Privacy Policy

The controller within the meaning of the GDPR is:
Zulfi Ismailov-Demiri
Richardstr. 14
26725 Emden
Email: [email protected]

For any privacy-related questions, please use the email address above.

Tockedup was built to collect as little personal data as possible. The platform does not maintain persistent user accounts, does not store chat history on servers, and does not share any personal data with third parties.

Email address

When you sign in, you provide your email address to receive a one-time verification code (OTP). This email address is not stored permanently and is never visible to other users. It is used solely to generate a cryptographically signed session token (JWT) and is not retained after that.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract / pre-contractual measures.

Session token (JWT in localStorage)

After successful verification, Tockedup stores a JWT (JSON Web Token) in your browser's localStorage. This token contains your email address as a claim and is valid for 30 days. It is used to authenticate you with the server and to assign you an anonymous session ID.

localStorage is not a cookie — it never leaves your browser and is not automatically transmitted to the server. You can delete it at any time by clearing your browser storage for this site or signing out via the "Leave" button.

Legal basis: Art. 6(1)(b) GDPR.

Chat messages and files

Messages and shared files are stored exclusively in the browsers of the participants (IndexedDB). On the server, messages exist only transiently for the duration of the active WebSocket connection. There is no server-side message history.

Server logs

The server logs minimal technical information for operational and diagnostic purposes (connection events, anonymous session IDs). IP addresses are not retained long-term and are not linked to user identities.

Tockedup does not share any personal data with third parties. No analytics services, advertising networks, social media plugins, or any other third-party services are integrated into the platform.

Tockedup does not use cookies. Authentication is handled exclusively via localStorage, which is technically necessary and does not require your consent.

• Email address (for OTP): Discarded immediately after the JWT is issued. The one-time code expires after 10 minutes.
• JWT in localStorage: Expires automatically after 30 days or is deleted immediately when you sign out.
• Messages in the browser: Retained until you manually clear your browser storage or uninstall the browser.

You have the right to:

• Access your personal data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data ("right to be forgotten", Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR)

To exercise your rights, contact us at: [email protected]

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence or the company's registered address.

All communication between your browser and our server is encrypted using HTTPS and WSS (WebSocket Secure). Session tokens are signed with HMAC-SHA256 and cannot be forged.

We reserve the right to update this Privacy Policy as needed. The current version is always available at this URL. For material changes, active users will be notified.