Privacy Policy

Last updated: 1 March 2026

Agora is designed from the ground up to minimise the data it holds about you. No messages, no conversation metadata, and no behavioural tracking ever reach or are stored on Agora servers.

What data is stored

When you authenticate and complete onboarding, the following is stored:

  • A pseudonymous identifier from your eID provider — an opaque string (a persistent NameID or OIDC sub claim) assigned by the government ID system. This is not your real name, national identity number, or any other field from your identity document.
  • An identifier for the eID provider you used (e.g. nemlogin for MitID, mobywatel for mObywatel).
  • A random UUID that serves as your Agora user ID.
  • Your ECDSA P-256 public key and a CA-signed certificate linking your user ID to that key. Your private key is generated in your browser and never transmitted.
  • Timestamps for when your account was created and last updated.

What is never stored

  • Your real name, date of birth, national identity number, or any personal document field from your eID
  • Message content — messages travel directly between browsers via WebRTC and never touch the server
  • Your IP address
  • Conversation history or metadata
  • Browser fingerprint, device identifiers, or any behavioural tracking data

What is stored on your device only

The following is stored in your browser's IndexedDB and never transmitted to the server:

  • Your chosen alias — the username you pick during onboarding. It is shared with contacts you message via the peer-to-peer channel, but never uploaded to any server.
  • Your private key — generated locally, marked non-extractable, and never leaves the browser.
  • Your conversation history — all message blocks are stored only in your browser's IndexedDB.

Authentication

When you click a login button, your browser is redirected to the relevant government ID provider (MitID operated by the Danish government, or mObywatel operated by the Polish government). Agora never receives your identity document, biometric data, or credentials — authentication is handled entirely by the provider.

During the redirect flow, a temporary server-side session is maintained solely to carry cryptographic state (a nonce and relay state) between redirects to the eID provider. This session is discarded immediately after authentication completes.

After successful authentication, Agora issues a JSON Web Token (JWT) stored in your browser's sessionStorage. Session storage is cleared automatically when you close the tab. No persistent session cookies are used by Agora.

Tracking and logging

No analytics, no cookies beyond those strictly necessary for the authentication redirect, no third-party tracking scripts, and no logging of page views or user behaviour takes place on the Agora website or server.

Encryption keys

Encryption and signing keys are generated in your browser using the Web Cryptography API and stored in your browser's IndexedDB. Private keys are marked non-extractable and cannot be read by any script, including Agora's own. They never leave your device. Only your public key is transmitted to and stored by the server.

A new key pair is generated on each new login session. Previous sessions' keys remain in the browser that created them; key recovery across devices is not supported.
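
The "non-extractable" property described above can be checked directly against the Web Cryptography API. The following is an added example, not Agora's own code; the function names and the sample message are assumptions made for illustration, and it runs in a browser console or Node.js.

```javascript
// Added example: what "non-extractable" means for an ECDSA P-256 key pair.
// Function names are illustrative and do not come from Agora's code base.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

async function generateIdentityKey() {
  // extractable=false applies to the private key; the public key stays exportable.
  return subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
}

async function demonstrateNonExtractable() {
  const { privateKey, publicKey } = await generateIdentityKey();

  // The public half can be exported, e.g. to submit it for certification.
  const publicJwk = await subtle.exportKey("jwk", publicKey);

  // Every export format for the private half must be refused by the API.
  const refused = {};
  for (const format of ["pkcs8", "jwk"]) {
    try {
      await subtle.exportKey(format, privateKey);
      refused[format] = false; // key bytes were handed out: not acceptable
    } catch (err) {
      refused[format] = true;
    }
  }

  // The opaque handle is still usable: sign with it, verify with the public key.
  // In a browser the same CryptoKey handle can be stored in IndexedDB
  // (structured clone) without its key bytes becoming readable.
  const message = new TextEncoder().encode("constructed sample message");
  const algorithm = { name: "ECDSA", hash: "SHA-256" };
  const signature = await subtle.sign(algorithm, privateKey, message);
  const verified = await subtle.verify(algorithm, publicKey, signature, message);

  return {
    privateExtractable: privateKey.extractable,
    publicExtractable: publicKey.extractable,
    publicJwk,
    refused,
    signatureLength: signature.byteLength,
    verified,
  };
}
```

Non-extractability stops export of the key bytes; code running in the page's origin can still ask the handle to sign, which is why the example verifies a signature made with it.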

GDPR

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to the processing of your personal data.

Legal basis for processing

Processing is based on Article 6(1)(b) GDPR — it is necessary for the performance of the service. Storing your pseudonymous eID identifier and public key is the minimum required to authenticate you and issue a cryptographic certificate. Without this, the service cannot function.

Data minimisation

Agora stores only what is technically required to operate. No fields beyond those listed in the “What data is stored” section above are collected, and no data is used for any purpose beyond providing the service.

No profiling or automated decision-making

Agora performs no profiling, behavioural analysis, or automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR).

No third-party data sharing

Your data is not sold, rented, or shared with any third party for commercial purposes. The only external parties involved in processing are the government eID providers (MitID, mObywatel) at the point of authentication — they act as independent controllers of the authentication step and are subject to their own privacy regulations. Agora receives only the resulting pseudonymous identifier.

Your rights

Under GDPR you have the right to:

  • Access (Art. 15) — request a copy of the personal data Agora holds about you
  • Erasure (Art. 17) — request deletion of your account and all associated server-side data; note that local data (keys, messages) must be cleared from your browser separately
  • Restriction (Art. 18) — request that processing be restricted while a dispute is resolved
  • Portability (Art. 20) — receive the personal data you provided in a structured, machine-readable format
  • Rectification (Art. 16) — note that the pseudonymous identifier is assigned by your government eID provider and cannot be altered by Agora; your public key can be rotated via the settings page

To exercise any of these rights, open an issue on the project's public repository.

Right to lodge a complaint

You have the right to lodge a complaint with your national data protection supervisory authority. In Denmark this is Datatilsynet; in Poland, UODO. A full list of EU supervisory authorities is maintained by the European Data Protection Board.

Contact

Agora is a project by Effective Activism. For questions or requests relating to this privacy policy, including exercising your GDPR rights, please get in touch via that site.