Privacy Policy

Last updated: December 17, 2025

We respect your privacy and are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"). This policy explains what we collect, why, how long we keep it, who we share it with, and your rights.

1. Controller and Contact Details

Valnovo OÜ
Registry code: 16470340
Address: Narva mnt 7-557, 10117 Tallinn, Estonia
Email: support@bot2site.com
Website: https://bot2site.com

Data Protection Officer (DPO): Not appointed (optional for companies of our size under Estonian law).

2. What Personal Data We Process

We collect and process the following categories of personal data:

a) Account and identification data:

  • Telegram User ID (unique identifier)
  • Telegram username (if publicly visible)
  • First and last name (as provided in your Telegram profile)
  • Language preference
  • Account creation date

b) Website content and configuration:

  • Text, images, and other content you submit via our Telegram bot
  • Website structure, design choices, and settings
  • Custom domain name (if you connect one)
  • Website metadata (creation date, last update)

c) Billing and subscription data:

  • Subscription plan and status
  • Payment method type (processed by Stripe; we don't store full card details)
  • Transaction history and invoice records
  • Billing email address

d) Technical and security logs:

  • IP addresses (for security and fraud prevention)
  • Device information and browser type
  • Access logs and timestamps
  • Error logs and debugging information

e) Communications:

  • Support inquiries and correspondence with our team
  • Feedback and feature requests

f) Optional analytics (with your consent):

  • Anonymized usage statistics
  • Page views and interaction patterns
  • Anonymized performance metrics

3. Purpose and Legal Basis for Processing

We process your personal data for the following purposes:

Purpose Legal Basis GDPR Article
Create and manage your account Performance of contract Art. 6(1)(b)
Generate and host your website Performance of contract Art. 6(1)(b)
Process payments and subscriptions Performance of contract & Legal obligation Art. 6(1)(b) & 6(1)(c)
Provide customer support Performance of contract Art. 6(1)(b)
Prevent fraud and abuse Legitimate interests (security) Art. 6(1)(f)
Maintain system security Legitimate interests (security) Art. 6(1)(f)
Comply with legal obligations (e.g., tax, accounting) Legal obligation Art. 6(1)(c)
Optional analytics Your explicit consent (16+) Art. 6(1)(a)
Send service updates and important notices Performance of contract & Legitimate interests Art. 6(1)(b) & 6(1)(f)

Legitimate interests assessment: Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

4. Sources of Personal Data

  • Directly from you through interactions with our Telegram bot
  • From Telegram as the messaging platform through which you access our service
  • Automatically generated during your use of the service (e.g., logs, technical data)
  • From Stripe regarding payment confirmations and subscription status

5. Data Processors and Recipients

We share your personal data only as necessary with the following categories of recipients:

a) Essential service providers (data processors):

  • Hetzner Online GmbH (Germany, EU) — hosting and infrastructure
  • Stripe, Inc. — payment processing (appropriate safeguards in place per Art. 46 GDPR)
  • Telegram Messenger — communication platform (independent controller; see section 6)

b) Legal recipients:

  • Estonian tax authorities (MTA) — for tax compliance under Estonian law
  • Law enforcement or regulatory authorities — when legally required by court order or applicable law

c) No other third parties: We do not sell, rent, or share your personal data with third parties for their marketing purposes.

Data Processing Agreements: We have concluded Data Processing Agreements (DPAs) with all processors where required by Art. 28 GDPR.

6. Telegram as Independent Controller

Important notice: Telegram Messenger is an independent data controller for the data you share through their platform. When you use our bot:

  • Telegram processes your messages according to their own Privacy Policy: telegram.org/privacy
  • We receive your content from Telegram to deliver our service
  • Telegram does not provide us with a Data Processing Agreement
  • Telegram's servers may be located outside the EEA
  • We have no control over Telegram's data processing practices

By using our Telegram bot, you acknowledge that Telegram independently processes your data under their terms.

7. International Data Transfers

Within the EEA: Your website data is hosted on servers located in Germany (Hetzner), which is within the European Economic Area.

Outside the EEA:

  • Stripe (USA): We use Stripe for payment processing. Data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR.
  • Telegram: As an independent service, Telegram may transfer data globally. We have no control over these transfers. See: telegram.org/privacy

No other international transfers are performed by us.

8. Data Retention Periods

We retain your personal data only as long as necessary for the purposes outlined above:

Data Category Retention Period Criteria
Account and website content Duration of your account + 30 days after deletion Service provision + backup retention
Billing records and invoices 7 years from creation Estonian accounting law requirement
Payment transaction logs 7 years Estonian tax law and fraud prevention
Security and access logs Up to 12 months Security monitoring and abuse prevention
Support communications 2 years after case closure Customer service quality and legal claims
Analytics data (if consented) 24 months, anonymized thereafter Usage analysis
Marketing consent records Until withdrawn + 3 years Legal compliance (proof of consent)

Deletion: After retention periods expire, data is securely and permanently deleted or anonymized beyond recovery.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data we hold.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your data when it's no longer necessary, you withdraw consent, or you object to processing.
  • Right to restriction of processing (Art. 18): Limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for analytics or marketing (does not affect prior lawful processing).
  • Right not to be subject to automated decision-making (Art. 22): We do not use automated decision-making or profiling.

How to exercise your rights: Email us at support@bot2site.com with your request. We will respond within 30 days.

10. Access to Your Personal Data

You have the right to request access to the personal data that we process about you. This includes information about the categories of personal data, the purposes of processing, the recipients of the data, and the period for which data is retained.

To request a copy of your personal data stored by Bot2Site, you may use the "🔐 Meine Daten" option in the Support section of our Telegram bot, or contact us at:

support@bot2site.com

We will provide your personal data in a structured, commonly used, machine-readable format upon request.

11. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee/en
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia

You may also contact the supervisory authority in your EU country of residence or workplace.

12. Age Restriction and Children's Data

Our service is intended for users aged 16 and above in accordance with Art. 8 GDPR. We do not knowingly collect or process personal data from children under 16 without verifiable parental consent.

If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us at support@bot2site.com, and we will delete it promptly.

13. Cookies and Local Storage

Cookie consent: We use a minimal consent mechanism. Analytics cookies are disabled by default and enabled only if you opt in (Art. 6(1)(a) GDPR).

Essential cookies: We use strictly necessary cookies for:

  • Session management and authentication
  • Security and fraud prevention
  • Service functionality

These cookies do not require consent under ePrivacy Directive Art. 5(3).

Analytics cookies (optional): With your consent, we use anonymized analytics to improve our service. You can change your preferences at any time in Cookie Settings.

14. Security Measures

We implement appropriate technical and organizational measures to protect your data:

Technical measures:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for sensitive data
  • Regular security updates and patches
  • Firewalls and intrusion detection systems
  • Access logging and monitoring

Organizational measures:

  • Access controls based on need-to-know principle
  • Employee data protection training
  • Regular security audits
  • Incident response procedures
  • Backup and disaster recovery plans

Data breach notification: In case of a personal data breach likely to result in high risk to your rights, we will notify you and the Estonian Data Protection Inspectorate within 72 hours as required by Art. 33-34 GDPR.

15. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (Art. 22 GDPR).

16. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you:

  • Material changes: We will notify you at least 30 days in advance via Telegram message or email
  • Minor changes: We will update the "Last updated" date at the top of this policy
  • Your continued use of the service after changes take effect constitutes acceptance of the revised policy

Version history: Previous versions are available upon request at support@bot2site.com.

17. Data Protection Principles

We process your personal data in accordance with the following GDPR principles (Art. 5):

  • Lawfulness, fairness, transparency: We process data lawfully and inform you clearly
  • Purpose limitation: We collect data only for specified, explicit purposes
  • Data minimization: We collect only what's necessary
  • Accuracy: We keep data accurate and up to date
  • Storage limitation: We retain data only as long as needed
  • Integrity and confidentiality: We protect data with appropriate security
  • Accountability: We can demonstrate our compliance

18. Contact Us

For questions, concerns, or requests regarding this privacy policy or your personal data:

Email: support@bot2site.com
Telegram: @b2s_support
Postal address: Valnovo OÜ, Narva mnt 7-557, 10117 Tallinn, Estonia

Response time: We aim to respond within 3-5 business days.

Effective date: December 17, 2025
Version: 1.2 (Updated December 17, 2025)