Privacy & Safety Center
Duruha is designed to be an intentional, reputation-aware community. Review our strict data safeguards, identity protections, and community guidelines below.
Verification IDs Deleted
Government IDs uploaded for persona verification are permanently deleted immediately after approval or rejection. We store no copies.
Signal Protocol E2EE
Private messages use the Signal Protocol (Double Ratchet). Encryption keys reside on-device. We cannot decrypt or read your chats.
No Background Tracking
Location coordinates are captured once at onboarding to place you in the community hierarchy. No passive or background tracking.
No Advertising Profiles
We do not sell, rent, trade, or lease personal data. Duruha is completely free from third-party advertising trackers.
Privacy Policy
Effective date: May 19, 2026
This Privacy Policy explains what information Duruha collects from you when you use the Duruha mobile application ("App"), why we collect it, how we use and protect it, and what choices you have. By creating an account, you agree to the collection and use of information described here.
1. Information We Collect
We collect information you provide directly, such as your email address, password (stored hashed), display name, and optional profile info (date of birth, bio, photo). Location coordinates may be shared at onboarding to place you in the community hierarchy. For Verified Personas, we collect unredacted government-issued IDs for immediate verification (instantly deleted upon approval/rejection) and redacted copies displayed publicly. The app does not integrate third-party analytics or crash reporting and collects no advertising IDs.
1.1 Information You Provide Directly
Account details (email, hashed password, display name), profile data (DOB, bio, photo, labels), optional GPS coordinates during onboarding, and user-generated posts/media.
1.2 Verification and Persona Information
Unredacted government IDs are used strictly for an internal compliance check and are permanently deleted upon resolution. Redacted public copies are uploaded by the user to display verified status.
1.3 Automatically Collected Information
No third-party analytics trackers, device IDs, or advertising IDs. We only process session auth tokens and internal app activity signals (votes, views) for reputation scoring.
2. How We Use Your Information
We use your details to manage accounts, authenticate sessions, populate geographic feeds, calculate credibility scores, enable encrypted messaging, and process verification applications. We do NOT use personal info for targeted advertising, do NOT build profiles, and do NOT sell or rent data to third parties.
3. Verification Documents and Proof
Unredacted copies are encrypted in transit/at rest and accessible only to authorized compliance staff before immediate deletion. Users must manually redact sensitive fields on the public copy. Verification does not constitute an endorsement.
4. Location Data
GPS coordinates place users in the community hierarchy (barangay, city, province). Precise location matching is needed for local boards. Background location access is not requested or tracked. Permissions can be revoked at any time.
5. User-Generated Content
Posts, comments, and media are visible depending on the community context. Users should not post sensitive identifiers publicly. In-app controls allow users to delete posts/comments at any time.
6. Encrypted Private Messaging
Private messages use the Signal Protocol (X3DH key agreement + Double Ratchet). Message content is encrypted on-device. Servers store only room metadata, participant lists, and encrypted ciphertext. Ephemeral message mechanisms include burn-after-read and time-based TTL. Chat exports are local-only.
Signal Protocol E2EE Specs
Duruha utilizes the Signal Protocol (X3DH and Double Ratchet) for client-side cryptographic encryption. Message logs and encryption keys are stored strictly locally on your physical device. If you discard your backup PIN, your chat logs are physically irrecoverable.
7. Sharing of Information
We use Supabase as our secure backend infrastructure provider (auth, database, file storage). Google Fonts deliver fonts directly. Profile data is shared only with other platform members. No data broker or advertiser sharing.
8. Data Retention Policy
Account details and reputation are held until account deletion. Unredacted verification IDs are deleted instantly upon review. Public copies are held until request or account deletion (within 30 days). Private message ciphertext is ephemeral and deleted after session end.
| Data Category | Retention Period |
|---|---|
| Account Data (email, profile) | Until account deletion |
| Verification Copy (unredacted) | Deleted immediately upon approval/rejection |
| Verification Copy (public) | Until request or account deletion (within 30 days) |
| Posts, Comments & Media | Until deleted by user or account deletion |
| Private Message Ciphertext | Ephemeral — deleted automatically on session end |
| Reputation & Auth Tokens | Until account deletion / session scope expired |
9. User Rights and Controls
Users have the right to access, correct, and delete accounts (Profile -> Settings -> Delete/Backup Account). You can mute geographic feeds, block users, delete individual posts, and withdraw consent.
10. Security Safeguards
We employ TLS/HTTPS encryption in transit, AES-256 for data at rest, secure local keys via Android Keystore, the Signal Protocol, PIN-protected backups (Argon2id + AES-GCM), and strict device backup exclusions.
11. Children and Minors
Duruha is restricted to users aged 18 and older. We do not knowingly collect minor data and will suspend accounts immediately if a minor is detected.
12. Philippines Context & Data Privacy Act
Duruha is developed and operated in the Philippines. Filipino users enjoy rights under the Data Privacy Act of 2012 (Republic Act No. 10173). Issues may be referred to the National Privacy Commission (NPC).
RA 10173 - Data Privacy Act of 2012
Duruha fully supports your rights to access, object, delete, rectify, and file concerns with the National Privacy Commission (NPC) of the Philippines. Contact lmrtamayor@gmail.com for DPA inquiry handling.