Privacy Policy

Effective date: 2 April 2026

iMaliChat ("we", "us", or "our") operates the iMaliChat mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this policy carefully. By using the App you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Personal information you provide:

• Phone number – used for account creation, OTP verification, and login.
• Display name, username, and profile photo – shown to other users within the App.
• Date of birth, gender, province, and city – used to personalise your experience and for audience targeting of earn opportunities.
• Languages and interests – used to match you with relevant earn opportunities.

Information collected automatically:

• Device information – device model, operating system version, platform, and hardware-backed key status, used for security and device binding.
• FCM tokens – Firebase Cloud Messaging tokens for push notifications.
• Usage data – login timestamps, engagement activity, and in-app actions for analytics and fraud prevention.
• Advertising ID – collected by Google AdMob to serve ads within the App.

2. Device Permissions

• Camera – to take profile photos, capture media for chat messages, and complete upload earn tasks. You can deny or revoke this permission at any time in your device settings.
• Microphone – for voice messages and voice/video calls. Audio is transmitted peer-to-peer and is not recorded by us.
• Contacts – to help you find friends already using iMaliChat. Contact data is not uploaded to our servers; matching is done locally on your device.
• Biometrics (fingerprint / face) – for secure app unlock and session authentication. Biometric data never leaves your device.
• Internet & network state – required for the App to function.
• Notifications – to alert you about messages, earn opportunities, and reward updates.

3. How We Use Your Information

• To create and manage your account.
• To verify your identity via OTP and device-based authentication.
• To provide and personalise earn opportunities (token rewards).
• To process token transactions and maintain your wallet balance.
• To send push notifications about login requests, security alerts, and engagement updates.
• To display advertisements via Google AdMob.
• To detect and prevent fraud, abuse, and security threats.
• To comply with legal obligations.

4. Messaging & Calls

All peer-to-peer messages are end-to-end encrypted using the Signal Protocol (X3DH key agreement + Double Ratchet encryption). We cannot read the content of your messages. Message metadata (timestamps, participant identifiers, read receipts) is stored on our servers. Voice and video calls are conducted peer-to-peer via WebRTC; call content is not recorded.

5. Token Economy & Financial Data

The App uses a token-based reward system. Tokens are earned by completing tasks and cannot be purchased with money. We maintain a double-entry ledger of all token transactions (earnings, transfers, and contributions). Transaction records include amounts, timestamps, and participant identifiers. Tokens may be redeemed for airtime, mobile data, or cash via third-party service providers; we share only the minimum information required to fulfil your redemption request. No fiat currency is stored or processed within the App.

6. Data Sharing & Disclosure

We do not sell your personal information. We may share data with:

• Firebase / Google Cloud – for authentication, database hosting, cloud functions, analytics, and push notifications.
• Google AdMob – for serving advertisements. AdMob may collect device and advertising identifiers. See Google's Privacy Policy.
• MyMobileAPI – our SMS gateway provider, which receives your phone number solely to deliver OTP verification codes.
• Brand partners – anonymised or aggregated engagement metrics only. Your personal details are never shared with advertisers.
• Law enforcement – when required by law or to protect the safety of our users.

7. Data Security

We implement industry-standard security measures including:

• Hardware-backed cryptographic device binding (ECDSA key pairs).
• Biometric session locks.
• Runtime Application Self-Protection (RASP).
• Encrypted HTTPS communication.
• Server-side rate limiting and risk event monitoring.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure.

8. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal information from our active databases within 30 days. Some data may be retained in anonymised form for analytics or as required by law.

9. Your Rights

Under the Protection of Personal Information Act (POPIA) and other applicable laws, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your account and associated data.
• Object to the processing of your personal information.
• Withdraw consent at any time.

To exercise any of these rights, contact us at privacy@imalichat.com.

10. Children's Privacy

The App is not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such information.

11. Third-Party Links

The App may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or push notification. The "Effective date" at the top indicates when the policy was last revised.

13. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

iMaliChat
Email: privacy@imalichat.com
South Africa