Privacy Policy

Privacy isn't a policy.
It's the architecture.

SafeVoice collects zero personal data from reporters by design. This isn't a legal promise — it's a technical constraint. Here's exactly how it works.

Last updated: March 15, 2026 · 6 min read · Version 2.0

Trust Architecture

SafeVoice is designed so we cannot identify reporters even if we wanted to. No database column for personal data exists. No IP logs are stored. This is structural, not just policy.

Zero Personal Data by Design

SafeVoice does not collect any personal data from people who send messages. This is not a privacy policy — it's a technical impossibility. The platform is architecturally incapable of storing:

  • Names
  • Email addresses
  • Phone numbers
  • IP addresses
  • Device IDs
  • Location data
  • Browser fingerprints
  • Cookies

Why this matters

When someone reports harassment or misconduct, their safety depends on there being nothing to trace. SafeVoice's database has no column for "reporter email" or "reporter IP." Even if compelled by law, we cannot produce what we never stored.

Anonymous IDs

When someone starts a chat, they receive a human-readable ID like HOPE-2847-STAR. This ID is:

  • Randomly generated — no connection to the user's identity, device, or session
  • Stored in the database only as a hash — not directly readable if breached
  • Used only to allow the reporter to return to their conversation
  • Impossible to reverse-engineer into any identifying information

The anonymous ID is the only credential a reporter has. There is no password, no email reset, no account recovery. If they lose it, the conversation cannot be retrieved — by anyone.
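As an added illustration (not SafeVoice's own code; the platform's word list, storage layer and exact hash scheme are not on this page), the Python sketch below shows the return-credential model described above: an ID built from a CSPRNG, a hash of that ID as the only value ever stored, and an append-only message record with no edit or delete path. Keying the hash with a server-side secret is an assumption beyond the page's word "hash"; it is included because the ID format's entropy (computed by `id_space_bits`) is modest, so an unkeyed hash would add little protection if the table itself leaked.

```python
import hashlib
import hmac
import math
import secrets

# Constructed word list for the demo; the real service's list is not on the page.
WORDS = ["HOPE", "STAR", "CALM", "DAWN", "KIND", "MOON", "SAFE", "TRUE"]

# Server-side secret that keys the lookup hash (assumption: the page says only "hash").
# In a deployment this would come from a secrets manager, never from source control.
LOOKUP_KEY = secrets.token_bytes(32)


def generate_anonymous_id() -> str:
    """Build a human-readable ID like HOPE-2847-STAR from a CSPRNG."""
    return f"{secrets.choice(WORDS)}-{secrets.randbelow(10_000):04d}-{secrets.choice(WORDS)}"


def id_space_bits(word_count: int = len(WORDS)) -> float:
    """Entropy of the ID format in bits: two words plus four decimal digits."""
    return math.log2(word_count * word_count * 10_000)


def lookup_hash(anon_id: str) -> str:
    """Keyed hash of the normalised ID; this is the only value written to the database."""
    normalised = anon_id.strip().upper().encode()
    return hmac.new(LOOKUP_KEY, normalised, hashlib.sha256).hexdigest()


class ConversationStore:
    """In-memory stand-in for a database table keyed by ID hash."""

    def __init__(self) -> None:
        self._messages: dict[str, list[str]] = {}  # hash -> append-only messages

    def open_conversation(self) -> str:
        anon_id = generate_anonymous_id()
        self._messages[lookup_hash(anon_id)] = []
        return anon_id  # shown to the reporter once; never stored in clear

    def append_message(self, anon_id: str, text: str) -> bool:
        """Append only: there is no edit or delete path, matching the policy."""
        key = lookup_hash(anon_id)
        if key not in self._messages:
            return False  # unknown or lost ID: nothing can be recovered
        self._messages[key].append(text)
        return True

    def messages(self, anon_id: str) -> list[str]:
        return list(self._messages.get(lookup_hash(anon_id), []))

    def holds_plaintext(self, anon_id: str) -> bool:
        """Confirm the raw ID never appears among stored keys."""
        return anon_id in self._messages
```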

Message Permanence

SafeVoice has no message deletion functionality. This is a deliberate architectural choice, not a missing feature.

No deletion API

Once sent, a message exists permanently. Not even SafeVoice engineers can delete it.

No editing

Messages cannot be edited after sending. The record is immutable.

This protects both parties. A reporter has proof their message was sent. An organization has a permanent record of every report and response. In legal, HR, or compliance contexts, this matters enormously.

What We Store (Admins Only)

For organization staff who log in to the admin portal, we collect:

Data | Purpose | Retention
Email address | Login, notifications, verification | Until account deletion
Password hash | Authentication | Until account deletion
Name (optional) | Display in admin portal | Until account deletion
Admin activity log | Audit trail | Permanent

We never sell admin data. We never use it for marketing. It exists solely to operate the platform.

Retention & Deletion

Reporter Messages

Reporter messages are retained permanently by design. This is not negotiable — it's a feature, not a limitation. The permanent record protects both the reporter and the organization.

Organization Accounts

Organizations may request account deletion by contacting support@safevoice.co. The process:

  1. Request must come from the verified account owner (not any admin)
  2. Data export is offered before deletion
  3. Deletion is completed within 48 hours of verified request
  4. All messages, admin accounts, and configuration are permanently destroyed

Note: There is no self-service account deletion button. This is intentional — it prevents accidental deletion and ensures the request is verified by the organization owner.

Data Sharing

SafeVoice does not sell, rent, or trade any data — reporter or admin — to third parties. Period.

The only exceptions are:

  • Service providers who enable platform operation (Railway for hosting, Cloudflare R2 for file storage, SendGrid for email, Paystack for payments). All are contractually bound to process data only on our behalf.
  • Legal requirements if compelled by law. However, because we store zero reporter personal data, compliance would reveal nothing about who sent messages — only the messages themselves and the organization they belong to.

Your Rights

For Reporters (Anonymous Users)

Because SafeVoice stores no personal data about reporters, there is no data to access, correct, or delete. You are anonymous by architecture. The only credential is your anonymous ID — if lost, the conversation cannot be recovered.

For Admins

You may:

  • Access your account data via the admin portal
  • Update your name and email in account settings
  • Request account deletion (organization owners only)

For GDPR or other data protection requests, contact privacy@safevoice.co.

Security

Measure | Implementation
Password hashing | bcrypt with 12 rounds
Authentication | JWT tokens with 7-day expiry
Data isolation | Multi-tenant with organization_id on every query
Transport | HTTPS enforced on all connections
File storage | Cloudflare R2 with MIME validation

Children's Privacy

SafeVoice is used by schools and organizations that may serve children. The platform itself does not collect age information or verify user age — because it collects no personal data at all.

Organizations deploying SafeVoice are responsible for complying with applicable child protection laws (such as COPPA in the US) and for ensuring appropriate safeguarding protocols are in place.

If you believe a child has shared information that creates risk, contact the organization directly — they control the admin portal and can respond appropriately.

Changes to This Policy

If we make material changes to this privacy policy, we will notify organizations via email and post the updated policy on this page with a new "Last updated" date.

Material changes will never include retroactively claiming ownership of reporter messages or introducing personal data collection. The core promise of anonymity is structural and cannot be changed without rebuilding the platform.

Questions?

If you have any questions about this privacy policy or SafeVoice's data practices, contact us: