Data Minimisation Statement

1. Purpose and Scope of This Data Minimisation Statement

At EXTRA SAFE, data minimisation is not an add-on but the foundation of our product development. For modern chat apps used in both personal and professional contexts, data minimisation and anonymity are essential for safety, autonomy, and trust. This statement is separate from our Privacy Policy to explain this principle clearly.

For EXTRA SAFE, data minimisation means enabling communication without knowing users’ identities or creating digital footprints. Our goal is to provide a safe space where users are not required to share personal information.

This statement is intended for anyone who uses EXTRA SAFE, whether individually or in a team setting, and for regulators. It applies to the EXTRA SAFE Mobile App and Browser Lite, including all of their components.

2. Data Minimisation by Design

At EXTRA SAFE, data minimisation is built into the product’s architecture. It guides communication design at every level, so we avoid creating unnecessary data from the outset rather than collecting data and deciding later how to protect it.

This approach is based on privacy by design and privacy by default. The system operates without user profiles, personal identifiers, or records, as it does not require them to function.

By limiting what the platform can access, store, and control, we reduce its influence over user data. We adhere to the principle that unused data is a liability, not an asset: we do not collect data 'just in case', because data that is held but not needed is a risk rather than a resource. This keeps data risk to a minimum and keeps users in control of their own data.

3. Data We Do Not Collect

EXTRA SAFE is intentionally designed to operate without collecting many common categories of personal data:

  1. We do not collect personal identifiers such as real names, email addresses, or phone numbers.
     In the mobile app, users select a display name visible only to their contacts and receive a unique EXTRA SAFE number as their sole in-app identifier.
     In Browser Lite, users can start a conversation by clicking a link, with no sign-up or download required.

  2. We do not request access to users’ contact lists, location data, or advertising identifiers.

  3. We do not conduct behavioral tracking or build profiles linked to identifiable individuals. Any analysis we perform is aggregated, non-identifying, and used only to improve users' experience.

The absence of this data is intentional and central to our mission.

4. How We Process Data

EXTRA SAFE processes only the minimum technical data required for secure communication. This includes the data needed to verify that a request comes from a legitimate participant, to establish connections between devices, and to transmit messages or media. The system uses this data solely to carry the communication and does not create user records from it.

We distinguish between data processed to carry communication and data stored on a user’s device. When users connect to EXTRA SAFE, their device generates its cryptographic keys locally, and those keys never leave the device. Communication content is end-to-end encrypted in transit and is stored only temporarily by default, according to the user’s timer settings.

Any storage required for technical operation is minimal, encrypted, and temporary by default. Data may pass through system components to enable chats or calls, but it is not accumulated, archived, or stored beyond what is strictly necessary for communication.

5. User Identity and Account Structure

Users in EXTRA SAFE remain anonymous. There are no accounts linked to real-world identities. In the mobile app, each user receives a unique EXTRA SAFE number as their sole identifier. In Browser Lite, users can start a conversation by clicking a link, without creating an account.

EXTRA SAFE anonymous identifiers are verified using cryptographic signatures. Each request or connection is signed with a key held on the user’s device, so the platform can confirm that it comes from the same device as before without learning who the user is. Users can have secure conversations without disclosing personal information.

Unlike most messaging platforms, EXTRA SAFE does not collect, infer, enrich, or monetize user data for advertising. Users can communicate within our system without being profiled.

6. Messages, Calls, and Shared Content

EXTRA SAFE ensures that communication is visible only to intended recipients and retained only as long as necessary.

1. Calls

When a user makes a call in EXTRA SAFE, the platform connects them directly to the other caller peer-to-peer (P2P) using WebRTC. Audio and video streams travel between the two devices, encrypted in transit as WebRTC requires, and are not stored by the platform. Messages sent in the call chat are end-to-end encrypted, exchanged P2P, and available only for the duration of the call; once the call ends they are discarded.

2. Chats

Messages, images, voice notes, and files shared in standalone chats are protected with end-to-end encryption. Content is encrypted on the user’s device before sending, remains encrypted in transit, and is decrypted only on the recipient’s device. By default, chat history is automatically cleared according to a user-defined timer.

EXTRA SAFE cannot access the content of users’ conversations at any point. Messages and media are created on users’ devices, delivered securely, and deleted automatically under user control.
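As an added example of what "encrypted on the device, opaque to everything in between" means in practice (illustrative code written for this statement, not EXTRA SAFE's own implementation): two devices agree a key over X25519 and protect each message with AES-GCM, while the relay in the middle holds no keys, queues ciphertext for delivery and forgets it once fetched. The routing label is authenticated along with the ciphertext, so the relay can neither read a message nor silently re-address it. The single SHA-256 used to turn the shared secret into a key is a simplification; the statement does not describe EXTRA SAFE's actual key schedule, and a real deployment would use a proper KDF with context binding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint is a user's device. The X25519 private key is generated locally and
// never leaves the struct; peers exchange only public keys.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

func (e *Endpoint) Public() []byte { return e.priv.PublicKey().Bytes() }

// sessionKey turns the ECDH shared secret into an AES-256 key.
// SIMPLIFICATION (assumption): a bare SHA-256 stands in for a real KDF.
func (e *Endpoint) sessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func (e *Endpoint) aead(peerPub []byte) (cipher.AEAD, error) {
	key, err := e.sessionKey(peerPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is everything the relay ever sees: a routing label plus opaque bytes.
type Envelope struct {
	To         string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt runs on the sender's device. The routing label is bound as AAD, so a
// relay that rewrites "To" produces an envelope the recipient will reject.
func (e *Endpoint) Encrypt(peerPub []byte, to string, plaintext []byte) (Envelope, error) {
	gcm, err := e.aead(peerPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{To: to, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(to))}, nil
}

// Decrypt runs on the recipient's device and fails on any tampering.
func (e *Endpoint) Decrypt(peerPub []byte, env Envelope) ([]byte, error) {
	gcm, err := e.aead(peerPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.To))
}

// Relay models the server: no keys, a short-lived queue, nothing kept after delivery.
type Relay struct{ queue map[string][]Envelope }

func NewRelay() *Relay { return &Relay{queue: map[string][]Envelope{}} }

func (r *Relay) Accept(env Envelope) { r.queue[env.To] = append(r.queue[env.To], env) }

func (r *Relay) Deliver(to string) []Envelope {
	out := r.queue[to]
	delete(r.queue, to)
	return out
}

func (r *Relay) Pending() int { return len(r.queue) }

func main() {
	alice, _ := NewEndpoint()
	bob, _ := NewEndpoint()
	relay := NewRelay()
	env, _ := alice.Encrypt(bob.Public(), "bob", []byte("meet at 9")) // constructed sample message
	relay.Accept(env)
	for _, e := range relay.Deliver("bob") {
		pt, err := bob.Decrypt(alice.Public(), e)
		fmt.Printf("relay saw %x; bob read %q (err=%v)\n", e.Ciphertext, pt, err)
	}
}
```

Note what the relay does still see: the routing label, the ciphertext length and the time the envelope passed through. That is exactly the residual metadata Section 7 is about, which is why the statement treats timing and size data separately from content.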

7. Metadata Processing and Limitations

In communication systems, metadata refers to technical information that describes how communication happens rather than what is being communicated. For messaging and calling apps, this can include details such as:

  • connection timing

  • message delivery status

  • basic technical parameters needed to route data

EXTRA SAFE does not collect or retain metadata in any way that allows identification of communication partners, user locations, contact graphs, message content, or communication frequency.

The app is designed so that conversations remain anonymous and cannot be linked to real-world identities.

However, like any modern application, EXTRA SAFE processes a minimal set of technical and aggregated data strictly to ensure functionality, reliability, security, and product improvement.

This data does not identify users and cannot be used to trace individual conversations or behavior.

The limited data processed may include:

7.1 Message & Session Timing (Technical)

Timestamps required to:

  • deliver messages correctly

  • enforce message expiration and automatic deletion

  • synchronize call and session lifecycle events

These timestamps are not used to build communication patterns or user profiles.

7.2 Content Handling Metadata (Non-content)

File size and data volume indicators to:

  • manage bandwidth usage

  • prevent abuse

  • ensure stable delivery of files and media

File contents, filenames, and message text are never analyzed or stored.

7.3 App & Device Environment (Anonymous, High-Level)

Collected in aggregated form to ensure compatibility and stability:

  • App version

  • Operating system and OS version

  • Platform type (e.g., mobile OS family)

  • Device category (e.g., phone vs tablet)

No persistent device identifiers, advertising IDs, or hardware fingerprints are collected.

7.4 Language & Localization Signals

Device language setting. Used solely to:

  • display the interface in the correct language

  • detect localization issues

Language data is not linked to geography or identity.

7.5 Usage Events (Aggregated & Anonymized)

Basic in-app events such as:

  • app open

  • feature usage (e.g., call started, screen shared)

  • error and crash signals

These events help:

  • detect bugs and performance issues

  • improve usability and stability

  • understand feature adoption at an aggregate level only.

No individual user journeys or behavioral profiles are created.

7.6 Acquisition & Performance Analytics (Non-identifying)

Attribution data may be used in aggregate to understand:

  • general acquisition channels (e.g., app store vs referral)

  • overall campaign performance

This data does not include personal identifiers, contact details, or cross-app tracking.

8. Data Storage and Retention Periods

EXTRA SAFE uses ephemeral data handling by default. Data is retained only as long as necessary to support ongoing conversations, after which it is deleted.

“Temporary” means data exists only in memory or short-lived encrypted storage while a conversation is active or until a user-defined timer expires. Once that condition is met, the data is automatically removed.

When users leave a call session, all in-call messages and related content are deleted immediately. EXTRA SAFE does not maintain historical archives or message logs.

9. Server-Side Data Processing

EXTRA SAFE servers facilitate connections and message delivery but do not access communication content or user identity data.

We keep routing and content separate. While limited technical data may pass through servers to enable connections, communication content and user identity data are excluded by design. Messages, calls, and files are neither stored by nor readable to server-side systems.

Our servers are primarily stateless and do not retain user data. Where a short-lived state is required, it is minimal, encrypted, and temporary. Persistent storage of communication content or identity data is not part of the system architecture.

10. Client-Side Processing and Local Data

Most security-critical operations in EXTRA SAFE happen on the user’s device. That includes generating encryption keys, encrypting and decrypting messages, and verifying requests before any communication is established.

By keeping these operations local, the system avoids a central point where sensitive data could be exposed or a central point of failure. The user’s device generates and retains its encryption keys, and they are not transmitted elsewhere.

Client-side processing allows users to control their data lifecycle. Content is created, secured, and removed on the device according to user preferences. This decentralized approach ensures privacy by default.

11. Regulatory Alignment and Legal Basis

EXTRA SAFE is built with the core GDPR principles in mind. For example, data minimisation under Article 5(1)(c) translates directly into design decisions such as not accessing users' contact lists, so that we process only the data strictly necessary for communication. Our design practices follow data protection by design and by default (Article 25), so that default settings favour the least possible data exposure.

Purpose limitation is integrated into the system. We use data only for its intended purpose and do not reuse, repurpose, or retain it for other reasons.

EXTRA SAFE does not rely on user consent to justify collecting additional data. Instead, the system is designed to function without creating excess data in the first place.

12. Third-Party Access and Data Sharing

EXTRA SAFE does not sell users’ data to third parties, and we do not share the content of users’ messages or calls with anyone.

We do not use third-party analytics to inspect or process communication content. Infrastructure providers are involved only to support technical operation, such as connectivity and availability, and are limited to what is strictly necessary for that role. They do not receive access to message content or user identity data.

Data is managed to ensure that information enabling conversation is not repurposed for secondary uses. EXTRA SAFE does not use technical data for advertising, profiling, or unrelated analysis.

13. How Data Minimisation Reduces Risk

Minimising data reduces risk directly, by limiting what could leak or be used in ways we do not intend. When less data exists, the impact of a potential breach is inherently smaller: there are no large datasets to leak, correlate, or exploit.

By not collecting identity data or long-term metadata, we reduce the risk of surveillance, profiling, and pattern analysis. Users’ conversations are about the present moment, not about building a history or keeping a record of their behaviour.

Minimizing the amount of collected data also reduces the scope of legal or coercive requests. Only the data we possess can be requested. EXTRA SAFE retains communication data only briefly and in minimal amounts. Data that is never collected or retained cannot be leaked or misused.

14. User Control and Transparency Measures

EXTRA SAFE is built with privacy-first defaults. Communication is temporary by default, and data minimisation does not rely on hidden settings or opt-outs. Adjustable settings, such as the message timer, are explicit and user-controlled.

Data is handled consistently, with no background collection or silent changes. No data is collected beyond what is needed to make communication work.

Users can learn more or verify EXTRA SAFE’s data handling through this statement and related technical documentation. Predictable behavior builds trust.

15. Limitations of This Statement

This statement describes how EXTRA SAFE processes and minimises data within its own systems. It does not address risks outside our platform and control, such as operating system vulnerabilities, device security, network environments, or user behavior.

No communication system can eliminate all risk. Some risks are beyond EXTRA SAFE’s control, including compromised devices, unsafe environments, or misuse of shared links.

Transparency is central to building trust. EXTRA SAFE reduces risk through minimisation and decentralisation, rather than promising complete protection. Clear boundaries are essential for trust.

16. Statement Versioning and Accountability

Version: 2.0
Created: 1st September 2025
Last updated: 20th December 2025

This Data Minimisation Statement reflects how EXTRA SAFE operates today. We will not make undocumented changes to our data handling. Any significant changes will be recorded and included in future versions of this statement.

EXTRA SAFE views data minimisation as an ongoing commitment, not just a promise. This is a living document that will evolve with the product, while maintaining its core principles.