Privacy Policy

Last updated: 17 May 2026

This policy explains what data CreatorInbox ("we", "the service") collects when you use it, how we use that data, and how you can request its deletion. It supplements Telegram's Mini Apps Terms of Service.

1. Who we are

CreatorInbox is a Telegram Mini App and Business Mode bot that helps creators automate replies to direct messages using a large language model and the creator's own connected data sources. The service is operated by an independent developer (the "operator") and is not affiliated with Telegram Messenger.

2. Data we collect

2.1 Account data (from Telegram)

When you open the Mini App, Telegram passes a signed initData payload to our server. We read and store:

• Telegram user ID — used as your account identifier.
• Telegram username (if set) — used to display your handle in the app.
• Telegram language code — used to pick the interface language (English or Russian).

We do not receive your phone number, email, contact list, or message history through the Mini App.

2.2 Bot configuration data

When you register a bot in the app, we store the bot token you provide, the system prompt you author, your reply mode (draft or auto-send), and your integration configuration. The bot token is used solely to call the Telegram Bot API on your behalf.

2.3 Conversation data (from your bot's incoming DMs)

When a follower sends a DM to a bot you've connected through Telegram Business Mode, our server receives the message via Telegram's webhook so the LLM can draft a reply. We store:

• The incoming message text and a minimal contact record (name, Telegram username, Telegram user ID).
• The generated draft and (if you confirmed it) the reply that was sent.
• A trace of which integrations were called.

Conversation history is retained to maintain context across turns and for your Activity audit log. You can delete it at any time (see Section 7).

2.4 Integration data (third-party services)

When you connect a third-party service (Google Sheets, Notion, Gmail, Calendar, Airtable, HubSpot, Stripe, etc.) the OAuth flow is handled by Composio, our integrations provider. Composio stores the OAuth tokens. We invoke Composio to read or write data on your behalf only when a reply requires it. Each third-party service has its own privacy policy.

2.5 Payment data

• Telegram Stars: Telegram processes the payment and sends us a successful_payment webhook containing a charge ID, amount, currency, and your Telegram user ID. We do not see card or wallet details.
• USD payments (Polar): processed by Polar. We receive a webhook with the order ID, amount, and your Polar customer ID. Polar holds the card data.

2.6 Analytics

The marketing site uses Simple Analytics, a cookieless analytics provider that does not track individuals across sites. The Mini App itself has no third-party analytics.

2.7 Error telemetry

When the Mini App or server encounters an error we capture the stack trace, the URL, and the Telegram user ID associated with the request to diagnose the failure. We do not log message contents in error events.

3. How we use data

• To operate the service — generate replies, run integrations, render the Mini App.
• To send transactional messages to you through the hub bot (payment confirmations, low-balance warnings, subscription renewals).
• To enforce billing and usage limits.
• To investigate abuse, fraud, and security incidents.

We do not sell your data, share it with advertisers, or use your conversation content to train AI models.

4. LLM provider

To generate replies we send the conversation context (system prompt, recent turns, and relevant integration results) to an LLM provider via OpenRouter. The provider processes the request to produce a reply and does not retain it for training under their standard API terms.

5. Data sharing

• Sub-processors: Telegram (Bot API), Composio (integrations), OpenRouter (LLM), Polar (USD payments), Fly.io (hosting), Sentry (error tracking, if enabled).
• Legal requests: we will disclose data only when required by a valid legal order from a competent authority.

6. Data location and retention

Application data is stored in a SQLite database hosted on Fly.io. Backups are retained for up to 30 days.

• Account, billing, and bot configuration: kept while your account is active.
• Conversation history: kept until you delete it or close your account.
• Error telemetry: 30 days.
• Payment records: kept for the period required by accounting law (typically 6 years).

7. Your rights

You can request, correct, export, or delete your data at any time by contacting us (Section 9). For users in the EEA, UK, and similar jurisdictions, the GDPR and equivalent laws give you rights of access, rectification, erasure, restriction, portability, and objection.

8. Children

CreatorInbox is not directed at children under 16. Do not use the service if you are under that age.

9. Contact

For privacy questions, deletion requests, or to exercise the rights above, contact: privacy@creator-inbox.app.

10. Changes

We may update this policy. Material changes will be announced through the hub bot. The "Last updated" date at the top reflects the current version.