Privacy Policy

Last updated: May 2026 · Operated by tlgrm

This Privacy Policy explains how tlgrm (“we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use the tlgrm service (“Service”) available at tlgrm.mystackmint.com. Please read it carefully alongside our Terms & Conditions and Disclaimer.

1. Data Controller

The data controller responsible for your personal data is:

If you are located in the EU / EEA or UK and have questions about our processing of your personal data, please contact us at the address above.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, hashed password (or OAuth token if you sign in via a third-party provider), account creation date, and account status.
  • Profile data: Display name, profile picture (optional), language preference, and timezone.
  • Billing data: Subscription plan, billing cycle, payment method type (e.g., last four digits of card — full card details are held by our payment processor, not by us), transaction IDs, and invoice history.
  • Communications: Support tickets, email correspondence, and any feedback or survey responses you submit.
  • Consent records: A versioned record of the consents you have granted or withdrawn, including the consent text version, timestamp, and IP address at time of consent.
  • Usage data: Feature interactions (pages viewed, buttons clicked, searches performed), feed subscription list, notification settings, and export history.
  • Technical data: Browser type and version, operating system, device type, screen resolution, and referring URL.
  • Log data: Server-side access logs including IP address, request path, HTTP method, response code, and timestamp. Logs are retained for 90 days.
  • Cookies and similar technologies: Session cookies (authentication), preference cookies, and analytics cookies. See Section 14 for details.
  • Third-party sources: If you authenticate via Google OAuth or another third-party provider, we receive your email address and profile name from that provider, subject to your privacy settings with them.

We do not store the content of your Telegram messages beyond what is temporarily cached to render your feed. Feed content is not used for advertising, profiling, or sold to third parties.

3. Legal Basis for Processing

Where the GDPR applies, we rely on the following legal bases (GDPR Art. 6) for processing your personal data:

Processing purpose | Legal basis
Providing the Service (account management, feed delivery) | Art. 6(1)(b) — Performance of a contract
Billing and payment processing | Art. 6(1)(b) — Performance of a contract
Audit logging for compliance and security | Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests
Security monitoring and fraud prevention | Art. 6(1)(f) — Legitimate interests
Sending transactional emails (receipts, security alerts) | Art. 6(1)(b) — Performance of a contract
Sending marketing emails and product updates | Art. 6(1)(a) — Consent
Analytics to improve the Service (anonymised) | Art. 6(1)(f) — Legitimate interests
Retaining billing records for tax / accounting | Art. 6(1)(c) — Legal obligation
Responding to legal requests from authorities | Art. 6(1)(c) — Legal obligation

Where we rely on legitimate interests, you have the right to object to that processing (see Section 11).

4. How We Use Your Data

We use your personal data to:

  • Create and manage your account and authenticate you when you sign in.
  • Deliver the Service — aggregating and displaying Telegram channel content in your feed.
  • Process subscription payments and send billing confirmations.
  • Send transactional communications: security alerts, password resets, and service notices.
  • Send marketing communications and product updates where you have consented (you can unsubscribe at any time).
  • Detect, investigate, and prevent fraudulent activity and security incidents.
  • Maintain our immutable audit log for compliance and security purposes.
  • Analyse anonymised and aggregated usage patterns to improve the Service (no individual profiling).
  • Comply with applicable legal obligations, including responding to lawful requests.
  • Resolve disputes and enforce our Terms & Conditions.

5. Audit Logging

As part of our security and compliance controls, we maintain an immutable audit log that records significant events in your account:

  • Login and logout events (with IP address and device fingerprint).
  • Data export requests and their fulfilment.
  • Changes to account settings, privacy preferences, and consent records.
  • Administrative actions taken on your account by tlgrm staff (if any).
  • Subscription and billing events.

The audit log records metadata only — it does not capture the content of your Telegram feed. Audit logs are retained for six to seven years to satisfy financial, legal, and regulatory obligations. You can view and export your audit log via Settings → Security → Audit Log or request it as part of a Subject Access Request.

6. Consent Management

Where we rely on your consent for processing (e.g., marketing emails, certain analytics cookies), we:

  • Present a clear, unbundled consent request at the time of collection, stating the specific purpose.
  • Record the consent version, timestamp, IP address, and the exact consent text you agreed to.
  • Allow you to review and withdraw consent at any time via Settings → Privacy → Consent Management.
  • Never make access to the core Service conditional on consent to optional processing.

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

7. Data Sharing and Disclosure

We do not sell your personal data. We share it only in the following circumstances:

  • Cloud infrastructure providers: We use cloud hosting providers to operate the Service. These providers process data on our behalf under Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.
  • Payment processors: Subscription payments are handled by a third-party payment processor (e.g., Stripe). We share only the data necessary to process your payment. Full payment-card details are never transmitted to or stored on our servers.
  • Analytics (anonymised): We may use privacy-preserving analytics tools that process anonymised or aggregated data. No individually identifiable data is shared with analytics providers.
  • Customer support tools: Support enquiries may be processed via a support platform. Only data necessary to resolve your ticket is shared.
  • Legal authorities: We may disclose personal data to law-enforcement, regulators, or courts where required by applicable law, a court order, or to protect the rights, property, or safety of tlgrm, our users, or others. We will notify you of such requests where permitted by law.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same protections as set out in this Policy. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

If your personal data is transferred outside the European Economic Area (EEA) or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): We execute the EU Commission’s approved SCCs (2021 version) with sub-processors located outside the EEA.
  • UK IDTA: For transfers from the UK, we use the UK International Data Transfer Agreement (IDTA) or addendum where applicable.
  • Adequacy decisions: Where the destination country benefits from a European Commission adequacy decision, we rely on that decision.

For more information about the safeguards in place for international transfers, contact [email protected].

9. Data Security

We implement industry-standard technical and organisational measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Personal data stored in our databases is encrypted using AES-256.
  • Multi-factor authentication: MFA is available for all user accounts and mandatory for administrative accounts.
  • Access controls: Production systems are accessible only to authorised personnel on a least-privilege basis.
  • Security testing: We conduct regular vulnerability assessments and annual penetration tests.
  • Breach notification: In the event of a personal data breach posing a risk to individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected users without undue delay, as required by GDPR Art. 33–34.

10. Data Retention

We retain your personal data for the following periods:

Data category | Retention period
Account and profile data | Duration of account + 30 days after closure
Billing and transaction records | 7 years (tax / accounting law)
Audit log entries | 6–7 years (compliance and legal obligations)
Support correspondence | 2 years from resolution
Server access logs | 90 days
Consent records | Duration of account + 7 years (evidential purposes)
Encrypted backups | Purged within 90 days of account closure as backups rotate

Data retained beyond account closure is held securely, isolated from active processing, and used only for the purpose that justified its retention.

11. Your Rights

Subject to applicable law, you have the following rights in respect of your personal data:

  • Right of access (GDPR Art. 15): Request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (GDPR Art. 16): Ask us to correct inaccurate or incomplete personal data.
  • Right to erasure / “right to be forgotten” (GDPR Art. 17): Request deletion of your personal data where the legal basis for retention no longer applies.
  • Right to restrict processing (GDPR Art. 18): Ask us to restrict processing of your data in certain circumstances (e.g., while a rectification request is pending).
  • Right to data portability (GDPR Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) for transfer to another controller.
  • Right to withdraw consent (GDPR Art. 7(3)): Withdraw consent for any consent-based processing at any time without affecting prior processing.
  • Right to object (GDPR Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right not to be subject to automated decisions (GDPR Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects about you.

To exercise any of these rights, email [email protected] with the subject line “Data Subject Request”. We will acknowledge your request within 72 hours and respond within 30 days (or the statutory period if shorter). We may ask you to verify your identity before fulfilling the request.

12. Closing Your Account

You can close your account in two ways:

  • In-app: Settings → Account → Close Account.
  • By email: Send a request to [email protected] from your registered email address.

Upon closure, your active account data and feed preferences will be deleted within 30 days. Data retained for legal reasons (billing records, audit logs) will be held for the minimum period required and then permanently deleted. You will receive an email confirmation once deletion is complete.

13. Children’s Privacy

The Service is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate consent, please contact [email protected] and we will delete the data promptly.

14. Cookies

We use cookies and similar tracking technologies to operate and improve the Service. The categories of cookies we use are:

  • Strictly necessary cookies: Required for authentication, session management, and security. These cannot be disabled without breaking the Service.
  • Preference cookies: Store your theme, language, and layout preferences.
  • Analytics cookies: Collect anonymised information about how users interact with the Service to help us improve it. Used only with your consent.

You can manage cookie preferences via the cookie banner displayed on your first visit, or at any time via Settings → Privacy → Cookie Preferences. For more detail, refer to our Cookie Policy (available on request).

15. Changes to This Policy

We may update this Privacy Policy periodically. For material changes — changes that substantially affect how we process your personal data or your rights — we will:

  • Notify you by email and/or an in-app banner at least 14 days before the change takes effect.
  • Obtain fresh consent where required by law (e.g., if we introduce a new purpose that requires consent, or extend processing beyond what you originally agreed to).

For non-material changes (e.g., clarifications, contact details), we may update the Policy without prior notice. The “Last updated” date at the top of this page will always reflect the most recent revision.

If you do not agree to the revised Policy, you may close your account before the effective date by following the steps in Section 12.

16. Contact and Complaints

For any questions about this Privacy Policy or to exercise your data rights, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority:

  • EU / EEA: Your national Data Protection Authority (DPA) — see edpb.europa.eu.
  • UK: The Information Commissioner’s Office (ICO) — ico.org.uk.
  • India: The Data Protection Board of India (under DPDPA 2023).
  • US (healthcare): HHS Office for Civil Rights (OCR) — hhs.gov/ocr.

This Privacy Policy applies to all users of tlgrm at tlgrm.mystackmint.com.