Legal

Privacy Policy

Last updated: 1 May 2026

1. Introduction

LokyAssistant (“we”, “us”, “our” or “the Company”) respects your privacy. This document explains what data we collect, how we use it, and how we protect it.

Data controller: [Full name], a sole proprietor (FOP) registered in Ukraine [registration number available on request]. A correspondence address is available on request. Data protection contact: support@lokyassistant.com.

2. Data we collect

2.1 Telegram data

  • Telegram ID — the unique identifier of your account
  • Username — your Telegram username (if any)
  • First and last name — from your Telegram profile
  • Message text — to process your requests

2.2 Integration data (if connected)

  • Google OAuth tokens — to access Google Calendar and Drive/Docs/Sheets (encrypted before storage)
  • Email configurations — login and password for IMAP/SMTP (encrypted)
  • Payment data — payments are processed by Telegram (Telegram Stars). Card payment details never reach us; we only store the Telegram payment identifier for potential refunds

2.3 Profile data

  • Email address
  • Date of birth (optional)
  • Location
  • Time zone
  • Preferred language
  • Short bio

2.4 Usage data

  • IP address
  • Device information (type, OS)
  • Time and type of requests
  • Conversation history (stored to keep context within the conversation)

3. How we use your data

Core functionality

  • Providing the service and processing requests
  • Integrating with Google Calendar, Google Drive and other services
  • Generating PDF documents
  • Providing support and technical assistance

Service improvement

  • Usage analysis to improve functionality
  • Tracking errors and issues
  • Improving the service (anonymized data)

Commercial purposes

  • Issuing invoices and processing payments
  • Sending notifications about updates and offers
  • Market research on aggregated and anonymized data

For users in the EU/EEA we process personal data on the following grounds:

  • Performance of a contract (Art. 6(1)(b)) — providing the service, processing your requests, the integrations you connect, and billing.
  • Consent (Art. 6(1)(a)) — connecting external accounts (Google, email), optional profile fields and marketing messages. You can withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)) — service security, abuse prevention, the blocked-accounts registry, error detection and service improvement on anonymized data.
  • Legal obligation (Art. 6(1)(c)) — payment records and compliance with applicable law.

4. How we protect your data

Encryption

  • All sensitive data (passwords, tokens) is encrypted with Fernet (AES-128)
  • HTTPS for all HTTP requests
  • Data transmission over SSL/TLS

Access

  • Data is isolated by user_id (each user only sees their own data)
  • All access to sensitive data is logged
  • Restricted database access (developers only)

Backups

  • Daily encrypted database backups
  • Stored in a secure EU facility — Hetzner Cloud (Nuremberg, Germany) with a signed DPA (GDPR Art. 28)

5. Sharing data with third parties

We do not sell your data. However, we share data with the following services to provide the service (sub-processors per GDPR Art. 28):

  • Anthropic (Claude AI) — for text processing
  • Anthropic (Claude Vision) — for photo recognition and description
  • OpenAI (GPT Image 2) — for image editing and generation
  • OpenAI — for voice processing (speech recognition and synthesis) if you use voice features
  • Google — for Google Calendar and Drive integrations (if connected)
  • Serper.dev / Google — for web search: when you ask to look something up online, your search query is sent to this service
  • Cloudflare — website CDN and anti-bot protection (Turnstile); processes your IP address
  • Hetzner — infrastructure and backup hosting (EU, Germany)
  • Telegram — for message delivery
  • Telegram (Telegram Stars) — for payment processing

All third-party services have their own Privacy Policies. We recommend reading them.

International data transfers

Some sub-processors (Anthropic, OpenAI, Serper.dev/Google, Cloudflare) are located in the United States. Transfers of personal data outside the EU/EEA rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework (for providers certified under the DPF) and/or Standard Contractual Clauses (SCCs, GDPR Art. 46) as an additional safeguard. Infrastructure and backups are stored in the EU (Hetzner, Germany).

5a. Photo processing

LokyAssistant lets you send photos for recognition, editing and generation of new images.

How photos are processed

  • Photos are processed ephemerally — we do not store originals locally on our servers.
  • Only the Telegram file_id is kept (up to 7 days) — the reference needed for multi-turn editing.
  • After your request is handled, the photo is removed from memory.
  • Photos and generated images are NOT used to train provider models.
  • Transfers to providers happen only over HTTPS/TLS.

Third-party providers for photos

  • Anthropic Claude Vision — recognizing and describing photo content (privacy).
  • OpenAI GPT Image 2 — editing and generating images (privacy).

Each provider has its own Content Policy that applies to your requests.

Prohibited content

The assistant will refuse to process photos and requests that contain:

  • Third parties' documents with their personal data (passports, ID cards, etc.) without a lawful basis — you are responsible for the lawfulness of processing other people's documents.
  • NSFW content, violence, discrimination, hate speech.
  • Images of real people created for harmful purposes: deepfakes, intimate imagery without the depicted person's consent, impersonation, harassment or humiliation.
  • Copyrighted content (reproduction of protected works, brand logos).

When you try to process prohibited content, the bot refuses and the provider cost is NOT charged against your quota (your quota is refunded).

5b. Your clients' data (Client Cards)

The Client Cards feature lets you store information about your clients and contacts: name, company, phone, notes and calendar events.

  • You are the data controller, we are the processor. By entering third-party data (your clients), you become the controller of that personal data under the GDPR, while LokyAssistant acts as a processor on your instructions (like CRM systems such as HubSpot or Pipedrive). You are responsible for having a lawful basis for processing and for informing your clients.
  • What we store: only the fields you enter. Data is isolated per your account (user_id) — other users cannot see it.
  • Export (portability): you can export all client cards at any time in a machine-readable format (CSV/vCard).
  • Deletion: deleting a card means real erasure of the data (not just hiding it) — so you can fulfil your client's "right to be forgotten" request. Deleting your account via /delete_me also erases all client cards.
  • Special categories: do not enter special categories of personal data (health, biometric data, religious beliefs, etc.) without the explicit consent of the data subject — see the Terms.

5c. Google Workspace data (Drive & Calendar)

If you connect your Google account, LokyAssistant accesses a limited set of Google data only to perform the actions you ask for in chat.

Scopes we request

  • .../auth/drive.file (non-sensitive) — per-file access limited to the documents and spreadsheets the assistant itself creates, or that you explicitly open with it. We cannot see or access any other files in your Google Drive.
  • .../auth/calendar.events (sensitive) — to read, create, update and delete events in your calendar at your request. We do not manage your calendar list, settings or sharing.

We do not request access to Gmail or to your full Google Drive.

What we do with this data

  • We act only on your explicit instruction (e.g. “create a budget sheet”, “add a meeting tomorrow at 3 pm”).
  • Calendar event data is processed transiently to fulfil your request and give the assistant context — we do not build a persistent copy of your calendar.
  • We do not store the contents of your Google files on our servers. We keep only the technical identifiers (file IDs / event IDs) needed to act on items you created through the assistant.

Storage, retention and deletion

  • OAuth tokens are encrypted (Fernet) and stored until you disconnect.
  • You can disconnect at any time via the bot (/services), which revokes the tokens at Google.
  • Deleting your account with /delete_me revokes your Google tokens at Google and erases the stored identifiers.

Limited Use

LokyAssistant's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not:

  • use Google user data for advertising;
  • sell Google user data, or transfer it to third parties except as needed to provide or improve the service, for security, or to comply with law;
  • use Google user data to train generalized AI/ML models — our AI sub-processor (Anthropic) does not use API data for training by default (Commercial Terms);
  • allow humans to read this data, except with your consent, for security, to comply with law, or where the data is aggregated/anonymized.

6. Data retention

  • Active users: data is kept while the account is active
  • Inactive users (1+ year): data may be deleted
  • After deletion: data is removed within 30 days (excluding legal obligations)
  • Backups: kept for up to 90 days
  • Photos (binary content): not stored (ephemeral processing)
  • Telegram photo file_id: up to 7 days (for multi-turn editing)

7. Your rights

GDPR / European law

If you are based in Europe, you have the following rights:

  • Right of access — request a copy of your data
  • Right to erasure — the “right to be forgotten”
  • Right to rectification — update incorrect data
  • Right to portability — receive your data in a machine-readable format
  • Right to object — opt out of data processing
  • Right to restriction of processing (Art. 18) — request that we temporarily suspend processing of your data
  • Right to lodge a complaint (Art. 77) — you may contact the data protection supervisory authority in your country of residence (for the EU/EEA)

To exercise these rights, write to support@lokyassistant.com.

Exception for suspended accounts

If your account has been suspended for violating the Terms, your Telegram ID is retained in a separate registry of blocked IDs even after your other data is deleted via /delete_me. This is necessary to prevent ban evasion. The registry contains ONLY: Telegram ID, suspension date, duration, reason. Entries with a temporary duration are automatically deleted once it expires. Permanent suspensions are removed only upon a successful appeal via support@lokyassistant.com.

8. Cookies

The lokyassistant.com website does not use cookies for tracking or analytics (no Google Analytics, Meta Pixel, etc.). Only technically necessary cookies are used:

  • Cloudflare Turnstile — anti-bot challenge on the contact form (privacy).
  • Session cookies — contact-form CSRF token (cleared when you close your browser).
  • lang_pref — remembers your website language choice (lifetime — 1 year).

You can disable cookies in your browser settings; the contact form will not work in that case.

9. Children

LokyAssistant is not intended for people under 16. We do not knowingly collect data from children. If we learn that a user is under 16, we will take steps to delete their data.

10. Contact

If you have questions about this Privacy Policy:

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the bot or email.