
• Some anonymized, aggregated data may be retained for analytics

10. Security Measures

We implement comprehensive security measures to protect your data:

10.1 Technical Safeguards

• Encryption in Transit: TLS 1.3 for all data transmission
• Encryption at Rest: AES-256 for stored data
• End-to-End Encryption: For all private communications
• Secure Key Management: Hardware security modules where applicable
• Regular Security Audits: Penetration testing and vulnerability assessments
• Intrusion Detection: Real-time monitoring for suspicious activities

10.2 Operational Safeguards

• Access controls and principle of least privilege
• Employee security training and confidentiality agreements
• Incident response procedures
• Regular backups with encryption

10.3 Infrastructure Security

• Firebase/Google Cloud Platform: SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018 certified
• Geographic data redundancy
• DDoS protection

10.4 Your Security Responsibilities

• Keep your device secure with screen lock
• Enable biometric app lock in SheraChat settings
• Keep your app updated to the latest version
• Never share your account credentials
• Report suspicious activity immediately

11. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

11.1 Your Rights

• Right of Access (Art. 15): Request a copy of your Personal Data we hold
• Right to Rectification (Art. 16): Correct inaccurate or incomplete Personal Data
• Right to Erasure (Art. 17): Request deletion of your Personal Data ("Right to be Forgotten")
• Right to Restriction (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw previously given consent at any time
• Right to Lodge Complaint: File a complaint with your local Data Protection Authority

11.2 Legal Bases for Processing

• Contract Performance: Processing necessary to provide SheraChat services
• Legitimate Interest: Service improvement, security, fraud prevention (balanced against your rights)
• Consent: For optional features, marketing communications
• Legal Obligation: Compliance with laws and regulations

11.3 Exercising Your Rights

To exercise any GDPR right, contact us at privacy@shera-ai.com with subject "GDPR Request". We will respond within 30 days.

12. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights:

12.1 Your California Rights

• Right to Know: What Personal Information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your Personal Information
• Right to Correct: Correct inaccurate Personal Information
• Right to Opt-Out: Opt out of the sale or sharing of Personal Information
• Right to Non-Discrimination: Not be discriminated against for exercising your rights
• Right to Limit Use of Sensitive Personal Information: Limit how we use sensitive data

12.2 Categories of Personal Information Collected

In the past 12 months, we have collected:

• Identifiers (phone number, device ID, IP address)
• Internet/network activity (app usage, log data)
• Geolocation data (only with permission)
• Audio/visual data (voice messages, photos - encrypted)
• Inferences (AI-generated suggestions)

12.3 Sale of Personal Information

We do NOT sell your Personal Information. We do not exchange Personal Information for monetary or valuable consideration.

12.4 Exercising Your California Rights

Submit a verifiable consumer request via:

• Email: privacy@shera-ai.com (subject: "CCPA Request")
• Website: Contact form at shera-ai.com

12.5 Verification

We will verify your identity before processing requests using your account phone number and email.

13. International Privacy Rights

13.1 Brazil (LGPD)

Brazilian users have rights under Lei Geral de Proteção de Dados including access, correction, deletion, portability, and information about sharing.

13.2 Canada (PIPEDA)

Canadian users have rights to access and correct personal information under the Personal Information Protection and Electronic Documents Act.

13.3 Australia (Privacy Act)

Australian users have rights under the Australian Privacy Principles to access and correct personal information.

13.4 Other Jurisdictions

We respect privacy rights in all jurisdictions. Contact us if you have questions about your local rights.

14. Children's Privacy

14.1 COPPA Compliance (USA)

• We do not target or knowingly collect information from children under 13
• If we discover we have collected data from a child under 13, we will delete it immediately
• Parents can contact us to request deletion of their child's data

14.2 Parental Notice

If you believe your child has provided us with Personal Data without your consent, please contact us immediately at privacy@shera-ai.com.

15. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

15.1 Transfer Safeguards

• Standard Contractual Clauses (SCCs): EU-approved contract terms for data transfers
• Data Processing Agreements: Contractual protections with all service providers
• Encryption: Data is encrypted in transit and at rest
• Privacy Shield Principles: We adhere to applicable privacy framework principles

15.2 Data Locations

• Firebase/Google Cloud servers (various global locations)
• Your local device storage

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be handled as follows:

• Minor Changes: Updated "Last Updated" date; continued use constitutes acceptance
• Material Changes: In-app notification, email notification (if provided), and 30-day notice before new terms take effect
• Objection: If you disagree with changes, you may delete your account before the effective date

We recommend reviewing this policy periodically. Previous versions are available upon request.

17. Contact Us

For privacy-related questions, requests, or concerns:

We aim to respond to all privacy inquiries within 30 days.