Privacy Policy
Last updated: September 22nd 2025
Applies to: “Telegram Calendar Bot”Who we are
- Operator/Publisher: Telegram Calendar Bot
- Website: https://telegramcalendarbot.com/
- Privacy contact: takvimbot@gmail.com
What this policy covers
- This policy explains what personal data the Bot processes, why we process it, how we store and share it, and the choices you have. It also includes the disclosures required for apps that access Google user data via OAuth.
What the Bot does
- You message the Bot in Telegram (e.g., “tomorrow at 2pm meet John”, or send an image). The Bot uses AI to interpret your text or image and then creates a Google Calendar event in the calendar you've selected.
Data we process
From Telegram (you → Bot)
- Message content you send to the Bot (text and, if you choose, images/screenshots used to extract event info).
- Telegram user ID and chat ID processed transiently to respond; we do not retain parsed event text or raw messages after processing.
From Google (via OAuth)
- Your calendar list (to let you pick a calendar).
- Events on the selected calendar only as needed to avoid duplicates and perform edits you request.
- Event write access to create/update events you ask us to create.
Technical/ops data
- Non‑PII operational logs and metrics (e.g., timestamps, status/error codes) used for reliability and abuse prevention. We do not log user IDs or chat IDs.
We do not sell personal data and do not use Google user data for ads or ad targeting. We follow Google’s API Services User Data Policy and Limited Use requirements.
OAuth scopes & why we need them
We request only the minimum scopes necessary for the features you expect:
- https://www.googleapis.com/auth/calendar.calendarlist.readonly — read your list of calendars (so you can choose where to add an event).
- https://www.googleapis.com/auth/calendar.events — create and update events on calendars you can access (to add/edit events you ask for).
These are sensitive scopes and therefore undergo Google’s standard verification; we request the narrowest scopes that enable the described functionality.
AI processing (natural language & images)
To interpret your instructions (and optional images you send), we call OpenAI. We send only the minimum text/image content needed to parse your request into event details. We do not send OpenAI any details about our users, and do not identify user in request.
- Provider: OpenAI API.
- Model training: Per OpenAI’s policy, API inputs/outputs are not used to train models by default; opting‑in is required. We do not opt in.
- Provider retention: OpenAI may retain API inputs/outputs for up to 30 days to operate the service and detect abuse; zero‑data‑retention endpoints exist for qualifying use cases. (This retention is at the provider layer and separate from our storage.)
- Our retention: We do not retain parsed event text or raw messages/images after processing.
Please avoid sending sensitive content unless necessary to fulfill your request.
Authentication tokens (refresh tokens)
When you connect Google, we receive tokens to call the Calendar API for you.
- Storage: Refresh tokens are stored encrypted at rest in our database; encryption keys/secrets are managed in AWS Secrets Manager; the service runs in AWS us‑east‑1.
- Transport: TLS enforced in transit.
- Access controls: Least‑privilege service roles; secrets isolated from code.
- Retention: We keep refresh tokens until you revoke access.
- Deletion: We delete your refresh token when you revoke access or when you request deletion (see “Your controls” below).
Data retention
- Refresh tokens: retained until revoked.
- Parsed event text / raw messages / images: not retained after processing.
- Operational logs: non‑PII only; retained for routine operations for two weeks.
Your choices & controls
- Revoke Google access any time: In your Google Account → Security → Third‑party access, remove the app; this invalidates our tokens.
- Delete your data with us: Send the Telegram command
/delete. We will delete your stored refresh token and any user‑level preferences, and deactivate your access. Telegram will retain your chat history, but we will not have access to it. - Contact: You can also email takvimbot@gmail.com for privacy requests.
Security
We use industry‑standard measures: TLS in transit; encryption at rest for refresh tokens; key material in AWS Secrets Manager; role‑based access; and reasonable monitoring/alerting. We also adhere to Google’s Limited Use rules for Google user data.
International transfers
Processing occurs in AWS us‑east‑1 (United States). If you access the Bot from outside the U.S., your data may be transferred to the U.S. We apply the safeguards required by applicable law.
Children’s privacy
Minimum age: 13+ globally; if you are in the EEA/UK, you must be 16+ (or the age required by your country). The Bot is not directed to children. (Do not use the Bot if you are under the applicable age.)
Changes to this policy
We will update this policy as needed and keep the “Last updated” date current. If changes materially affect how we use Google user data, we’ll obtain any required consent and update our disclosures.