Log in Join

Privacy Policy

Effective date: June 15th, 2022

This Privacy Statement (the “Privacy Statement”) is provided by:

Crypho AS (“Crypho”/“we”)

Crypho AS, Øvre Langgate 40, 3110 TØNSBERG

Business organization number NO 998713781


This policy describes what information we collect when you use Crypho’s sites, services, mobile applications, products, and content (“Services”). It also provides information about how we store, transfer, use, and delete that information, and what choices you have with respect to the information.

This policy applies to Crypho’s messaging application, including the website and mobile applications, and other Crypho websites (collectively “the Websites”), as well as other interaction (e.g. customer support conversations, user surveys and interviews etc.) you may have with Crypho.

This policy applies where we are acting as a Data Controller with respect to the personal data of users of our Services; in other words, where we determine the purposes and means of the processing of that personal data. For content and data that you upload to or make available through the Service (“User Content”), you are responsible for ensuring this content is in accordance with our Terms of Service, and that the content is not violating other users’ privacy.

How we collect, process and store information

We in Crypho are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to organisations who need additional features on top of the free version, and does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service. If you are on a paid account for professional use, we also collect public information about your company for our commercial purposes.

Crypho may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. You can revoke your consent at any time by deleting your Crypho account and notifying us.

The following is a list of data we collect, process or store, with the purpose and legal ground listed for each item or group of items having the same purpose and legal ground:

Please note that, for some of our customers, we are the processor of the following and other data categories: Display Name, email address, phone number Admin user (yes / no), Organization affiliation (for personal user accounts associated with a Business account), groups created, group name, profile picture.

How we process media (audio/video)

Participants exchange media such as audio, video and screen sharing within meetings. We only process media to enable participants to use our Service; we do not process media for our own purposes.

The legal ground for processing media is to fulfill the contract (Terms of Service) cf. GDPR art. 6 (1) item b.

We will not store any meeting recordings or media sent between participants in a room, except on a strictly transient basis where this is a necessary part of the transmission. Customers who have access to the “Recording” feature will be able to record meetings, and they are then responsible for collecting consents from all participants in the meeting prior to starting the recording. They are also responsible for storing and processing the recording in compliance with regulations after downloading it from Crypho.


Rooms will by default be set to Group call mode. Group call mode is delivered over a dedicated server infrastructure to allow many people in conversation while ensuring good stability. Your stream will be sent through video router servers which transmits it to the other participants in the call, and also transmits their streams to you. Streams will always be encrypted (DTLS-SRTP) in transit, but will be decrypted and re-encrypted when passing through the video routers. We operate an infrastructure of video routers distributed across the world, and you will be automatically routed to the closest one. The video router servers and all of our infrastructure adhere to strict security measures, preventing any eavesdropping or interruption of the video/audio streams.

Users can also choose to use “Small meeting” mode in Room Settings if they wish to prioritise having end-to-end encryption over quality and stability. In “Small meeting” mode, communication between participants is primarily sent through peer-to-peer connections, where audio and video streams are sent directly between participants and do not pass through any of our servers. Video and audio transmitted in the Service is then sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In cases where a user is behind a strict firewall or NAT, video and audio need to be relayed via a TURN server, but end-to-end encryption is still maintained.

Providing your personal data to others

We may share information with third parties in some circumstances, including: (1) with your consent; (2) to a service provider or partner who meets our data protection standards; (3) with academic or non-profit researchers, with aggregation, anonymization; (4) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process; (5) to protect the vital interest of others, when we have reason to believe that doing so will prevent harm to someone or illegal activities.

Our categories of service providers and partners are:

We only share data with co-marketing content partners when you, at your own initiative, fill a form to obtain the content. We will make sure it is clear to you that we have developed the content with our partner and that the partner will also obtain relevant information.

Business Transfers

We may disclose your personal data to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.

In the case where we are involved in a merger, acquisition, bankruptcy, reorganization or sale of assets such that your information would be transferred or become subject to a different privacy policy, we will notify you in advance and give you the option to delete your data before the transfer.

International transfers of your personal data

In some circumstances your personal data may be transferred to countries outside the European Economic Area (EEA). You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others. For information about what types of content you as a user is responsible, see this Terms of Service.

We and our other group companies have offices and facilities in Norway, United Kingdom and United States. The hosting facilities for Account information stored by Crypho are situated in Ireland. The hosting facilities for Usage information are situated in Ireland and the United States. Transfers to the United States will be protected by appropriate safeguards, namely the use of Standard Contractual Clause (SCC) adopted or approved by the European Commission.

Please note that, for new data transfers, we will continue to rely on the old SCCs until September 27,2021. For existing transfer, we will continue to rely on SCCs until December 27, 2022, by which time all data transfers relying on the old SCCs will be moved over to the new SCCs adopted and approved by the European Commission

Retaining and deleting personal data

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

We will retain your personal data as follows:

In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

  1. Account information, Room information will be retained until you decide to delete your account or delete a room in Crypho.
  2. Information about you used for Product & Marketing communication will be retained until you opt-out or withdraw your opt-in.
  3. The period of retention of usage information will be determined based on the need for historical data to determine statistical validity and relevance for product decisions and technical monitoring.

Regardless of the provisions above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Changes to this policy

We can change these Terms at any time. If a change is material, we’ll let you know before it takes effect. By using Crypho on or after that effective date, you agree to the new Terms. If you don’t agree to them, you should delete your account before they take effect, otherwise your use of the Service and Content will be subject to the new Terms.

Managing and deleting your personal information

If you have a Crypho account, you can delete your account in under your profile. If you delete your account, your information and content will be unrecoverable after that time.

Your rights

As an individual you are granted rights according to the applicable data protection law:

If you have provided your consent to your processing of personal data, you may also withdraw your consent at any time, on our Settings > Consent page.

The rights are not absolute, and you may read more about your rights in the EU general data protection regulation Chapter III, or at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en

To exercise your rights or if you otherwise have any questions regarding our processing of your personal data, we encourage you to contact us as described below. However, we also notify you that you may raise complaint to a data protection authority. As a Norwegian company, Crypho uses the Norwegian Data Protection Authority (Datatilsynet) as a supervising authority. You may find further information on their website: https://www.datatilsynet.no/. You may contact your national/state supervisory authority, but Crypho will retain the Norwegian Data Protection Authority as our lead supervisory authority.

Contact information

For any questions about this privacy policy, please contact info@Crypho.com.