Privacy Policy
Last updated: 2026-06-02
SnapCal is a private Telegram bot + mini-app that turns event screenshots into calendar invites. This page explains exactly what we collect, why, how long we keep it, and how you exercise your GDPR rights.
1. Who is the data controller?
Gediminas Žilius, a sole operator based in Lithuania (EU). Contact: ged.zilius@gmail.com. SnapCal is not a registered company — it is an early-access personal project. Once monetised, this section will be updated to reflect the legal entity.
2. What we collect, and why
| Category | Why we need it | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Telegram user ID, first name, username, language code | Identify you across sessions; greet you in the mini-app; auto-detect UI language (English only for v1.0) | Contract — necessary to deliver the service you requested by sending /start |
| Forwarded content — text, images, documents | Extract the event details you want stored as calendar entries | Contract |
| OCR text from images | Locally extracted from your uploads via Tesseract so we can identify dates and venues | Contract |
| Classifier output — title, intent, event date / time / location, topical tags | Locally generated by Llama 3.2:3b running on the same server; powers calendar export | Contract |
| Pro waitlist email (only if you provide it) | To notify you when SnapCal Pro launches | Consent — withdrawable at any time |
| HTTP request logs (IP address, URL, status code, user agent) | Operational debugging, abuse detection, rate-limit enforcement | Legitimate interest — kept for 14 days, then rotated out |
| Error reports (Sentry) | Diagnose crashes — message, file path, line number, tenant ID. Request bodies, cookies, headers, and IP addresses are stripped before sending. | Legitimate interest |
3. Cookies
SnapCal sets exactly one essential cookie on the mini-app:
snapcal_sess — opaque signed token containing only your Telegram user ID. HttpOnly, Secure, SameSite=None. 90-day TTL so the PWA Share Target works between Telegram sessions.
No analytics, advertising, or third-party tracking cookies are set. The cookie consent banner asks you to accept this single essential cookie before any session is issued.
4. Sub-processors
SnapCal runs end-to-end on infrastructure we operate directly:
- Hostinger — VPS hosting in Frankfurt, Germany (EU).
- Backblaze B2 — encrypted database + media backups, EU-Central region. Only backup snapshots leave the primary VPS; never live traffic.
- Sentry (Functional Software Inc.) — error reporting, EU region (Frankfurt). Configured to strip request bodies, cookies, headers and IP addresses before submission.
- Telegram — message transport. Your messages to the SnapCal bot pass through Telegram's servers per their own privacy policy.
No data is sent to OpenAI, Anthropic, Google AI, or any other third-party LLM provider. The classifier (Llama 3.2:3b) and OCR engine (Tesseract) both run locally on our VPS.
5. Retention
- Your notes, images, classifier output, OCR text: kept until you delete them (or your account) — there is no automatic expiry.
- Backups in B2: rolling 30-day retention. A deleted note disappears from backups within 30 days.
- Local backup snapshots on the VPS: rolling 7-day retention.
- HTTP logs: 14 days.
- Error reports (Sentry): 30 days (Sentry free-tier default).
- Waitlist emails: kept until you ask to be removed or Pro launches and you decline.
6. Your rights (GDPR)
- Access (Art. 15) & portability (Art. 20): send the bot /export_data for an instant JSON + media ZIP of everything we hold on you.
- Erasure (Art. 17 — "right to be forgotten"): send the bot /delete_account DELETE to permanently wipe all notes, images, OCR text, classifier output, reminders, waitlist row and the session cookie. Backups containing the deleted data are rotated out within 30 days.
- Rectification (Art. 16): use the bot's /edit_title, /edit_date, /edit_time, /edit_location commands.
- Withdraw consent (Art. 7): reply with the email change command or email us to remove waitlist consent. Erasure of the account removes all consent records.
- Complaint (Art. 77): if you believe SnapCal is mishandling your data you may complain to the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).
7. Security
- All traffic over TLS 1.3 (Let's Encrypt, auto-renewed).
- Telegram WebApp authentication via HMAC-SHA256 against the bot token.
- Multi-tenant isolation: every database query is scoped by your Telegram user ID; cross-tenant access is structurally impossible.
- Per-tenant media paths; the media fetcher rejects any path that doesn't start with your tenant ID.
- Off-host nightly backups to Backblaze B2 (EU); 30-day retention.
8. Children
SnapCal is not directed at users under 16. If you are under 16, do not use SnapCal without parental consent. If we become aware of an under-16 user we will delete the account.
9. Changes to this policy
Material changes will be announced via the bot before they take effect. The Last updated date at the top reflects the current version.
10. Contact
Privacy questions: ged.zilius@gmail.com
Or message the bot: @snapcalendar_bot