Privacy Policy
Last updated: 15 June 2026
Telepathy is a browser extension that synchronizes video playback between people in a private room and adds live chat. This policy explains exactly what data we handle, why, and your choices. We collect the minimum needed to run the service and we never sell your data.
By creating an account, continuing as a guest, joining a room, or otherwise using Telepathy, you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please do not use the extension.
1. Who we are (data controller)
The data controller is Telepathy — the operator who deploys and runs this backend. For any privacy question or data request, contact privacy@telepathy.video. Telepathy is self-hosted, so the operator running your room’s backend is responsible for the data described here. If Telepathy is operated by a registered business, that entity’s legal name and address apply and will be listed here.
2. Single purpose
Telepathy exists for one purpose: to keep video playback in sync across people in a shared room and let them chat about it. Every permission below serves that purpose.
3. What we collect and why
| Data | Why | Where it lives |
|---|---|---|
| Email + password (account) | So you can sign in and keep your identity across sessions. Passwords are stored only as a salted scrypt hash — never in plain text. | Backend server |
| IP address | Abuse prevention, rate-limiting and bans. Logged on sign-up, sign-in and room join. | Backend logs |
| Approximate location (country / region / city) | Operator security visibility. Derived from your IP — never a precise/street address. | Backend logs |
| Chat messages | Relayed to the room and shown to participants; recent messages are kept so late joiners get context. | Relayed; recent kept in memory + activity log |
| Watched page (domain + URL) | So the room can open the same page and stay in sync. | Room state + logs |
| Display name & avatar, preferences | Shown to your room; preferences make the panel yours. | Your browser (local storage) |
| Session token | Keeps you signed in without re-entering your password. | Your browser (local storage) |
We do NOT collect: the video/audio you watch (it stays in your browser), your browsing history on other sites, keystrokes, biometric data, or any payment information. We do not sell your data or use it for advertising.
4. Legal basis for processing (GDPR Art. 6)
- Performance of a contract — account, session, chat and sync data are processed to provide the service you asked for.
- Legitimate interests — IP address, approximate location and activity logs are processed to keep the service secure (abuse prevention, bans, debugging). You may object (see Your rights).
- Consent — guest use and optional features rely on your choice to use them; you can withdraw at any time by stopping use / deleting the extension.
5. Browser permissions
- storage — save your name, avatar, preferences and session token locally.
- sidePanel — show Telepathy in the browser side panel.
- scripting + host access (all sites) — detect and control the
<video>element on whatever page you choose to watch, so play/pause/seek can be synchronized. Telepathy only acts on the tab where you open it; it does not read or transmit page content beyond what is needed to find and control the video player.
6. Third-party services (sub-processors)
- Approximate geolocation — your IP may be sent to a geolocation provider (ip-api.com) to derive country/city for security display.
- AI player detection (optional) — if automatic detection of the video element fails, a compressed, anonymized snapshot of the page structure (no personal content) may be sent to an AI service (e.g. Groq) to locate the player.
- Connectivity (optional) — for cross-network rooms the host may run a secure tunnel (e.g. ngrok). The backend is self-hosted by the operator who deployed it.
7. How we protect your data
Passwords are stored only as salted scrypt hashes (never plaintext). Sessions use random tokens with a 30-day expiry. Credentials are compared in constant time, requests are rate-limited, and inputs are validated and HTML-escaped to prevent injection. Connections to the backend use HTTPS/WSS in production. No method is 100% secure, but we apply reasonable, industry-standard safeguards.
8. Retention
Account records persist until the account is deleted. Activity logs are retained for operational and security purposes and may be capped or rotated. In-memory data (live room state, recent chat) is cleared when the server restarts. You can request deletion of your account at any time (see Contact); deleting an account removes it and signs it out everywhere.
9. International data transfers
Depending on where the operator hosts the backend and where the third-party services above are located, your data may be processed in countries outside your own, including outside the EEA. Where required, the operator relies on appropriate safeguards (such as Standard Contractual Clauses) for such transfers.
10. Your rights
Subject to applicable law (including the GDPR), you have the right to:
- Access the personal data we hold about you, and obtain a copy (portability).
- Rectify inaccurate data and complete incomplete data.
- Erase your data (“right to be forgotten”) — delete your account at any time.
- Restrict or object to processing based on legitimate interests.
- Withdraw consent at any time, without affecting prior processing.
- Lodge a complaint with your local data protection / supervisory authority (in the EEA, your member-state authority).
- Use Telepathy as a guest — no account, no stored email — and clear local data any time by removing the extension.
To exercise any right, contact us (Section 14). We respond within the legally required time frame.
11. Children
Telepathy is not directed to children under 13 (or the minimum age in your jurisdiction) and we do not knowingly collect their data. If you believe a child has provided data, contact us and we will delete it.
12. Cookies & local storage
Telepathy does not use advertising or third-party tracking cookies. It stores only functional data in your browser’s local storage (your display name, avatar, preferences and a session token) so the side panel works and keeps you signed in. Removing the extension or clearing browser storage erases it.
13. Changes
We may update this policy; material changes will be reflected by the “Last updated” date above and, where appropriate, announced in the app.
14. Contact & data requests
Questions, complaints or data requests (access, deletion, etc.): privacy@telepathy.video.