Privacy Policy

1. Introduction

Phantom Messages Forwarder ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you register for the Service, we collect:

• Telegram Phone Number: Used for authentication via Telegram's official API
• Telegram User ID: Unique identifier assigned by Telegram
• Telegram Session Data: Encrypted authentication tokens for API access
• Account Settings: Preferences, plan selection, notification settings

2.2 Service Usage Data

• Forwarding Rules: Source/destination chats, filters, transformation settings
• Message Metadata: Timestamps, chat IDs, message counts (we do NOT store message content)
• Analytics: Forwarded message counts, filter statistics, error logs
• AI Usage: Tokens consumed, operation types (translation, summarization)

2.3 Payment Information

Payment processing is handled by Stripe. We collect:

• Billing name and email
• Subscription plan and billing cycle
• Stripe Customer ID (tokenized)

We do NOT store credit card numbers, CVV codes, or full payment details. All payment data is securely managed by Stripe's PCI-compliant infrastructure.

2.4 Technical Data

• IP address (for security and fraud prevention)
• Browser type and version
• Operating system
• Session duration and pages visited
• Error logs and crash reports

3. How We Use Your Information

We use collected data for the following purposes:

• Service Delivery: Execute forwarding rules, process messages, maintain Telegram connectivity
• Account Management: Authenticate users, manage subscriptions, enforce plan limits
• Billing: Process payments, issue invoices, handle refunds
• Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
• Service Improvement: Analyze usage patterns, optimize performance, develop new features
• Security: Detect fraud, prevent abuse, protect against unauthorized access
• Legal Compliance: Comply with regulations, respond to legal requests, enforce Terms of Service

4. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: Telegram session data is encrypted using AES-256 before storage
• Secure Transmission: All API communication uses HTTPS/TLS 1.3
• Access Controls: Role-based access limitations for staff members
• Database Security: Hosted on Supabase with automatic backups and replication
• Monitoring: 24/7 automated security monitoring and intrusion detection
• Regular Audits: Quarterly security reviews and penetration testing

While we take extensive precautions, no system is 100% secure. You are responsible for maintaining the confidentiality of your Telegram account credentials.

5. Third-Party Services

We integrate with the following third-party services:

5.1 Telegram API

We use Telegram's official MTProto API to send/receive messages. Your session is authenticated directly with Telegram's servers. Review Telegram's Privacy Policy.

5.2 Stripe (Payment Processing)

Payment data is processed by Stripe Inc. Review Stripe's Privacy Policy.

5.3 Supabase (Database Hosting)

Data is stored on Supabase (PostgreSQL). Servers located in EU data centers. Review Supabase's Privacy Policy.

5.4 Anthropic (AI Features)

AI translation and summarization use Anthropic's Claude API. Message content is sent to Anthropic servers for processing. Review Anthropic's Privacy Policy.

6. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information. We may share data only in these circumstances:

• With Your Consent: When you explicitly authorize data sharing
• Service Providers: Third-party vendors (hosting, payment processing) under strict confidentiality agreements
• Legal Obligations: When required by law, court order, or government request
• Business Transfers: In case of merger, acquisition, or sale of assets (users will be notified)
• Security Threats: To prevent fraud, protect user safety, or enforce our Terms of Service

7. Cookies and Tracking

We use cookies and similar technologies for:

• Essential Cookies: Session management, authentication tokens (required for Service functionality)
• Analytics Cookies: Usage statistics, page views, feature adoption (anonymized)
• Preference Cookies: Remember your settings and preferences

You can disable cookies via browser settings, but this may limit Service functionality. We do NOT use third-party advertising cookies.

8. Your Rights (GDPR)

If you are an EU resident, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Opt-out of certain data processing activities
• Right to Withdraw Consent: Revoke previously granted permissions

To exercise these rights, contact us via our contact form. We will respond within 30 days.

9. Data Retention

We retain your data for the following periods:

• Active Accounts: Data retained as long as your account is active
• Cancelled Subscriptions: Retained for 30 days to allow reactivation, then deleted
• Billing Records: Retained for 7 years (tax/legal requirements)
• Error Logs: Retained for 90 days
• Analytics Data: Aggregated and anonymized after 12 months

You can request immediate deletion of your account and data at any time via the dashboard or by contacting support.

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect data from children. If we discover that a minor has provided personal information, we will delete it immediately. Parents who believe their child has registered should contact us via our contact form.

11. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Hosting providers with GDPR compliance certifications
• Encryption during transmission and storage

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

• Email notification
• In-app notification banner
• Updated "Last modified" date at the top of this page

Continued use of the Service after changes constitutes acceptance of the updated policy.