Privacy Policy
Last updated: May 11, 2026
General information
This Privacy Notice explains what information we collect about you, how we use it, and what rights and choices you have. It applies to the telegrin service (the “Service”), available at https://tg.grinfi.io (and any successor domain such as https://telegrin.io).
The Service is operated by the private limited company Grinfi OÜ (company number: 16546847, “we”, “us”, “our”), registered at Harju maakond, Tallinn, Kesklinna linnaosa, Vesivärava tn 50-201, 10152, Estonia.
By using the Service, you agree to this Privacy Notice. If you do not agree, please do not use the Service.
What personal information we collect
We collect data from people who sign up for the Service, from people who visit our website, and from publicly accessible Telegram chats that you choose to monitor.
Information you provide
- Account data required for signup: first name, last name, email address, password (stored as a salted hash).
- Optional profile data: company name, position, country, timezone, preferred language.
- Workspace configuration: workspace name, team members you invite, role assignments.
- Billing data: name, billing address, and tax identifiers. Card numbers and payment instruments are collected and processed directly by our payment processor (Stripe) — we never see or store full card details.
- Telegram account credentials: when you connect a Telegram account to the Service, you provide your phone number and a one-time login code so that we can establish a session with Telegram on your behalf. The resulting session is encrypted at rest and used solely to perform the monitoring and messaging actions you configure.
- Monitoring configuration: the Telegram chats you choose to monitor, the keywords you choose to track, and the prompts and templates you configure for AI-generated replies.
- Support and sales messages: the content you send to us via email, in-app chat, or other support channels.
Information collected automatically
- Pages visited, session duration, request headers (such as Referer, User-Agent, Accept), browser and operating system information, IP address.
- Authentication and session cookies (see “Cookies” below).
- Error and performance telemetry, including stack traces and contextual metadata, captured via Sentry. We scrub known sensitive fields (tokens, passwords, secrets) from this telemetry before it leaves your browser or our servers.
Information collected from Telegram on your direction
When you connect a Telegram account and configure monitoring, the Service collects information from the publicly accessible Telegram chats you select:
- Messages that match your keywords or AI-classification rules.
- Sender identifiers (Telegram user ID, username, first name where visible).
- Chat identifiers and titles.
- Timestamps and message metadata.
- Derived data: AI-generated classifications, language detection, suggested replies, and your moderation decisions on each signal.
We do not access private chats or direct messages that fall outside the scope of the monitoring you configure, except for direct messages exchanged through workflows you explicitly enable (for example, AI-assisted replies on conversations you started).
Cookies and tracking
Cookies are small files that a site transfers to your device through your web browser. We use cookies for:
- Session management: keeping you signed in and remembering your preferred language and region.
- Security: anti-bot protection on sign-in and sign-up forms (Cloudflare Turnstile).
- Operational analytics: understanding which features are used so we can improve them.
Third-party providers (such as Stripe, Sentry, Cloudflare, and Intercom) may set their own cookies when their tools are loaded. These providers are contractually limited to using the information for the purpose of providing their service to us. You can manage cookies through your browser settings.
How we use the data
We use the data described above to:
- Provide, maintain, and improve the Service.
- Authenticate you, secure your account, and prevent fraud and abuse.
- Process payments, send invoices, and manage subscriptions.
- Communicate with you about your account, product updates, security notices, and (with your consent where required) marketing.
- Generate AI classifications, summaries, and suggested replies for the Telegram signals you monitor.
- Detect and respond to violations of our Terms & Conditions and applicable law.
- Comply with legal obligations and respond to lawful requests.
- Maintain internal records, including audit logs of significant account actions.
The legal bases on which we rely (under the GDPR, where applicable) are:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent abuse, and improve product quality.
- Consent — for optional marketing communications and for connecting third-party accounts such as Telegram.
- Legal obligation — for tax, accounting, and law-enforcement requirements.
Sub-processors and third parties
We engage trusted service providers to help us operate the Service. Each sub-processor is bound by a written agreement to protect your data and to use it only on our instructions:
- Hetzner Online GmbH (Germany) — hosting and storage.
- Stripe, Inc. (United States and EU) — payment processing and subscription management.
- OpenAI, L.L.C. and Anthropic, PBC (United States) — large-language-model inference for signal classification, translation, and reply generation. Inputs and outputs are sent to these providers solely to produce the requested output and are not used to train third-party models.
- Cloudflare, Inc. (United States) — DNS, CDN, WAF, and anti-bot challenges.
- Functional Software, Inc. d/b/a Sentry (United States) — error monitoring and performance telemetry.
- Intercom, Inc. (United States) — customer support messaging.
- Email delivery providers — transactional emails (account verification, password reset, billing receipts).
The current list of sub-processors is available on request at [email protected]. We will notify customers of material changes to this list.
Data storage location
We are an Estonian company with customers worldwide. Our primary servers are hosted in Germany by Hetzner Online GmbH, which provides infrastructure compliant with EU data protection rules. Some sub-processors are located outside the European Economic Area (EEA), in particular in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.
Reference: Hetzner Data Privacy Policy — https://www.hetzner.com/legal/privacy-policy.
Sharing and disclosure
We do not sell your personal data. We share information only as described below:
- On your instructions or with your consent. For example, when you connect a third-party account or invite a teammate.
- With sub-processors listed above, strictly for the purposes for which they are engaged.
- In a change of ownership. If we are acquired by or merged with another company, your data may be transferred as part of that transaction, subject to the protections described in this notice.
- For legal reasons. We may disclose data if we reasonably believe disclosure is required by law, regulation, or legal process, or is necessary to protect our rights, the safety of users, or the public.
- To enforce our agreements and prevent fraud. Including against violations of the Terms & Conditions, abuse of the Service, or criminal activity.
Your data, your responsibilities
When you use the Service to monitor public Telegram chats and to reach out to leads:
- You remain responsible for complying with Telegram’s Terms of Service and with any laws applicable to your outreach (including consumer protection, anti-spam, and data-protection laws in the jurisdictions of the people you contact).
- For lead data that you collect through the Service, you are the data controller and we act as your data processor. A Data Processing Agreement (DPA) is available on request at [email protected].
Data retention
We retain your data for as long as your account is active. You can ask us to delete your account at any time by emailing [email protected]. After deletion, residual copies may remain in encrypted backups for up to 30 days before they are overwritten. Billing and tax records are retained longer where required by Estonian and EU law (typically 7 years for accounting purposes).
Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your data.
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority. The competent authority in our jurisdiction is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — https://www.aki.ee/en).
To exercise any of these rights, email [email protected].
Children
The Service is intended for business users. We do not knowingly collect personal information from anyone under 18 years of age. If you believe we have collected such information, please contact us and we will delete it.
Security
We use industry-standard safeguards to protect your data, including encryption in transit (TLS) and at rest for sensitive fields such as Telegram session strings, hardened authentication (password hashing with a modern KDF, optional bot challenges on login, refresh-token rotation), network-level controls, and audit logging of administrative actions. No system is perfectly secure, but we work continuously to reduce risk and to respond promptly to incidents.
Changes to this notice
We may update this notice from time to time. For material changes, we will notify you by email or through an in-app notice before the change takes effect.
Contact us
If you have questions about this notice or about how we handle your data, email [email protected] or write to:
Grinfi OÜ
Harju maakond, Tallinn, Kesklinna linnaosa
Vesivärava tn 50-201, 10152
Estonia
© 2026 Grinfi OÜ. All rights reserved.