Privacy Policy
OChat is operated by OC Global Technology Sdn Bhd. We take your privacy seriously. This policy explains what we collect, how we use it, and the choices you have.
Data We Collect
We collect only the minimum information necessary to operate OChat: phone number and/or email address (account identifier); profile name and avatar; device information (model, OS version, app version, language, timezone); push notification token; crash diagnostics and error logs; basic security logs (IP address, access timestamps); your address-book contacts (only if you grant Contacts permission, used solely to detect which of your contacts also use OChat — hashed before transmission); coarse and fine location (only when you actively share live location in a chat); audio and camera capture (only when you record voice messages or take photos); and message metadata (timestamps, sender/recipient identifiers, delivery and read status). We do not store the plaintext content of end-to-end encrypted messages on our servers.
How We Use It
Your data is used exclusively to operate and improve OChat. We do not sell or rent your personal information to third parties, and we do not use it for advertising. We do not use the content of your messages, photos, voice notes, or any other communications to train artificial intelligence or machine-learning models, whether our own or third parties'. Specific uses: authenticate your account; route and deliver messages; send push notifications; populate your contact list with friends who also use OChat; diagnose crashes and bugs; investigate abuse reports; and comply with legal obligations.
End-to-End Encryption
OChat uses end-to-end encryption (E2EE) for personal messages and group messages where supported. We cannot access or read the plaintext content of E2EE messages on our servers. E2EE does not cover all data: we still process account identifiers, device and connection information, message metadata (timestamps, sender/recipient IDs, delivery and read status), and any content you choose to submit when reporting abuse. E2EE may not apply to certain features (for example, system messages, backups you enable, or content you choose to share in a report).
Third-Party Service Providers
We use a limited set of named third-party providers to operate the service. Each receives only the minimum data needed for its function and is contractually bound to protect it. (a) Google Firebase Cloud Messaging (FCM) — receives your Android device push token to deliver chat-message notifications. (b) Apple Push Notification service (APNs) — receives your iOS device push token to deliver chat-message notifications. (c) Reverb (open-source WebSocket server by Laravel, built on the Pusher protocol) — relays real-time presence, typing indicators, and encrypted message envelopes between connected devices. The relay receives your user identifier and ephemeral signalling metadata; message contents remain end-to-end encrypted and are not readable by the relay. (d) Amazon Web Services (S3) — stores encrypted media files (images, audio, documents). (e) Cloud hosting providers — operate our application servers. (f) Sentry (Functional Software Inc, United States) — may receive sanitized server-side exception data (error class, stack trace, and request metadata) when application errors occur. Message content, ciphertext, authentication tokens, and one-time passcodes are stripped by a server-side scrubber before transmission. (g) Google Drive (Google LLC, United States) and Apple iCloud (Apple Inc, United States) — only if you enable Cloud Backup, they store your end-to-end-encrypted backup file inside your own Google Drive or iCloud account. The backup is encrypted on your device before upload; neither Google, Apple, nor OChat can read its contents without your recovery key. We do not use third-party advertising SDKs, third-party analytics SDKs, or tracking SDKs.
Account Deletion
You may delete your account at any time inside the app via Profile → Delete Account. You may also request deletion without installing the app by visiting https://ochat.ocgt.app/delete-account or emailing [email protected]. After deletion, we permanently remove your profile information and service data within 90 days (some encrypted backup copies may persist during that window before being purged). Messages and media already delivered to other users' devices are not deleted by us — they remain on the recipients' devices subject to their own retention.
User Safety & Reporting
If you experience harassment, spam, illegal content, or impersonation, you may block the user from their contact info screen and report abuse in-app or by emailing [email protected]. We commit to acknowledging reports within 24 hours and acting on confirmed violations promptly. Because message content may be end-to-end encrypted, we may not be able to review content unless you choose to share relevant information (screenshots, message text, media, identifiers) as part of a report. Enforcement actions may include warnings, feature restrictions, suspension, or permanent account termination. We cooperate with law enforcement on credible threats to life or other matters where required by applicable law. For security vulnerabilities, account-compromise reports, or other responsible-disclosure submissions, email [email protected] — we acknowledge security reports within 72 hours.
Data Retention
We retain data only as long as necessary. Active account data: kept while your account is open. Crash logs and diagnostic logs: 90 days. Security logs (IP, access timestamps): 90 days. Encrypted message ciphertext on our servers: deleted once delivered to all recipients, or 30 days, whichever is sooner. Cloud Backup files: stored in your own Google Drive or iCloud account and retained until you delete them or turn off Cloud Backup; we cannot access or remove them on your behalf. Upon account deletion: personal data permanently removed within 90 days.
International Data Transfers
Your data may be processed in countries outside Malaysia, including the United States and other jurisdictions where our service providers (Google Firebase, Amazon Web Services) operate. Under the Malaysia Personal Data Protection Act 2010 (as amended in 2024), we transfer personal data outside Malaysia only where one of the following applies: (a) you have consented to the transfer; (b) the transfer is necessary for the performance of our service to you; (c) the recipient is in a place that ensures a level of protection substantially similar to, or adequate under, the PDPA; or (d) the recipient is bound by contractual safeguards (such as Standard Contractual Clauses) that provide protection equivalent to the PDPA. We do not collect sensitive personal data as defined under section 4 of the PDPA (information about your physical or mental health, religious beliefs, political opinions, or the commission of any offence) outside of content you choose to share inside end-to-end encrypted messages, which we cannot access.
Your Rights
Depending on where you live, you have specific rights over the personal data we hold about you, and you may exercise them by emailing [email protected]. Malaysia (PDPA 2010): (a) the right of access — to obtain a copy of your personal data; (b) the right to correction of inaccurate or incomplete data; (c) the right to withdraw consent for any processing that relies on it; (d) the right to prevent processing likely to cause damage or distress; (e) the right to prevent processing for direct marketing (we do not engage in direct marketing); and (f) the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia. EU/UK (GDPR): the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, withdrawal of consent, and to lodge a complaint with your local supervisory authority. California (CCPA/CPRA): the right to know what personal information we collect, to request its deletion, to correct inaccurate information, to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising), and to non-discrimination for exercising these rights. We do not sell, rent, or share your personal data for advertising or behavioural profiling. We respond within the timeframe required by applicable law — within 21 days under the PDPA, within one month under the GDPR, and within 45 days under the CCPA/CPRA — extendable once where permitted by law.
Your Consent & Children
OChat requires users to be at least 13 years old to create an account. We enforce this minimum age via a mandatory checkbox at signup: the registration form blocks submission until you affirmatively confirm you are 13 or older. OChat is not intended for, marketed to, or directed at anyone under 13. We do not knowingly collect personal data from anyone under 13. If you believe we have inadvertently collected data from a person under 13, contact [email protected] and we will delete it promptly. By creating an account and using OChat, you confirm that you are at least 13 years old and you acknowledge that you have read this Privacy Policy and consent to the collection and use of your information as described above.
App Permissions & Why We Ask
Every permission OChat requests is tied to a specific feature you control. Contacts (READ_CONTACTS) — optional, to detect which of your address-book contacts also use OChat; phone numbers are hashed on your device with SHA-256 before transmission and we never upload contact names. You may deny this permission; you can still add friends by typing a phone number on the New Contact screen, and core messaging remains fully functional. Location (ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION) — only when you tap Share Location inside a chat to send live or static location. Microphone (RECORD_AUDIO) — to record voice messages. Camera — to take photos and scan QR codes. Photos, Media & Files (READ_MEDIA_IMAGES / READ_MEDIA_VIDEO on Android 13+) — when you attach a photo, video, or document to a chat you choose it through your device's system media picker, so OChat receives only the single file you select and never scans or uploads your gallery; when you save media you have received, OChat writes that one file to your gallery using add-only access. Notifications (POST_NOTIFICATIONS) — to deliver new-message alerts. OChat does not request the legacy READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permissions, nor SYSTEM_ALERT_WINDOW, SCHEDULE_EXACT_ALARM, or the carrier CALL_PHONE permission. You may revoke any permission at any time in your device settings; revoking a permission will disable the related feature only and will not delete your account or other data.
Malaysia PDPA 2010 Compliance
OC Global Technology Sdn Bhd complies with Malaysia's Personal Data Protection Act 2010 (PDPA). We process your personal data in accordance with the seven PDPA principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. You have the right to access the personal data we hold about you, request correction of inaccurate or incomplete data, withdraw consent where consent is the basis of processing, and lodge a complaint about how we handle your data. To exercise any PDPA right — including access requests, correction requests, complaints, or consent withdrawal — contact [email protected]. We will acknowledge your request promptly and respond within the timeframe required by the PDPA.
Legal Basis & Breach Notification
Legal basis for processing under the Malaysia PDPA 2010: we process your personal data on the basis of (a) your consent given at sign-up and through device permissions (Contacts, Location, Microphone, Camera, Notifications); (b) performance of our service to you (delivering messages and account features under section 6(2)(b) PDPA); (c) compliance with legal obligations imposed on us under Malaysian law; and (d) legitimate purposes connected with the operation of the service, including security, fraud prevention, and abuse investigation. You may withdraw consent at any time by revoking the related device permission, deleting your account, or emailing [email protected]. Breach notification: in the event of a personal data breach that is likely to cause significant harm to affected data subjects, we will notify the Personal Data Protection Commissioner of Malaysia within 72 hours of becoming aware of the breach, in accordance with the Personal Data Protection (Notification of Personal Data Breach) Regulations 2024, and we will notify affected users without undue delay where the risk to them is high.
End-to-End Encryption & Content Moderation
OChat encrypts personal and group messages end-to-end (E2EE). As a result, OChat servers cannot read, scan, filter, or proactively moderate the content of your messages. We rely on a layered safety model to identify and respond to abuse. (a) Pre-signup gating — every new account must affirmatively confirm they are at least 13 years old and accept these Terms and this Privacy Policy before an account can be created; the signup form presents a single mandatory checkbox and blocks submission until it is ticked. (b) Filter — you control what reaches you: delete any received message from your device, mute any conversation, clear chat history at any time, and use device-level keyboard or system content filters where available. (c) Report — every contact-info screen and every 1:1 chat header exposes an in-app Report action. Submit a reason (spam, harassment, inappropriate content, fake account, other) and an optional 512-character context note. Reports go directly to our trust-and-safety team. (d) Block — every chat-info and contact screen exposes a Block action that prevents further messages and contact discovery from the blocked user. Blocks take effect immediately and persist until you reverse them. (e) 24-hour review SLA — every submitted report is acknowledged and human-reviewed by our trust-and-safety team within 24 hours. Enforcement actions following confirmed violations may include warnings, feature restrictions, suspension, or permanent account termination. Because of E2EE, our review of message content is limited to information you choose to share inside your report (screenshots, message text, identifiers, attachments) — we cannot retrieve E2EE plaintext from our servers. When you file a report from within a chat, OChat automatically attaches a plaintext snapshot of your most recent messages in that conversation — excluding view-once and deleted messages — so our trust-and-safety team can act on reported content despite E2EE. You can review exactly which messages will be shared before submitting, and this snapshot is deleted on the same schedule as the report.
AI Training & Cross-App Tracking
No AI training. We do not use your messages, media, profile information, or any other personal data to train, fine-tune, evaluate, or improve artificial-intelligence or machine-learning models, whether developed by OChat or by any third party. We do not transmit your data to any third-party AI provider for any purpose. No cross-app tracking. OChat does not track you across other companies' apps and websites. We do not collect, share, or sell data for cross-app advertising, behavioural profiling, audience-building, or interest-based advertising. We do not collect the Apple Advertising Identifier (IDFA) or the Android Advertising ID (AAID). On iOS, the App Tracking Transparency (ATT) prompt is not shown because we do not engage in any activity that requires user permission to track. We do not embed third-party advertising SDKs, third-party analytics SDKs, or tracking SDKs in OChat.
Contact: [email protected]