Privacy Policy
Last updated: 15 April 2026
This Privacy Policy explains how Deegram ("Deegram", "we", "us") processes personal data when you use our website, mobile app, or API (together, the "Service"). We follow the GDPR (Regulation (EU) 2016/679) as it applies in Norway through the EEA Agreement and the Norwegian Personal Data Act (personopplysningsloven).
Important — blockchain data is permanent. Deegram publishes posts, comments, votes, and transfers to the public Hive blockchain. These on-chain records are irreversible and cannot be deleted, not by us and not by anyone else. Before you publish, understand that the content will remain publicly accessible forever. GDPR erasure rights apply to the data we hold on our own servers, not to data on the blockchain.
1. Data controller
The data controller for personal data processed through the Service is:
Robin Amir Rondestvedt Moudnib
Sole proprietor, Norway
Contact for privacy requests: privacy@deegram.com
2. Personal data we process
We process only the data needed to operate the Service:
- Account identifiers — your Hive blockchain username and public keys. We do not store your private keys; they stay on your device.
- Age verification — your date of birth, collected during registration to enforce the 13+ age requirement and 18+ gating for NSFW content.
- Profile data — any display name, bio, avatar, and preferences you set through the Service.
- Content metadata — drafts, mutes, blacklist entries, notification preferences, and similar data tied to your account.
- Push notification tokens — device tokens from Expo or Apple/Google push services, so we can deliver notifications.
- Technical data — IP address, user-agent, and request logs, kept in server logs for up to 30 days for security and debugging.
- Analytics — aggregate usage events via PostHog, only if you consent.
- Error diagnostics — crash reports and exceptions via Sentry; we disable the collection of personally-identifiable information by default.
3. Purposes and lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Operating your account and serving the feed | Performance of a contract — Art. 6(1)(b) |
| Age-gating and NSFW compliance | Legal obligation / legitimate interest — Art. 6(1)(c), 6(1)(f) |
| Security, abuse prevention, moderation | Legitimate interest — Art. 6(1)(f) |
| Error tracking (Sentry) | Legitimate interest — Art. 6(1)(f) |
| Product analytics (PostHog) | Consent — Art. 6(1)(a) |
| Push notifications | Consent — Art. 6(1)(a) (OS permission prompt) |
4. Where your data goes (sub-processors)
We use the following providers to run the Service. All are GDPR-compliant under SCCs or EU data centres:
- PlanetScale — PostgreSQL database hosting, EU (eu-west-2, London).
- Cloudflare R2 — media storage, EU region.
- Fly.io — API server hosting (Amsterdam).
- Vercel — web frontend hosting; global edge network.
- Sentry — error tracking (EU region where available).
- PostHog — product analytics (EU Cloud).
- Expo / Apple / Google — push notification delivery to your device.
- Hive blockchain — public, permanent ledger. Any post, comment, vote, or transfer you publish is recorded on Hive and cannot be removed by us.
5. Retention
- Account and profile data: kept until you delete your account.
- Server access logs: 30 days.
- Error diagnostics: 90 days.
- Analytics events: up to 12 months, then aggregated or deleted.
- Soft-deleted accounts: we mark your account as deleted immediately and hard-delete personal data within 30 days, except where law requires us to retain it.
- Blockchain data: permanent. Any content published to Hive is outside our control and cannot be deleted.
6. Your GDPR rights
You have the following rights over your personal data:
- Access (Art. 15) — request a copy of the data we hold on you. Use the data-export endpoint in the app, or email us.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — delete your account and the personal data we hold on our servers. Blockchain data cannot be erased.
- Restriction (Art. 18) and objection (Art. 21) — pause or limit how we process your data.
- Portability (Art. 20) — receive your data in a machine-readable (JSON) format.
- Withdraw consent (Art. 7) — turn off analytics or notifications at any time from Settings.
To exercise any of these rights, email privacy@deegram.com. We respond within 30 days.
7. Right to complain
If you believe we process your data unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):
Datatilsynet, Postboks 458 Sentrum, 0105 Oslo, Norway
www.datatilsynet.no
8. Cookies and similar technologies
We use a minimal set of cookies and local storage items:
| Name | Purpose | Type |
|---|---|---|
| dg_access_token | Authentication session (JWT) | Essential — no consent required |
| dg_consent_v1 | Remembers your consent choices | Essential — no consent required |
| PostHog (ph_*) | Product analytics | Optional — set only if you accept analytics |
You can change your consent choices any time from the Cookie preferences link in the footer.
9. Children
The Service is not directed at children under 13, and we do not knowingly collect data from anyone under 13. Accounts marking NSFW content must be 18 or older.
10. Security
We use TLS in transit, encrypted storage at rest, least-privilege access, and monitoring via Sentry. We never store your Hive private keys — they are held on your device only, and we cannot recover them if you lose them.
11. Changes
We may update this Policy. When we make material changes, we will update the "last updated" date and, where appropriate, notify you in the app. Continued use of the Service after changes take effect means you accept the updated Policy.
12. Contact
Questions or requests: privacy@deegram.com.
See also our Terms of Service.