Legal

Privacy policy

What we collect, why we collect it, who can see it, and how long we keep it. We minimize by default and document by exception.

Last updated: 2026-04-30

1. Overview

This policy describes how Telegram OS (the "Service", "we", "us") collects, uses, and protects information about operators ("you") who use the platform. It applies to the dashboard, marketing pages, and any APIs we expose.

2. Who we are

The Service is operated by the Telegram OS organization, a centralized structure of multiple specialized teams. The legal entity that operates the Service is the data controller for account data and the data processor for customer-loaded content. The identities of the individual founders are not published; the entity itself is incorporated and reachable via the contact channels.

3. Information we collect

3.1 Account information

Email address, full name, username (provided by you).
Hashed password (we never store it in plain text).
Two-factor secret and backup codes, if enabled.
API keys, if you create them.

3.2 Operational data

Telegram session payloads for accounts you rent through the Service. Encrypted at rest with per-tenant keys.
Inbox messages and metadata necessary to render the inbox.
Automation task definitions, executions, and outcomes.
Account health metrics, ban-risk signals, and engagement counters.

3.3 Telemetry and security data

IP address and user-agent at sign-in and on privileged actions.
Audit-log entries for member changes, role changes, and sensitive endpoint calls.
Aggregated request metrics for capacity planning. No third-party analytics SDKs.

3.4 Billing data

Wallet balance and transaction ledger.
Provider-side metadata returned by Stripe or NOWPayments. We do not store card or wallet credentials.

4. Why we use it

To operate the Service: render the dashboard, run automations, process payments.
To secure the Service: detect abuse, investigate incidents, enforce rate limits.
To meet legal obligations: respond to lawful requests under applicable law.
To communicate with you: account, billing, and security notices.

We do not sell personal data, and we do not use your data to train third-party models.

5. Legal bases (GDPR)

Contract. To provide the Service you signed up for.
Legitimate interest. For security telemetry, fraud detection, and product safety.
Legal obligation. For tax records and lawful disclosure.
Consent. For any optional processing we may add later (none today).

Sub-processors. Payment providers (Stripe, NOWPayments), cloud infrastructure providers, and email delivery. A current list is available on request via the contact page.
Team members. If you join a team workspace, members of that team can see data within that workspace per their role.
Lawful requests. Only when legally compelled, and limited to what is required.

We do not share data with advertisers, data brokers, or analytics aggregators.

7. Retention

Account data: kept while your account is active, deleted within 30 days of account closure.
Audit logs: retained for the lifetime of the workspace.
Billing records: retained for 7 years to satisfy tax and accounting obligations.
Backups: rolling 30-day window, then permanently purged.

8. Your rights

Depending on jurisdiction, you have the right to access, correct, port, or delete your personal data, and to object to or restrict certain processing. Email privacy@telegramos.app to exercise any of these rights. We respond within 30 days.

9. Security

The technical and organizational measures we use are documented on the Security page. Highlights: tenant-bound queries, per-tenant session encryption, role-rank guards, append-only audit logs, required two-factor for staff, and signed releases.

10. International transfers

Where personal data is transferred across borders we rely on the EU Standard Contractual Clauses and the UK IDTA, and apply additional safeguards where required by local law.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We will publish material changes on this page and on the changelog. Continued use of the Service after a change constitutes acceptance.

13. Contact

Privacy questions: privacy@telegramos.app. Data Protection Officer requests: dpo@telegramos.app. For DPA requests see the Data Processing Addendum.

2. Who we are

3. Information we collect

3.1 Account information

Email address, full name, username (provided by you).

Hashed password (we never store it in plain text).

Two-factor secret and backup codes, if enabled.

API keys, if you create them.

3.2 Operational data

Telegram session payloads for accounts you rent through the Service. Encrypted at rest with per-tenant keys.

Inbox messages and metadata necessary to render the inbox.

Automation task definitions, executions, and outcomes.

Account health metrics, ban-risk signals, and engagement counters.

3.3 Telemetry and security data

IP address and user-agent at sign-in and on privileged actions.

Audit-log entries for member changes, role changes, and sensitive endpoint calls.

Aggregated request metrics for capacity planning. No third-party analytics SDKs.

3.4 Billing data

Wallet balance and transaction ledger.

Provider-side metadata returned by Stripe or NOWPayments. We do not store card or wallet credentials.

4. Why we use it

To operate the Service: render the dashboard, run automations, process payments.

To secure the Service: detect abuse, investigate incidents, enforce rate limits.

To meet legal obligations: respond to lawful requests under applicable law.

To communicate with you: account, billing, and security notices.

We do not sell personal data, and we do not use your data to train third-party models.

6. Who we share data with

Sub-processors. Payment providers (Stripe, NOWPayments), cloud infrastructure providers, and email delivery. A current list is available on request via the contact page.

Team members. If you join a team workspace, members of that team can see data within that workspace per their role.

Lawful requests. Only when legally compelled, and limited to what is required.

We do not share data with advertisers, data brokers, or analytics aggregators.