Privacy Overview

CatRealm Privacy Summary

Plain-language overview of how CatRealm handles account data, messages, calls, and security controls across central and self-hosted deployments.

Last refreshed: February 19, 2026
Identity: Username + authenticator app 2FA (TOTP)
Messaging: Stored on the chat server you join
Tracking: No ad-tech tracking by default

Accounts and Identity

  • Account model: username + authenticator app 2FA (TOTP). No passwords, except for decentralized/local accounts, where the password is saved only on that hosted server.
  • Account data saved centrally includes username, account ID, 2FA setup secret, profile fields, friend relationships/requests, and encrypted server-list sync blobs.
  • Session/auth tokens are stored client-side to keep you signed in (for example browser local storage).
  • Pending registrations auto-expire after about 10 minutes.

Messaging, Calls, and Storage

  • Messages/files are stored on the chat server you join; Central only deals with DMs & end-to-end encrypted.
  • Voice and screenshare use WebRTC. The auth server does not store call recordings. (Self-hosted servers may use a fallback or their own.)
  • Server-list sync is encrypted client-side before upload.
  • Account secrets used for authentication/sync (for example TOTP setup secret and sync key) are encrypted at rest.

Security and Infrastructure

  • Transport security depends on deployment: HTTPS/WSS protects data in transit when enabled.
  • Security controls include JWT auth, endpoint rate limits, and permission-based access checks.
  • Third-party infrastructure may process data depending on deployment choices (for example hosting, CDN, TURN/ICE relays, DNS, TLS providers).
  • Some operational metadata (timestamp and user agent) may exist in server/network logs depending on host/proxy setup. Central does not log IPs itself. A self-hosted server does not log them by default.

Operator Policies and Limits

  • Self-hosted operators can define their own logging, moderation, retention, and backup policies for their own servers.
  • If a server operator creates backups, deleted content may persist in backup sets until those backups rotate or are removed.
  • Users can manage/remove many profile and friend fields in-app; full account/server-data deletion depends on the server/operator environment.
  • No ad-tech tracking is included by default as we do not sell personal data.

This page is a summary, not a legal contract; it should be read together with each server operator's own policy/rules.
