Introduction
TeleBoost (“we”, “us”, or “our”) operates the TeleBoost platform (the “Service”), a cloud-based tool for Telegram outreach management. This Privacy Policy applies to all users of the Service and describes our practices regarding the collection, use, storage, and disclosure of personal data.
By accessing or using TeleBoost, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please discontinue use of the Service.
We apply GDPR standards as a baseline to all users, regardless of their location. Where local laws provide stronger protections, we aim to comply with those as well.
Data We Collect
We collect data in the following categories:
2.1 Account Data
- Username and email address (provided at registration)
- Password (stored as a salted SHA-256 hash — never in plain text)
- Subscription plan and billing information (managed by a third-party payment processor)
- Account preferences and settings
2.2 Telegram Account Data
To connect your Telegram accounts to TeleBoost, we collect and store:
- Phone number(s) associated with your Telegram accounts
- Telegram session strings (encrypted at rest using Fernet — AES-128-CBC — before storage; never stored in plain text)
- Telegram API credentials (api_id, api_hash) you provide or we retrieve on your behalf
- Device fingerprint data (user-agent, screen resolution, locale) used to spoof session metadata and reduce Telegram ban rates
- Proxy configuration (host, port, credentials) if provided
2.3 Scraped Group Member Data
When you use TeleBoost's scraping feature, we collect and store, on your behalf, data about Telegram group members including:
- Telegram user IDs and usernames
- First and last names
- Profile bios and other publicly available profile fields
- Phone number (only when accessible through the Telegram API)
- Online/activity status at time of scraping
- Group membership metadata
Important: You, as the user, are the data controller for scraped group member data. You are solely responsible for ensuring your use of this data complies with Telegram's Terms of Service, GDPR, and all applicable privacy and anti-spam laws.
2.4 Campaign & Usage Data
- Direct message campaign configurations, templates, and logs
- Group messaging campaign configurations and message logs
- Contacted client records and conversation histories
- Activity logs (actions performed within the platform)
- Daily quota usage per account
2.5 Technical Data
- IP address (for security monitoring and fraud prevention)
- Browser type and operating system
- Session tokens (for single-session enforcement)
- Server-side logs and error reports
How We Use Your Data
We use the data we collect for the following purposes:
- Service provision: To operate TeleBoost, authenticate users, process Telegram connections, run scraping operations, and execute messaging campaigns.
- Security: To enforce single-session policies, detect unauthorized access, prevent fraud, and encrypt sensitive credentials.
- AI message generation: Campaign context and message templates may be sent to third-party AI providers (Google Gemini, Groq) to generate suggested messages on your behalf.
- Transactional emails: To send account verification, password reset, team invitation, and campaign notification emails via Resend.
- Billing: To process subscription payments and maintain billing records.
- Service improvement: To analyze usage patterns, troubleshoot issues, and improve platform features.
- Legal compliance: To comply with applicable laws, respond to legal requests, and enforce our Terms of Service.
Legal Basis for Processing
For users in the European Economic Area (EEA), we rely on the following legal bases under GDPR:
| Data / Activity | Purpose | Legal Basis |
|---|---|---|
| Account data (email, username, password) | Authentication and account management | Contract (Art. 6(1)(b)) |
| Telegram session data (encrypted) | Core service: Telegram integration | Contract (Art. 6(1)(b)) |
| Scraped group member data | Campaign targeting on your behalf | Contract + Your consent (Art. 6(1)(a)(b)) |
| Campaign logs and message history | Service provision and campaign management | Contract (Art. 6(1)(b)) |
| AI processing of message context | AI message generation feature | Consent (Art. 6(1)(a)) |
| Transactional emails | Account notifications and invitations | Contract (Art. 6(1)(b)) |
| IP address and security logs | Fraud prevention and single-session enforcement | Legitimate interests (Art. 6(1)(f)) |
| Billing data | Payment processing and tax records | Contract + Legal obligation (Art. 6(1)(b)(c)) |
| Activity logs | Audit trail and security monitoring | Legitimate interests (Art. 6(1)(f)) |
Data Sharing & Sub-processors
We do not sell your personal data. We share data only with the following third-party processors, each bound by data processing agreements requiring GDPR-equivalent protections:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google AI Studio (Gemini) | AI message generation (primary) | Message templates, campaign context, tone settings | cloud.google.com/terms/cloud-privacy-notice |
| Groq (Llama 3) | AI message generation (fallback) | Message templates, campaign context | groq.com/privacy-policy |
| Resend | Transactional email delivery | Email address, email content | resend.com/legal/privacy |
| Hostinger (VPS) | Cloud infrastructure and database hosting | All platform data (encrypted at rest) | hostinger.com/privacy-policy |
| Stripe, Inc. | Subscription billing and invoicing | Email, billing address, payment amount (card data processed directly by Stripe — never stored by TeleBoost) | stripe.com/privacy |
AI providers process only the message context you provide for a given campaign. They do not have access to your Telegram credentials, scraped contact lists, or session data.
We may also disclose data where required by law, court order, or to protect the rights, property, or safety of TeleBoost, our users, or the public.
Data Security
We implement the following technical and organizational security measures:
- Session encryption: All Telegram session strings are encrypted at rest using Fernet (AES-128-CBC) before being written to the database. Encryption keys are managed separately from application data.
- Password hashing: User passwords are stored as salted SHA-256 hashes and never in plain text.
- Transport security: All data transmitted between your browser, our servers, and third-party services is encrypted via TLS/HTTPS.
- Single-session enforcement: Only one active login session is permitted per user. A new login invalidates all previous sessions.
- Access control: Database access is restricted to authenticated backend services. Direct database access from the public internet is disabled.
- Parameterized queries: All database queries use parameterized statements to prevent SQL injection.
While we take security seriously, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us at support@teleboost.app.
Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data (profile, email) | Duration of account + 30 days after deletion |
| Telegram session data | Until account disconnected or account deleted |
| Scraped group member data | Until manually deleted by you, or 12 months after last campaign |
| Campaign logs and message history | 12 months after campaign completion |
| Contacted client records | Until manually deleted by you or account deleted |
| Billing records and invoices | 7 years (tax/accounting legal obligation) |
| Security and activity logs | 90 days rolling window |
| AI processing logs | Not stored on our servers (processed transiently by provider) |
Upon account deletion, we delete or anonymize your personal data within 30 days, except where we are required by law to retain it longer (e.g., billing records).
Your Rights
Regardless of your location, you have the following rights regarding your personal data. EEA residents have these rights under GDPR (Articles 15–22):
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
Right to Restriction
Request that we limit how we process your data in certain circumstances.
Right to Portability
Receive a copy of your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Automated Decision-Making
TeleBoost does not make automated decisions with legal effects based solely on your data.
Right to Complain
Lodge a complaint with your local data protection authority if you believe we have violated your rights.
To exercise any of these rights, email us at contact@teleboost.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.
International Data Transfers
TeleBoost's servers are located outside the EEA. When data of EEA residents is transferred to countries that may not have equivalent data protection laws, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors requiring GDPR-equivalent protections
- Technical measures (encryption at rest and in transit) to protect data regardless of jurisdiction
For more details on our international transfer mechanisms, contact contact@teleboost.app.
Children's Privacy
TeleBoost is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us at contact@teleboost.app.
Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Send a notification email to your registered address at least 30 days before changes take effect
- Display a prominent notice within the platform
Continued use of TeleBoost after the effective date of changes constitutes acceptance of the updated policy.
Contact Us
If you have questions, concerns, or requests related to your privacy or this policy, please contact us:
TeleBoost
General & GDPR enquiries: contact@teleboost.app
Security issues: support@teleboost.app
Response time: within 30 days of receipt
© 2025–2026 TeleBoost. All rights reserved. TeleBoost and its associated software, design, and branding are proprietary and protected by copyright and intellectual property law.