This Privacy Policy sets out how we, Bufa Messenger Inc. (“Bufa”), use and protect your personal data that you provide to us, or that is otherwise obtained or generated by us, in connection with your use of our cloud-based messaging services (the “Services”). For the purposes of this Privacy Policy, ‘we’, ‘us’ and ‘our’ refers to Bufa, and ‘you’ refers to you, the user of the Services.
Bufa has two fundamental principles when it comes to collecting and processing private data:
This Privacy Policy forms part of our Terms of Service, which describes the terms under which you use our Services . This Privacy Policy should therefore be read in conjunction with those terms.
This Privacy Policy explains the following:
We process your personal data on the ground that such processing is necessary to further our legitimate interests (including: (1) providing effective and innovative Services to our users; and (2) to detect, prevent or otherwise address fraud or security issues in respect of our provision of Services), unless those interests are overridden by your interest or fundamental rights and freedoms that require protections of personal data.
Bufa is a communication service. You provide your mobile number and basic account data (which may include profile name, profile picture and about information) to create a Bufa account.
To make it easier for your contacts and other people to reach you and recognize who you are, the screen name you choose, your profile pictures, and your username (should you choose to set one) on Bufa are always public. We don't want to know your real name, gender, age or what you like.
We do not require your screen name to be your real name. Note that users who have you in their contacts will see you by the name they saved and not by your screen name.
We do not collect your email address.
Bufa is a cloud service. We store messages, photos, videos and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups. All data is stored heavily encrypted . This way local engineers or physical intruders cannot get access to user data.
Secret chats use end-to-end encryption. This means that all data is encrypted with a key that only you and the recipient know. There is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats. For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from.
When you send photos, videos or files via secret chats, before being uploaded, each item is encrypted with a separate key, not known to the server. This key and the file’s location are then encrypted again, this time with the secret chat’s key — and sent to your recipient. They can then download and decipher the file. This means that the file is technically on one of Bufa’s servers, but it looks like a piece of random indecipherable garbage to everyone except for you and the recipient. We don’t know what this random data stands for and we have no idea which particular chat it belongs to. We periodically purge this random data from our servers to save disk space.
In addition to private messages, Bufa also supports public groups. All public chats are cloud chats (see section 3.3.1 above). Like everything on Bufa, the data you post in public groups is encrypted, both in storage and in transit — but everything you post in public will be accessible to everyone.
Bufa uses phone numbers as unique identifiers so that it is easy for you to switch from SMS and other messaging apps and retain your social graph. We ask your permission before syncing your contacts.
We store your up-to-date contacts in order to notify you as soon as one of your contacts signs up for Bufa and to properly display names in notifications. We only need the number and name (first and last) for this to work and store no other data about your contacts.
If you are using Android, Bufa will ask you for permission to access your phone call logs (READ_CALL_LOG). If you grant this permission, Bufa will be able verify your account by transmitting a phone call instead of asking you to enter a code. Bufa uses this permission only to confirm receipt of the confirmation call by verifying the number in the call log.
If you share a location in a chat, this location data is treated like other messages in cloud or secret chats respectively.
If you share your Live Location in any chat or turn on ’Make Myself Visible’ in People Nearby, Bufa will use your data to display your location to those users with whom you are sharing it, even when the app is closed – for as long as you keep these optional features activated.
If you signed up for Bufa, your data is stored in data centers in the Singapore. These are third-party provided data centers in which Bufa rents a designated space. However, the servers and networks that sit inside these data centers and on which your personal data is stored are owned by Bufa. As such, we do not share your personal data with such data centers. All data is stored heavily encrypted so that local Bufa engineers or physical intruders cannot get access.
Your messages, media and files from secret chats (see section 3.3.2 above), as well as the contents of your calls and the data you store in your Bufa are processed only on your device and on the device of your recipient. Before this data reaches our servers, it is encrypted with a key known only to you and the recipient. While Bufa servers will handle this end-to-end encrypted data to deliver it to the recipient, we have no ways of deciphering the actual information. In this case, we neither store nor process your personal data, rather we store and process random sequences of symbols that have no meaning without the keys which we don’t have.
Unless stated otherwise in this Privacy Policy, the personal data that you provide us will only be stored for as long as it is necessary for us to fulfill our obligations in respect of the provision of the Services.
Bufa is a cloud service. We will process your data to deliver your cloud chat history, including messages, media and files, to any devices of your choosing without a need for you to use third-party backups or cloud storage.
Bufa supports massive groups which we have to police against abuse and Terms of Service violations. To improve the security of your account, as well as to prevent abuse, and other violations of our Terms of Service, we may collect metadata such as your IP address, devices and Bufa apps you've used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum.
Other users of our Services with whom you choose to communicate with and share certain information. Note that by entering into the Terms of Service and choosing to communicate with such other users of Bufa, you are instructing us to transfer your personal data, on your behalf, to those users in accordance with this Privacy Policy. We employ all appropriate technical and organizational measures (including encryption of your personal data) to ensure a level of security for your personal data that is appropriate to the risk.
You can control how your data is used (e.g., delete synced contacts) in Me > Privacy (using one of our mobile apps).
If you would like to delete your account, you can wait Account Self-Destruction. Deleting your account removes all messages, media, contacts and every other piece of data you store in the Bufa cloud.
By default, if you stop using Bufa and do not come online for at least 6 months, your account will be deleted along with all messages, media, contacts and every other piece of data you store in the Bufa cloud. You can go to Security > Privacy to change the exact period after which your inactive account will self-destruct.
Revised: 29 March 2023