Privacy Policy

Last updated: June 28, 2026 · Owner: CRgraM Cloud, EU

The short version

CRgraM Cloud is built so that we never see your Telegram data. Each customer runs on their own VPS. Your Telegram session, your messages, your AI keys, your contacts — all live exclusively on infrastructure you control. We cannot read them.

The only data we receive from your deployment is health-only telemetry (uptime, version, error category counts) — and only if you opt in. We do not receive message content, contact names, AI prompts, or attachment data.

We receive business data when you sign up: name, email, billing information (processed by Stripe), and whatever you tell us in support conversations. We use it to operate the service and support you. We don't sell it.

What we collect and why

1. Account data (we are the controller)

  • Name, email, company. Provided when you sign up. Used for billing, support, and account management.
  • Billing information. Processed by Stripe. We never see your full card number — Stripe tokenizes everything.
  • Waitlist applications. Name, email, Telegram handle (optional), industry, message. Used to evaluate fit and contact you about onboarding.
  • Support correspondence. Emails, chat transcripts, support tickets. Used to provide support. Retained for 24 months after your last interaction.

2. Telemetry from your VPS (we are the controller, you opt in)

If you enable health telemetry in your settings, your VPS sends us a heartbeat every 6 hours containing:

  • VPS UUID, software version, update channel
  • Subscription tier and uptime
  • Service health statuses (api/live_sync/ocr/backup)
  • Error category counts (no error content)

We do NOT receive: message content, chat names, contact info, AI prompts or responses, attachment data, tags, partner-state assignments, notes, or any other CRM content.

3. Your Telegram data (we are NOT a controller)

Your Telegram messages, contacts, AI summaries, opportunity detections, partner states, notes, and attachments all live exclusively on your VPS. We are not a data processor for this content because we never receive it, never process it, never store it.

Backups of your VPS are encrypted with a passphrase only you hold. The encrypted blobs live in our Backblaze B2 account, but we cannot decrypt them.

4. Email opens (we are the controller)

We may use a tracking pixel in transactional emails (welcome, billing alerts, support replies) to detect bounces and improve deliverability. We do not use email tracking for marketing analytics.

Sub-processors

We use the following sub-processors. Customer VPS instances additionally use Z.AI or Anthropic (chosen by you) for AI processing — those are YOUR direct vendor relationships, not ours.

  • Stripe — payment processing (PCI-DSS compliant)
  • Backblaze B2 — encrypted backup storage
  • Hetzner or Fly.io — VPS infrastructure for your deployment
  • Resend — transactional email delivery
  • Cloudflare — DNS and edge network for marketing site
  • Fastcomet — hosting for crgram.com marketing site

Your rights

Under GDPR (EU residents) and similar regulations, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and personal data (we will also deactivate your VPS license)
  • Export your data in a portable format
  • Object to processing for specific purposes
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@crgram.com. We respond within 30 days.

Data retention

  • Active customer accounts: retained for the life of the account.
  • Cancelled accounts: business data deleted within 90 days of cancellation. Your VPS data is your responsibility — we cannot delete what we cannot access.
  • Waitlist applications: retained for 12 months, then deleted unless you become a customer.
  • Support correspondence: retained for 24 months after last interaction.
  • Telemetry: aggregated and anonymized after 90 days.

Data residency

Your VPS can be provisioned in EU (Hetzner Nuremberg/Helsinki) or US (Hetzner Falkenstein/Virginia) regions. We respect your choice. EU customers default to EU regions.

Our business data (accounts, billing, support) is stored in EU jurisdictions.

Security

  • All VPS volumes use LUKS full-disk encryption.
  • Session files get additional per-column envelope encryption.
  • Customer backups are zero-knowledge encrypted with Argon2id-derived keys.
  • API keys are stored in mode-0600 env files, never logged, and never transmitted off-VPS.
  • All connections use TLS 1.2+.
  • Source code is AGPL-3.0 — security through transparency.

International transfers

If you are outside the EU, your data may be processed in the EU (our HQ) or in the region you select for your VPS. We use Standard Contractual Clauses for any transfers out of the EU/EEA.

Children's privacy

CRgraM Cloud is not directed at children under 18. We do not knowingly collect data from children. If you believe we have, contact privacy@crgram.com immediately.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to active customers at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

Contact

CRgraM Cloud
EU
Email: privacy@crgram.com
For EU GDPR matters: use the same address as above. We do not have a designated DPO; the founding partner handles data protection.