← Back to home

Sidecall › Privacy Policy

Privacy Policy

Last updated: April 2026

Contents

  1. Overview
  2. Two Modes: Free P2P vs Paid TURN
  3. P2P Mode (Default, Free)
  4. TURN Relay Mode (Optional, Paid)
  5. What We Collect
  6. Payment & Subscription Data
  7. What We Do NOT Collect
  8. Data Storage
  9. Third-Party Services
  10. Browser Permissions
  11. Data Deletion
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact

1. Overview

Sidecall is a Chrome extension for peer-to-peer (P2P) audio and video calls with encrypted messaging. This Privacy Policy explains exactly what data we collect, when, and why.

We designed Sidecall to collect the absolute minimum data necessary to operate the service. However, certain features — especially the optional paid TURN relay subscription — require us to handle additional data such as email addresses. This policy describes both scenarios clearly.

2. Two Modes: Free P2P vs Paid TURN

Sidecall operates in two different modes, and the data we handle depends on which mode you use:

🟢 Free P2P Mode (Default): No personal information required. You get a random User ID, add contacts, and start calling. We do not know your name, email, or phone number.

💳 Paid TURN Relay (Optional): If you choose to subscribe to TURN relay for better connectivity, we collect and store your email address for subscription management. Payments are processed by Stripe.

3. P2P Mode (Default, Free)

By default, all calls and messages use peer-to-peer (P2P) technology via WebRTC. In this mode:

  • Your audio, video, and messages travel directly between browsers — they do not pass through any Sidecall server.
  • All media is encrypted end-to-end using DTLS-SRTP, a standard WebRTC encryption protocol.
  • Text messages are encrypted using ECDH key exchange and AES-GCM encryption.
  • Our signaling server is used only to help two browsers find each other and establish a connection. It handles small signaling messages (connection offers, network addresses) but never touches call content.
  • Once the P2P connection is established, the signaling server is no longer involved in the call.

In P2P mode, no server can see or hear your conversation. Data flows directly from your browser to your contact's browser.

4. TURN Relay Mode (Optional, Paid)

Some networks (corporate firewalls, strict NAT configurations, hotel or campus Wi-Fi) block direct P2P connections. In these cases, you may enable TURN relay — an optional paid feature ($5/month) that routes your call through a relay server.

What this means for your privacy:

  • Your encrypted call data passes through a third-party TURN server (provided by Twilio).
  • The TURN server cannot decrypt, read, or listen to your calls — it only relays encrypted packets.
  • TURN is only active when you explicitly enable it. You will see a clear indicator in the extension when TURN is in use.
  • To subscribe, you must provide an email address (see Payment & Subscription Data section below).
  • If you expect fully serverless communication, leave TURN disabled and use P2P only.

Important: When TURN is active, a relay server is involved in passing your data. However, all data remains encrypted end-to-end — the relay cannot see the content of your calls or messages.

5. What We Collect (Free Users)

For all users, including free users, we collect the absolute minimum needed to operate the service:

  • User ID: A randomly generated identifier (e.g., "user_abc123"). It is not tied to your name, email, or phone number. This ID is generated locally in your browser and stored on your device.
  • Online/offline status: Our signaling server knows which User IDs are currently connected, so it can route incoming call notifications to the right device.
  • Offline messages: If someone sends you a message while you're offline, it is stored temporarily on our server (encrypted) and delivered when you come back online. These are deleted after delivery or after 7 days maximum.
  • IP address (transient): Your IP address is visible to our signaling server during the brief connection process, as is the case with any web service. We do not log, store, or analyze IP addresses.

Free users do not provide any personal information. No name, email, phone number, or payment details are required.

6. Payment & Subscription Data (TURN Subscribers Only)

If you choose to subscribe to the optional TURN relay feature, additional data is collected and stored for subscription management purposes:

  • Email address: Required for subscription management, account recovery across devices, and sending important notifications about your subscription (e.g., payment failures, cancellation confirmations). Your email is stored on our server and associated with your Sidecall User ID.
  • Stripe customer ID: A unique identifier provided by Stripe to link your subscription to your payment method. We store this to manage your subscription status.
  • Subscription status & expiration date: We store whether your subscription is active, cancelled, or expired, along with the renewal/expiration date.
  • Authentication token: A randomly generated token used to verify your subscription across devices. This is not a password and is generated by our server.

What we do NOT store regarding payments:

  • Credit card numbers, CVV codes, or any card details
  • Billing addresses or personal identification numbers
  • Bank account information
  • Full transaction history (handled entirely by Stripe)

All payment processing is handled exclusively by Stripe, a PCI-DSS compliant payment processor. When you click "Subscribe" in the extension, you are redirected to Stripe's secure checkout page, which is where you enter your payment details. Stripe handles all card data; Sidecall never sees or stores your card information.

You can cancel your subscription at any time through the Stripe customer portal, accessible from the extension settings. Upon cancellation, your email and subscription data can be deleted upon request (see Data Deletion section).

7. What We Do NOT Collect

  • Call content (audio, video)
  • Message content (text of your conversations) — even offline messages are encrypted
  • Call history or metadata (who called whom, when, for how long)
  • Your real name, phone number, or physical location
  • Browsing activity, history, or any data from other websites you visit
  • Keystroke data, mouse movements, or other behavioral analytics
  • Credit card numbers or banking information
  • Contacts or address book from your device

8. Data Storage

  • Contacts, call history, messages, and settings are stored locally in your browser using Chrome's storage API. They never leave your device unless you explicitly send a message to another user.
  • Signaling data (connection offers, ICE candidates) is processed in real-time and not stored after the connection is established.
  • Offline messages are stored temporarily (up to 7 days) on our signaling server until delivered, then deleted.
  • Subscription data (email, Stripe customer ID, subscription status, auth token) is stored on our server only for users who subscribed to TURN relay. This data is retained as long as the subscription is active, or until you request deletion.

9. Third-Party Services

  • Twilio — provides TURN relay servers for premium subscribers. Twilio processes encrypted call data but cannot decrypt it. Twilio Privacy Policy
  • Stripe — processes subscription payments and stores payment methods for TURN subscribers. Stripe is a PCI-DSS compliant payment processor. Sidecall does not have access to your card details. Stripe Privacy Policy
  • Google STUN servers — used to discover your public network address for P2P connections. These are standard, free servers provided by Google that only process minimal network information.
  • Railway — our signaling server is hosted on Railway's infrastructure. Railway may log basic request metadata (timestamps, IP addresses) as part of standard hosting operations. Railway Privacy Policy

10. Browser Permissions

Sidecall requests the following Chrome permissions:

  • tabs — to open a dedicated call page in a new tab when a call starts. Only used for call windows; we do not read or track your other tabs.
  • notifications — to alert you about incoming calls and new messages when the extension panel is not visible.
  • storage — to save your contacts, messages, settings, and User ID locally in your browser.
  • sidePanel — to display the extension interface in Chrome's native side panel.
  • host permission for our signaling server — to establish WebSocket connections for P2P signaling. This is the only external host the extension connects to directly.

The extension only activates when you interact with it. It does not monitor your browsing activity, read website content, or track any data outside its own interface.

11. Data Deletion

Free users (P2P only):

  • All your data (contacts, messages, settings, User ID) is stored locally in your browser. To delete it, simply uninstall the extension or clear the data in Chrome's extension settings.
  • Offline messages temporarily stored on our server are auto-deleted after 7 days or upon delivery.

TURN subscribers:

  • You can cancel your subscription at any time via the Stripe customer portal accessible from the extension settings.
  • To request permanent deletion of your email, subscription record, and auth token from our server, email us at support@sidecall.online. We will process deletion requests within 30 days.
  • Payment history is retained by Stripe according to their own policies and legal requirements.

12. Children's Privacy

Sidecall is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. For significant changes (e.g., new data collection), we will notify existing TURN subscribers via email. Continued use of the extension after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy, want to request data deletion, or have any other concerns, contact us at ayanchimitov@gmail.com.