Privacy Policy

What we collect, how it's processed, where it's stored, and how to delete it. Plain English, no legalese.

Last updated: 2026-05-03 (rev. 2)

Who we are

tgram-analytics is an independent, open-source analytics project. The hosted service at tgram-analytics.com and the bot @MyTelegramAnalyticsBot are operated by a single person. The server source code is public at github.com/tgram-analytics/server.

If you'd rather not trust a hosted service at all, you can self-host the same software on your own infrastructure. This policy applies only to the hosted version.

Two situations, two relationships

Whether we hold any data about you depends on which side of the system you're on:

1. You use the Telegram bot

If you talk to @MyTelegramAnalyticsBot to create projects, set alerts, or run reports, we are the controller of the small amount of account data described below. You're our user.

2. You visit a website or app that uses tgram-analytics

If a site or app you visit ships our SDK, the events from your visit flow into that operator's project. The operator decides what to track, what their retention is, and what to do with it. Legally, they are the controller; we are the processor acting on their behalf.

What we collect

From bot users

• Your numeric Telegram user_id, stored as the unique key for your account
• Your Telegram chat_id, stored on each project you own (so the bot knows where to send alerts and reports) and on any in-progress conversation state with the bot
• The projects, alerts, funnels, and scheduled reports you create
• For each project, only the SHA-256 hash of its API key — the raw key is shown to you once at creation and never persisted, so even a database breach wouldn't leak working keys
• An append-only audit log of administrative actions (create / delete / config change), keyed by your internal account ID. See Your rights for how this interacts with account deletion

We don't store your Telegram username, display name, or profile photo. We don't ask for your email, phone number, or any payment details. There's no account password — Telegram authenticates you for us.

From end-visitors of sites/apps using the SDK

Each event includes:

• An event name chosen by the operator (e.g. signup, page_view)
• A session ID, generated client-side and stored in sessionStorage — it lives until you close the tab. No cookies, no localStorage, no fingerprinting
• For pageviews: the URL and referrer of the page
• An optional properties bag (capped at 4 KB) with whatever the operator chose to attach. Keys named email, phone, password, token, credit_card, ssn, iban, etc. are automatically dropped by the server before storage
• A visitor hash — a one-way SHA-256 of (daily_salt + project_id + ip + user_agent), truncated to 16 hex characters. The salt rotates at midnight UTC and yesterday's salt is unrecoverable, so the same visitor on the same site gets a different hash every day. We use this to count unique visitors without storing IPs
• Coarse derived fields: browser family, OS family, device type (mobile / tablet / desktop / bot)

What we explicitly do not store

• Raw IP addresses — used only in-memory to compute the visitor hash, then discarded
• Raw User-Agent strings — parsed for the coarse derived fields above, then discarded
• Cookies — the browser SDK uses sessionStorage only
• Cross-site identifiers — the visitor hash is bound to a single project, so the same visitor on two different sites yields different hashes
• Third-party trackers — no ad networks, no Google/Meta pixels, no analytics-on-analytics

How long we keep it

Events have a per-project retention window (default 90 days). A nightly job deletes anything older. Operators can lower this for their project at any time.

Bot account data (your Telegram IDs, projects, alerts) stays until you delete it — see below. There's no automatic expiry on accounts.

Server logs pass through a redaction filter that strips API keys and obvious PII before they're written. They're retained on the host platform under its default rotation; we don't ship them to any third-party log aggregator.

Where it lives

The bot, ingestion API, and database all run on a single server hosted in the European Union, managed via Coolify. Event data and bot account data don't leave the EU on our end.

The stack on that server is: a FastAPI app and a PostgreSQL database, plus a self-hosted chart renderer (QuickChart) running as a separate container on the same host. Nothing is shipped to third-party data warehouses or analytics services.

Bot messages necessarily travel through Telegram's infrastructure. The marketing website at tgram-analytics.com is served separately by GitHub Pages and pulls fonts and the JS SDK bundle from public CDNs — see Sub-processors for the full picture.

Your rights and how to exercise them

Under the GDPR you have rights to access, correct, delete, port, or object to processing of your personal data. Here's how to actually do that with us:

If you're a bot user (you created projects)

• Delete one project and all its events: open the bot, send /projects, pick the project, choose Delete. The deletion cascades — every event ever sent to that project is gone immediately
• Delete everything (account + all projects): email us (see below) or DM the bot. We'll process it manually as soon as reasonably practicable. Caveat: we keep an append-only audit log of administrative actions (create / delete / config changes) for security and abuse-prevention purposes. After we delete your account, those rows survive but become orphaned — the only identifier left is an internal random UUID with no remaining link to your Telegram identity
• Export your data: email us. We'll send a JSON dump of your projects and events

If you're a visitor of a site that uses tgram-analytics

The site operator is your first point of contact — they decide what gets tracked and have direct, instant deletion controls (deleting the project wipes every event in it).

If the operator is unresponsive or you want to escalate, email us. Because we don't store IPs or names, locating events that belong to one specific visitor is best-effort: in practice, the cleanest way to honor an erasure request for end-visitor data is for the operator to delete the project.

Complaints

If you think we've mishandled your data, please email us first so we can fix it. You also have the right to lodge a complaint with your national EU data protection authority.

Sub-processors

These are the third parties that touch your data on the way through. We've split them by which surface they apply to, because the bot/API and the marketing website have different exposures.

Bot and ingestion API (where event and account data live)

• Coolify — hosting platform for the server and database. Located in the EU
• Telegram — bot transport. Every message you send to the bot, and every reply we send back, transits Telegram's servers
• QuickChart — open-source chart image renderer, self-hosted as a separate container on the same host as the bot. Chart requests don't leave our infrastructure

Marketing website (tgram-analytics.com)

If you're just reading these pages, your browser also makes requests to:

• GitHub Pages — hosts the website itself. GitHub sees your IP when you load any page on this site
• Google Fonts — the website loads two fonts (JetBrains Mono, Space Grotesk) from fonts.googleapis.com and fonts.gstatic.com. Google sees your IP when fonts are fetched. We're aware this isn't ideal for an EU-positioned privacy page; self-hosting the fonts is on the to-do list
• esm.sh — the homepage and docs page load our own JS SDK bundle from this CDN to dogfood our analytics. esm.sh sees your IP when the bundle is fetched. The privacy page itself does not load any JS

If you find this list annoyingly long, fair enough — most of these are commodity website plumbing rather than analytics, but they're third parties and we'd rather over-disclose than under-disclose.

What's not on this list

We don't use Stripe (no payments yet), AWS, GCP, Cloudflare, Plausible, Google Analytics, Meta Pixel, Hotjar, Sentry, or any other analytics/marketing/error-tracking service.

Changes to this policy

If we materially change what we collect, where it lives, or who has access to it, we'll update the date at the top of this page and try to notify active bot users via the bot. Minor wording or clarification edits don't get an announcement.

Contact

Questions, requests, complaints — all to: rignanese.leo@gmail.com.

Or DM @MyTelegramAnalyticsBot directly. The bot is operated by a human (just one).