Privacy Policy
Last updated: April 21, 2026
This Privacy Policy explains what personal data ZenoChat (“we”, “us”, “the Service”)
collects when you use our platform at app.zenochat.net
and related subdomains, why we collect it, how we store it, and the rights you have over it.
1. Who we are
ZenoChat is an internal-use Telegram bot management platform operated by the
ZenoChat team. The Service is currently offered to a limited group of authorized
users on an invitation-only basis.
2. Data we collect
2.1 When you sign in with Telegram
- Telegram numeric user ID
- Username (if set)
- First and last name as reported by Telegram
- Profile photo URL (if public)
- Phone number (only if you explicitly share it during Telegram Login)
2.2 When you sign in with Google
- Email address
- First and last name
- Profile photo URL
- Google account subject identifier (a stable ID used to link sessions)
2.3 Operational data
- Access tokens and refresh tokens (hashed, server-side) for maintaining your session
- IP address and user agent of each login for security auditing
- Audit log of administrative actions you perform inside the Service
- Language preference, role, and permissions
3. How we use your data
- To authenticate you and maintain your session
- To enforce access control (whitelist, role/scope permissions)
- To provide product functionality (bot management, dialogues, analytics)
- To keep an audit trail of security-relevant actions
- To investigate abuse or suspected unauthorized access
We do not sell your personal data to third parties and do not use it for advertising.
4. Where we store data
Personal data is stored in our own PostgreSQL database, hosted on infrastructure
operated by the ZenoChat team. Backups are encrypted at rest. Refresh tokens are
stored as SHA-256 hashes so that the raw token cannot be recovered from the database.
5. Third-party identity providers
When you sign in we rely on two external identity providers:
- Telegram (OAuth 2.0 / OIDC). Their terms apply at the moment of sign-in.
- Google (OAuth 2.0). Their privacy policy applies.
6. Data retention
- Active user profile — retained while the account is active.
- Refresh tokens — 30 days from issue or until revoked.
- Audit logs — up to 12 months.
- On account deletion, personal fields are deleted or anonymized within 30 days.
7. Your rights
You may request at any time to:
- access the personal data we store about you;
- correct inaccurate data;
- delete your account and associated personal data;
- revoke any active session or refresh token;
- disconnect a linked identity provider (Telegram or Google).
To exercise these rights, email [email protected].
We will respond within 30 days.
8. Automatic revocation
If your Google account is disabled or deleted, the Service revokes your linked
session automatically on the next sign-in attempt. If you remove ZenoChat from the
list of authorized applications in your Google Account or Telegram profile, your
next login will fail and you will be treated as a new user.
9. Security
We use HTTPS for all traffic, hashed refresh tokens, short-lived access tokens
(15 minutes), strict scope-based authorization on the server, and an allow-list
of approved email domains / Telegram accounts. We log every administrative
action to an audit trail.
10. Contact
Questions about this policy? Email [email protected].