Legal

Privacy Policy

Last updated: 1 May 2026

1. Introduction

LokyAssistant (“we”, “us”, “our” or “the Company”) respects your privacy. This document explains what data we collect, how we use it, and how we protect it.

2. Data we collect

2.1 Telegram data

  • Telegram ID — the unique identifier of your account
  • Username — your Telegram username (if any)
  • First and last name — from your Telegram profile
  • Message text — to process your requests

2.2 Integration data (if connected)

  • Google OAuth tokens — to access Gmail and Google Calendar (encrypted before storage)
  • Email configurations — login and password for IMAP/SMTP (encrypted)
  • LiqPay tokens — for payments (encrypted)
  • Slack tokens — if you connect the integration (encrypted)

2.3 Profile data

  • Email address
  • Date of birth (optional)
  • Location
  • Time zone
  • Preferred language
  • Short bio

2.4 Usage data

  • IP address
  • Device information (type, OS)
  • Time and type of requests
  • Conversation history (stored to keep context within the conversation)

3. How we use your data

Core functionality

  • Providing the service and processing requests
  • Integrating with Gmail, Google Calendar and other services
  • Generating PDF documents
  • Providing support and technical assistance

Service improvement

  • Usage analysis to improve functionality
  • Tracking errors and issues
  • Improving the service (anonymized data)

Commercial purposes

  • Issuing invoices and processing payments
  • Sending notifications about updates and offers
  • Analytics and market research

4. How we protect your data

Encryption

  • All sensitive data (passwords, tokens) is encrypted with Fernet (AES-128)
  • HTTPS for all HTTP requests
  • Data transmission over SSL/TLS

Access

  • Data is isolated by user_id (each user only sees their own data)
  • All access to sensitive data is logged
  • Restricted database access (developers only)

Backups

  • Daily encrypted database backups
  • Stored in a secure EU facility — Hetzner Cloud (Nuremberg, Germany) with a signed DPA (GDPR Art. 28)

5. Sharing data with third parties

We do not sell your data. However, we share data with the following services to provide the service (sub-processors per GDPR Art. 28):

  • Anthropic (Claude AI) — for text processing
  • Anthropic (Claude Vision) — for photo recognition and description
  • OpenAI (GPT Image 2) — for image editing and generation
  • Google — for Calendar and Drive integrations
  • Telegram — for message delivery
  • LiqPay / Stripe — for payment processing
  • OpenAI (Whisper) — for audio transcription (optional)

All third-party services have their own Privacy Policies. We recommend reading them.

5a. Photo processing

LokyAssistant lets you send photos for recognition, editing and generation of new images.

How photos are processed

  • Photos are processed ephemerally — we do not store originals locally on our servers.
  • Only the Telegram file_id is kept (up to 7 days) — the reference needed for multi-turn editing.
  • After your request is handled, the photo is removed from memory.
  • Photos and generated images are NOT used to train provider models.
  • Transfers to providers happen only over HTTPS/TLS.

Third-party providers for photos

  • Anthropic Claude Vision — recognizing and describing photo content (privacy).
  • OpenAI GPT Image 2 — editing and generating images (privacy).

Each provider has its own Content Policy that applies to your requests.

Prohibited content

We block processing of photos and requests that contain:

  • Documents with personal data: passports, ID cards, driving licenses, medical records, bank statements.
  • NSFW content, violence, discrimination, hate speech.
  • Photos of third parties without their explicit consent.
  • Copyrighted content (reproduction of protected works, brand logos).

When you try to process prohibited content the bot refuses and the provider cost is NOT charged against your quota (refund quota).

6. Data retention

  • Active users: data is kept while the account is active
  • Inactive users (1+ year): data may be deleted
  • After deletion: data is removed within 30 days (excluding legal obligations)
  • Backups: kept for up to 90 days
  • Photos (binary content): not stored (ephemeral processing)
  • Telegram photo file_id: up to 7 days (for multi-turn editing)

7. Your rights

GDPR / European law

If you are based in Europe, you have the following rights:

  • Right of access — request a copy of your data
  • Right to erasure — the “right to be forgotten”
  • Right to rectification — update incorrect data
  • Right to portability — receive your data in a machine-readable format
  • Right to object — opt out of data processing

To exercise these rights, write to support@lokyassistant.com.

8. Cookies

The lokyassistant.com website does not use cookies for tracking or analytics (no Google Analytics, Meta Pixel, etc.). Only technically necessary cookies are used:

  • Cloudflare Turnstile — anti-bot challenge on the contact form (privacy).
  • Session cookies — contact-form CSRF token (cleared when you close your browser).
  • lang_pref — remembers your website language choice (lifetime — 1 year).

You can disable cookies in your browser settings; the contact form will not work in that case.

9. Children

LokyAssistant is not intended for people under 13. We do not knowingly collect data from children. If we learn that a user is under 13, we will delete their account.

10. Contact

If you have questions about this Privacy Policy:

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the bot or email.