Privacy Policy

Welcome to Varta, a Telegram antispam bot service ("Service," "we," "our," or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Telegram bot. By using our Service, you agree to the collection and use of information in accordance with this policy.

01 Data Controller

The data controller responsible for your personal data is:

A Data Protection Officer (DPO) has not been appointed. For any data protection inquiries, please contact the Data Controller at the email address above.

02 Information We Collect

We collect limited information strictly necessary to provide and improve our antispam services:

• User IDs and Usernames: Telegram User IDs, usernames, and display names of members in groups where Varta is active, to identify message senders and manage spam flags.
• Profile Metadata: Account age, bio text, and profile photo presence are used as behavioral signals for spam detection.
• Group IDs: Telegram Group IDs of groups and channels where the bot is installed.
• Message Content: Text and content of messages sent in groups, processed for spam detection purposes. Messages are analyzed in real time and are not stored after analysis unless flagged as spam.
• Flagged Content: Messages identified as potential spam are temporarily retained for administrator review.
• Direct Message (DM) Conversations: Text content and conversation history of direct messages sent to the bot by administrators, including commands, settings changes, and support conversations.
• Admin Data: Language preference, notification preferences, and group settings configured by administrators.
• AI Chat Interactions: Questions submitted by administrators through the AI chat feature.
• Images and Screenshots: Photos shared in groups or forwarded by administrators for spam analysis.
• Reputation and Learning Data: Cross-group ban history (user ID and count) to detect repeat spammers. Learned spam patterns (text fragments) to improve detection accuracy. User IDs in learned patterns are anonymized during GDPR deletion.
• Usage Statistics: Aggregated message counts per group, spam detection counts, and AI usage counts per owner for billing and plan limits.
• Billing Information: For paid subscriptions, Stripe customer ID, subscription ID, and payment history references are stored. We do not store credit card numbers, CVVs, or full payment details. All payment processing is handled exclusively by Stripe.

03 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary to provide the antispam service you or your group administrator have requested. This includes DM conversations, admin settings, and billing data.
• Legitimate Interest (Art. 6(1)(f) GDPR): Processing message content, profile metadata, and cross-group reputation data for spam detection serves the legitimate interest of maintaining safe group environments. We have conducted a balancing test and concluded that the minimal data processed (message text analyzed in real time, not stored long-term) does not override users' rights.
• Consent (Art. 6(1)(a) GDPR): Where applicable, such as for optional AI chat interactions or image analysis initiated by administrators.
• Legal Obligation (Art. 6(1)(c) GDPR): Retention of payment records as required by applicable tax and financial law.

04 How We Use Your Information

• Spam Detection and Prevention: Analyzing group messages, profile metadata, and cross-group reputation to identify potential spam using AI models.
• Service Operation: Operating, maintaining, and providing the core functionality of the bot, including processing DM conversations for commands and settings.
• Administrator Review: Allowing group administrators to review flagged content.
• AI Chat Feature: Processing administrator questions to provide relevant responses.
• Image Analysis: Analyzing screenshots and photos for spam detection.
• Communication: Contacting administrators regarding service updates, support, or billing.
• Service Improvement: Understanding usage patterns to improve spam detection accuracy, including learning spam patterns from flagged content.

05 AI Processing

Varta uses third-party AI services to analyze suspicious messages:

• Anthropic (Claude models) — Primary AI provider for message content analysis and admin chat feature.
• OpenAI (GPT models) — Fallback AI provider for spam analysis.
• Google (Gemini models) — Fallback AI provider for spam analysis.

When a message is sent to AI for analysis:

• Only the message text and minimal context (group type, recent conversation snippet) are sent.
• No user IDs, usernames, or personal identifiers are included in AI prompts.
• AI providers process data under their data processing agreements and do not use API-submitted data for training their models.

Additionally, Google Safe Browsing API is used to check URLs found in messages for known malicious sites.

06 Sub-Processors and Third-Party Services

We use the following third-party services to process data:

• Anthropic (Anthropic, PBC) — Primary AI provider for spam analysis and admin chat. Data shared: message text content, admin chat questions. Anthropic does not use data submitted via its API for training. Data is processed in the United States. See Anthropic's Privacy Policy.
• OpenAI (OpenAI, L.L.C.) — Fallback AI provider for spam analysis. Data shared: message text content. OpenAI does not use data submitted via its API for training. Data is processed in the United States. See OpenAI's Privacy Policy.
• Google (Google LLC) — Fallback AI provider (Gemini) and Safe Browsing API for URL checking. Data shared: message text snippets, URLs. Data is processed in the United States. See Google's Privacy Policy.
• Stripe (Stripe, Inc.) — Payment processing. Stripe handles all payment card data directly. See Stripe's Privacy Policy.
• Sentry (Functional Software, Inc.) — Error monitoring and crash reporting. Error logs may include user IDs in stack traces. See Sentry's Privacy Policy.
• Hetzner (Hetzner Online GmbH) — Server hosting in Finland (EU). All primary data is stored on Hetzner servers. See Hetzner's Privacy Policy.
• Telegram Bot API (Telegram FZ-LLC) — Communication platform. See Telegram's Privacy Policy.
• Cloudflare (Cloudflare, Inc.) — CDN + DDoS protection for getvarta.com (Cloudflare Pages). Data shared: visitor IP, user-agent, page requests. Processed globally via Cloudflare's network. See Cloudflare's Privacy Policy.
• Microsoft Clarity (Microsoft Corp.) — Session-recording analytics on the website (getvarta.com). Data shared: visitor IP, mouse movement, scroll depth, clicked elements. Not loaded in the bot itself. See Microsoft's Privacy Policy.
• Umami (self-hosted at analytics.getvarta.com) — Privacy-friendly page-view analytics. No cross-site tracking. Data stays on our Hetzner infrastructure.

Changes to this list are announced in this document's Last Updated date (top of page). Enterprise customers with DPAs receive 30-day advance notice of new sub-processors via email. To receive notifications as a non-Enterprise customer, email [email protected] with "sub-processor updates" in the subject.

07 Data Storage and Retention

• Real-Time Processing: Messages are analyzed in real time for spam detection and are not stored after analysis unless flagged.
• Flagged Content: Content flagged as spam is retained for administrator review and is automatically deleted after 90 days.
• DM Conversation Logs: Direct message conversations with the bot are retained for 90 days, then automatically deleted.
• User Statistics: Aggregated usage statistics (message counts, detection counts) are retained for 90 days, then automatically deleted.
• Learned Spam Patterns: Text fragments identified as spam patterns are retained for 90 days from first detection, then automatically deleted.
• Cross-Group Reputation: Ban history and reputation data is retained for 180 days from last offense, then automatically deleted.
• Group Settings: Configuration and settings are retained for the duration of the group's use of the Service and deleted when the group removes the bot.
• Payment Records: Retained as required by applicable law (typically 7 years for tax purposes).
• Error Logs (Sentry): Retained for 90 days per Sentry's default retention policy.
• Automatic Cleanup: A daily cleanup process permanently deletes old records. Data is permanently deleted, not archived.
• Data Location: Primary data is stored on secure servers located in the European Union (Finland, Hetzner). Data may also be processed in the United States through our AI sub-processors (see Section 6).

08 Automated Decision-Making

Varta uses automated processing, including artificial intelligence, to analyze messages and determine whether they constitute spam. Based on this analysis, the bot may automatically take actions such as deleting messages, restricting users, or flagging content for administrator review.

You should be aware of the following regarding automated decisions:

Automated spam detection decisions are made in real time to protect the group environment. No automated decision results in permanent consequences without the possibility of human review. Group administrators can review all flagged content and reverse any automated action taken by the bot. If you believe your message was incorrectly flagged or removed, you may contact the group administrator to request a review. Group administrators retain full control over the bot's behavior and can adjust sensitivity settings, whitelist users, or disable automated actions at any time.

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. If you believe an automated decision by Varta has significantly affected your rights, you may contact us to request human review of that decision.

09 Your Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request correction of inaccurate personal data.
• Right to Erasure ("Right to Be Forgotten"): You have the right to request deletion of your personal data.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object: You have the right to object to processing of your personal data based on legitimate interest.
• Right to Restrict Processing: You have the right to request restriction of processing in certain circumstances.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right Related to Automated Decision-Making: You have the right to request human review of automated decisions that significantly affect you (see Section 8).

How to exercise your rights

Option 1 (fastest): Send /deletedata to @Varta_moderator_bot on Telegram. This immediately deletes your personal data: language preferences and settings, conversation history, user statistics, feedback and support history, referral data, and removes your user ID from learned patterns (the underlying anonymized patterns remain, since they contain no direct identifier). Exception — reputation counters. Cross-group ban signals tied to your pseudonymous Telegram user ID (strike counts, "groups banned in" tally) are retained for up to 180 days from the last offense under legitimate interest (GDPR Art. 6(1)(f)) to prevent spammers from using /deletedata to reset their strike count. Legitimate users who want this residue removed can email [email protected] and we'll handle it case-by-case within 30 days. You will receive confirmation with the number of records deleted.

Option 2: Email [email protected] with your Telegram user ID. We will respond within 30 days as required by GDPR. If we need additional time, we will inform you of the reason and extension period (up to 60 additional days).

Note: Deletion is permanent and cannot be undone. Group-level aggregated statistics (e.g., "47 spam messages blocked today") are retained as they contain no personal data.

You also have the right to lodge a complaint with a supervisory authority in your country of residence.

10 Group Members' Notice

If you are a member of a Telegram group or channel that uses Varta:

Your messages are analyzed in real time for spam detection. Messages identified as legitimate are not stored by Varta. Messages flagged as spam are stored for up to 90 days so group administrators can review and undo false positives. You can request deletion of your data at any time by sending /deletedata to @Varta_moderator_bot.

Group administrators are responsible for informing their members that an antispam bot is active. We encourage administrators to mention Varta in their group description or pinned message.

11 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay.

12 International Data Transfers

Varta is available worldwide and supports 33 languages. Your data is primarily stored in the European Union (Finland). Some data may be processed in the United States by our AI sub-processors (Anthropic, OpenAI, Google) and payment processor (Stripe). For transfers of personal data from the EEA, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by applicable law.

13 Cookies

Our website uses essential cookies (session management, language preference) and two analytics tools that set non-essential cookies:

• Umami — privacy-friendly, self-hosted analytics at analytics.getvarta.com. Collects aggregated page views, referrer, country, device. No advertising, no cross-site tracking, no personal identifiers.
• Microsoft Clarity — session recordings (mouse movement, scroll depth) on a US sub-processor (Microsoft Corp). Your IP is collected by Clarity as part of the service. We use it to spot UX issues and dead-click patterns.

We do not use advertising cookies, retargeting pixels, or third-party ad networks. EU/UK visitors: under the ePrivacy Directive, Clarity's analytics cookies require consent — a cookie banner is in progress. In the meantime, Clarity is blocked by default by uBlock Origin, Brave's shield, Firefox Enhanced Tracking Protection, and most other privacy extensions. To request removal of any Clarity session recordings tied to you, email [email protected].

14 Disclosure of Your Information

We do not sell, trade, rent, or otherwise transfer your personally identifiable information to outside parties. We may share information in the following limited circumstances:

• Sub-Processors: As described in Section 6, we share minimal data with third-party services necessary to operate the Service.
• Legal Requirements: We may disclose your information if required by law or in response to valid requests by public authorities.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your information becomes subject to a different Privacy Policy.

15 Security

We use administrative, technical, and physical security measures to help protect your personal information, including encrypted connections (HTTPS/TLS), access controls, and regular security reviews. All data is stored on servers in the EU (Finland) hosted by Hetzner. Access to the server is restricted to the developer only. No data is sold to third parties, ever. While we take reasonable steps to secure your data, no method of transmission or storage is 100% secure.

16 Data Processing Agreement

For Enterprise customers or organizations that require a Data Processing Agreement (DPA) for GDPR compliance purposes, please contact us at [email protected]. We will provide a DPA upon request.

17 Children's Privacy

Our Service is not intended for use by anyone under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we take steps to remove that information from our servers.

18 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date." Significant changes will also be announced via the bot. You are advised to review this Privacy Policy periodically.

19 Contact Us

If you have any questions or concerns about this Privacy Policy or wish to exercise your data rights, please contact us: