Privacy Policy

Last updated: April 9, 2026

This Privacy Policy explains how Graphref collects, uses, stores, discloses, and protects personal information when you use our website, Telegram bot, checkout flow, and related support channels. It is meant to describe our actual operating practices in a clear, legal-policy format. If you do not agree with this Policy, do not use the Service.

1. Scope and controller

This Policy applies to Graphref-operated touchpoints, including the website, the Telegram bot, purchase and credit flows, and support communications. For the personal information described in this Policy, Graphref acts as the controller or business responsible for deciding why and how that information is processed.

Questions, requests, or complaints can be sent to [email protected].

2. Categories of personal information we collect

Depending on how you interact with Graphref, we may collect the following categories of personal information:

  • Telegram identity data: Telegram user ID or chat ID, username, display name, and other Telegram account fields made available to us through the bot or Telegram login flow.
  • Authentication data: Telegram login payload fields required to verify that a login request is genuine, together with website authentication state stored in cookies such as `tg_auth` and `tg_user`.
  • Service input data: keywords, domains, URLs, job instructions, and related command content you submit to run the service.
  • Account and usage data: credit balance, purchased plans, refund events, job history, job status, timestamps, and support history.
  • Transaction data: checkout identifiers, plan selections, provider transaction references, payment status, and limited billing metadata made available to us by payment providers. We do not store full card numbers or full payment credentials.
  • Technical and device data: IP address, browser type, operating system, user agent, request timestamps, referrer data, and similar server or security log data generated when you use the website or APIs.
  • Support communications: the contents of emails, Telegram messages, and any files or screenshots you send to us for support or dispute resolution.

3. How we collect information

  • Directly from you when you message the bot, submit keywords or domains, purchase credits, or contact support.
  • From Telegram when you authenticate through the Telegram login widget or interact with the Graphref bot.
  • From payment providers, including PayPal and Telegram payment features such as Telegram Stars, when they notify us of purchase status, checkout identifiers, or refunds.
  • Automatically from your device and browser through essential cookies, request metadata, and normal server-side logging.

4. Purposes of processing and legal bases

We process personal information only for legitimate business and operational purposes related to Graphref. Where GDPR, UK GDPR, or similar laws apply, we generally rely on one or more of the following legal bases:

  • Performance of a contract: to authenticate users, run requested jobs, maintain credits, process purchases, issue refunds, and provide the service you asked us to provide.
  • Legitimate interests: to secure the service, prevent fraud or abuse, debug and maintain the product, enforce our Terms, communicate about service status, and respond to support requests in a way users reasonably expect.
  • Legal obligation: to comply with applicable accounting, tax, law-enforcement, or regulatory obligations.
  • Consent: where a specific use of personal information legally requires consent, we will rely on consent and allow withdrawal where required by law.

5. Cookies, local storage, and similar technologies

Graphref uses essential cookies needed to operate the web experience. Our current website authentication flow stores server-set cookies such as `tg_auth` and `tg_user` to remember Telegram connection state and identify the connected account in the dashboard.

We also load the Telegram login widget from Telegram's servers when you choose to connect your Telegram account. That third-party widget may independently collect device, network, or cookie information subject to Telegram's own privacy terms. If you disable essential cookies, some parts of the Service may not function properly.

6. Disclosures to third parties

We do not sell personal information. We do not disclose personal information to third parties except as reasonably necessary to operate the Service, comply with law, or protect our rights.

  • Telegram: for bot messaging, user authentication, and Telegram-native payment flows.
  • PayPal: for hosted checkout, payment processing, transaction reporting, and refund administration.
  • Hosting and infrastructure providers: for website delivery, storage, security, and service operations, to the extent needed to host or support Graphref.
  • Professional advisers and authorities: where disclosure is reasonably necessary for legal compliance, dispute handling, fraud prevention, or protection of Graphref, users, or the public.
  • Corporate transactions: if Graphref is involved in a merger, acquisition, financing, asset sale, or business restructuring, personal information may be disclosed as part of that transaction subject to applicable confidentiality and legal safeguards.

7. International transfers

Graphref operates online and may use service providers that process data in multiple countries. Telegram, PayPal, and infrastructure providers may process information outside your home jurisdiction. Where required by applicable law, we will take reasonable steps to use legally recognized transfer mechanisms or comparable safeguards for cross-border transfers.

8. Data retention

We keep personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

  • Website authentication cookies are generally retained for the browser session unless cleared earlier.
  • Job instructions, keywords, domains, and job-status data are ordinarily retained while a job is active and for up to 30 days after completion, except where longer retention is reasonably necessary for fraud review, abuse prevention, dispute handling, backups, or legal compliance.
  • Credit, transaction, refund, and account records may be kept for as long as the account remains active and thereafter for a reasonable period needed to maintain accurate financial records, resolve disputes, enforce our Terms, and comply with legal obligations.
  • Support communications may be retained for as long as needed to respond to the request, maintain an accurate support history, and protect against repeat abuse or fraud.

9. Security measures

We use reasonable technical, administrative, and organizational measures designed to protect personal information against unauthorized access, loss, misuse, or alteration. These measures may include server-side verification of Telegram login payloads, HTTP-only authentication cookies on the website, access restrictions, and operational monitoring for abuse or fraudulent activity.

No internet-based system is completely secure. We therefore cannot guarantee absolute security, and you use the Service at your own risk.

10. Your rights and choices

Depending on your location and applicable law, you may have the right to request access to personal information we hold about you, request correction or deletion, object to certain processing, request restriction of processing, request portability, withdraw consent where consent is the legal basis, or complain to a data protection regulator.

To exercise these rights, contact [email protected]. We may need to verify your identity before acting on a request. We may also retain limited information where required to complete a transaction, detect fraud, resolve disputes, comply with law, or enforce our agreements.

11. Sale of data, advertising, and automated decision-making

Graphref does not sell personal information for money. We do not use the Service to run third-party behavioral advertising, and we do not make solely automated decisions that produce legal or similarly significant effects about users.

12. Children's privacy

Graphref is not directed to children, and we do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information to us, contact us and we will review and delete the information where required.

13. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, legal requirements, security practices, or operational needs. When we make material changes, we will update the "Last updated" date and may provide additional notice where required by law.

14. Contact

For privacy-related questions or requests, contact [email protected] or reach us through @graphrefbot.