Legal

Privacy Policy

What we collect, why, and how we protect it. Last updated: May 16, 2026.

What we collect

For mySkua account holders (you):

  • Email, hashed password (bcrypt), display name
  • Bot tokens (encrypted at rest with Fernet)
  • Telegram user ID and Google sub if you connect those accounts
  • Last-login timestamp + IP for security auditing

For your bot's end users (Telegram subscribers):

  • Telegram user ID, username, display name (as Telegram provides)
  • Preferred language, traffic source attribution
  • Message delivery + engagement metadata

We do not collect message content beyond what's needed for delivery + audit logs.

Where it's stored

EU region (Railway Frankfurt + Vercel Frankfurt). Postgres with daily backups. Bot tokens encrypted with per-instance secret keys.

Who we share with

No third-party advertisers. Sub-processors: Railway (hosting), Vercel (CDN/edge), and your future Stripe (billing). Full sub-processor list available on request.

Your rights

  • Export all your data (one-click from Settings)
  • Delete your account + all bot data permanently (one-click + 30-day grace period)
  • Object to processing, request rectification (GDPR Articles 16/17/21)

Cookies

One: access_token — HttpOnly, Secure, SameSite=None in production. JWT for session, expires after 24 hours.

Contact

For data requests, email privacy@myskua.com. We respond within 7 days.

See also: Data Processing Agreement, Security.