Our Commitment to GDPR
TeleBoost applies GDPR principles as a baseline standard for all users, regardless of their location. The General Data Protection Regulation (EU 2016/679) establishes rights for individuals and obligations for organizations that process personal data. We believe these are the right standards for everyone.
Our GDPR compliance is built into the architecture of the platform:
- Privacy by Design: Telegram session data is encrypted before storage; passwords are hashed and never stored in plain text.
- Data Minimization: We collect only what is necessary to operate the Service.
- Purpose Limitation: Data is used only for the purposes disclosed in our Privacy Policy.
- Storage Limitation: Data is deleted on a defined schedule and upon account deletion.
- Security: Technical and organizational measures are implemented to protect all data we hold.
Data Controller
Under GDPR, TeleBoost acts as the Data Controller for the personal data of registered users (account information, usage data, billing data). TeleBoost operates under European Union jurisdiction and applies GDPR as its primary data protection framework.
TeleBoost acts as a Data Processor for the personal data of third parties (Telegram group members, campaign targets) that you — as the Data Controller — choose to manage through our platform. You are responsible for ensuring you have a lawful basis to process this data and must have a Data Processing Agreement (DPA) in place if required by GDPR Art. 28. Contact us to request a DPA.
Data Controller Contact
TeleBoost — European Union
Contact: contact@teleboost.app
Privacy Policy: teleboost.app/privacy
Response time: within 30 days of receipt as required by GDPR Art. 12
Your GDPR Rights
As a data subject, you have the following rights under GDPR (Articles 15–22). These apply to all EEA residents. We extend equivalent rights to all users regardless of location.
Right to Access
Art. 15: You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data, along with information about how it is processed.
Right to Rectification
Art. 16: You have the right to request correction of inaccurate personal data and completion of incomplete data without undue delay.
Right to Erasure
Art. 17: You have the right to request deletion of your personal data (the "right to be forgotten") where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
Right to Restriction
Art. 18: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy or object to our processing.
Right to Data Portability
Art. 20: You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible.
Right to Object
Art. 21: You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Automated Decision-Making
Art. 22: TeleBoost does not make decisions with significant legal effects based solely on automated processing. All consequential decisions involve human review.
Right to Complain
Art. 77: You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your rights. See the Supervisory Authority section for details.
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us with a clear description of your request:
What to include
- Your registered email address
- The specific right you wish to exercise
- Any relevant details to help us locate your data
Response time
We will respond within 30 days of receiving your request. We may request proof of identity before processing the request.
Many rights can also be exercised directly from your account settings (e.g., data export, account deletion, profile updates).
Legal Bases for Processing
We rely on the following legal bases (GDPR Article 6) to process personal data:
| Processing Activity | Data Involved | Legal Basis (Art. 6) |
|---|---|---|
| User authentication and account management | Email, username, password hash | Contract — Art. 6(1)(b) |
| Telegram session management | Encrypted session strings, phone numbers, API credentials | Contract — Art. 6(1)(b) |
| Campaign execution (DM and group messaging) | Contact lists, message templates, campaign logs | Contract — Art. 6(1)(b) |
| AI message generation (when enabled) | Message context, tone settings, group context snippets | Consent — Art. 6(1)(a) |
| Transactional email delivery | Email address, notification content | Contract — Art. 6(1)(b) |
| Fraud detection and security monitoring | IP addresses, session tokens, activity logs | Legitimate interests — Art. 6(1)(f) |
| Subscription billing | Email, payment token, billing amount | Contract + Legal obligation — Art. 6(1)(b) and 6(1)(c) |
| Tax and accounting records | Invoice data, billing records | Legal obligation — Art. 6(1)(c) |
| Service analytics and improvement | Aggregated usage statistics (anonymized) | Legitimate interests — Art. 6(1)(f) |
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to such processing (see Your Rights).
Sub-Processors
We engage the following third-party sub-processors, each subject to data processing agreements and GDPR-equivalent protections:
| Provider | Role | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Google AI Studio (Gemini) | AI message generation (primary) | Message context, templates, tone | USA (SCCs in place) | cloud.google.com/terms/cloud-privacy-notice |
| Groq | AI message generation (fallback) | Message context, templates | USA (SCCs in place) | groq.com/privacy-policy |
| Resend | Transactional email | Email address, email content | USA (SCCs in place) | resend.com/legal/privacy |
| Hostinger (VPS KVM2) | Infrastructure & database hosting | All platform data (encrypted) | EU/EEA data centers available | hostinger.com/privacy-policy |
| Stripe, Inc. | Subscription billing | Email, billing address, payment amount (card data processed solely by Stripe) | USA (SCCs in place) + EU entities available | stripe.com/privacy |
We do not transfer your data to sub-processors for any purpose other than providing the Service. If we add or replace a sub-processor, we will update this page and notify affected users if required by law.
Data Retention Schedule
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| User profile data (email, username) | Duration of account + 30 days post-deletion | Contract |
| Telegram session data (encrypted) | Until account disconnected or deleted | Contract |
| Scraped contact data | 12 months after last campaign, or until manually deleted | Contract / Legitimate interests |
| DM and group campaign logs | 12 months after campaign completion | Contract / Legitimate interests |
| Contacted client records and conversations | Until manually deleted or account deleted | Contract |
| Security and activity logs | 90 days rolling | Legitimate interests (security) |
| Billing records and invoices | 7 years | Legal obligation (tax law) |
| AI processing inputs/outputs | Not stored by TeleBoost (processed transiently) | N/A |
| Data subject requests (GDPR) | 3 years (to demonstrate compliance) | Legal obligation (GDPR accountability) |
Upon receiving a valid erasure request, we will delete your data within 30 days, except where retention is legally required.
Security Measures
We implement the following technical and organizational measures (TOMs) to protect personal data:
Encryption at Rest
Telegram session strings are encrypted using Fernet (AES-128-CBC) with PBKDF2-derived keys. Encryption keys are stored separately from application data.
Encryption in Transit
All communications between users, the TeleBoost server, and sub-processors are encrypted via TLS 1.2+/HTTPS. No data is transmitted unencrypted.
Password Security
Passwords are stored as salted SHA-256 hashes. Plain-text passwords are never stored or logged.
Access Control
Database access is restricted to the backend application. No direct public database access is permitted. Role-based access control enforces data isolation between teams and users.
Single-Session Enforcement
Each user account permits only one active session at a time. New logins invalidate all previous sessions, limiting the risk of account sharing or unauthorized access.
SQL Injection Prevention
All database queries use parameterized statements. No raw string interpolation with user input is used in SQL queries.
Audit Logging
Key user actions are recorded in an activity log with timestamps, supporting audit trails and incident investigation.
Vulnerability Management
Dependencies are reviewed and updated regularly. Security patches are applied promptly to production infrastructure.
International Data Transfers
Some of our sub-processors (Google AI Studio, Groq, Resend) are based outside the EEA. When personal data of EEA residents is transferred to these providers, we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (as per Commission Implementing Decision 2021/914) with all US-based sub-processors.
- Adequacy decisions: For transfers to countries covered by an EU adequacy decision, no additional safeguards are required.
- Technical measures: Transferred data is encrypted in transit (TLS) and we minimize data shared with AI providers to what is necessary for the requested AI generation (no credentials, no contact lists).
For details on specific transfer mechanisms for each provider, contact contact@teleboost.app.
Data Breach Policy
In the event of a personal data breach, TeleBoost will:
- Assess the breach and determine the risk to affected data subjects within 24 hours of detection
- Notify the relevant supervisory authority (DPA) within 72 hours of becoming aware of a breach that poses a risk to individuals, as required by GDPR Article 33
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Document the breach, its causes, scope, and remediation steps in an internal breach register
- Take immediate steps to contain, remediate, and prevent recurrence of the breach
If you discover or suspect a security vulnerability or breach, please report it immediately to support@teleboost.app.
Contact the Privacy Team
For all GDPR-related questions, requests to exercise your rights, DPA requests, sub-processor inquiries, or data processing concerns:
TeleBoost
GDPR & general enquiries: contact@teleboost.app
Security issues: support@teleboost.app
Privacy Policy: teleboost.app/privacy
Response time: within 30 days of receipt (GDPR Art. 12)
© 2025–2026 TeleBoost. All rights reserved. TeleBoost and its associated software, design, and branding are proprietary and protected by copyright and intellectual property law.