← Home

DAMOSTA Privacy Policy

Version: 1.0 (closed testing) Effective date: April 28, 2026 Last update: April 28, 2026 Data Controller: DAMOSTA (the platform is at the private development stage; the full details of the Controller’s legal entity, country of registration, registration number, and registered address will be specified in an updated edition before the public launch date of the platform) Data inquiries contact: [email protected]

Document status. This edition is issued for closed testing. Access to the Platform is restricted to a list of allowed users. Subject to finalization and verification before the public launch: the full details of the Controller, the necessity of appointing an EU representative and/or DPO, the final list of personal data processors, processing regions, data processing agreements (DPAs), international data transfer mechanisms, and the payment model. Open decisions are listed in docs/legal/launch_checklist.md, part 3.

Preamble

This Privacy Policy (hereinafter — the “Policy”) describes what personal data the Operator collects, how we use it, to whom we transfer it, and how we protect it when you use the DAMOSTA platform (hereinafter — the “Platform”).

The Operator strives for maximum transparency. If anything in the Policy is unclear to you, write to [email protected] and we will explain.

The Policy is drawn up taking into account the requirements of:

  • Regulation (EU) 2016/679 (GDPR) — for users in the European Economic Area and those whose data is processed in the EEA;
  • the Law of Ukraine “On the Protection of Personal Data” — for users in Ukraine;
  • other applicable personal data protection legislation in countries where the Platform is available.

By using the Platform, you confirm that you have read the Policy and understand what data is processed and how.

1. Who processes your data

Controller: DAMOSTA; the full details of the legal entity will be specified after registration — see docs/legal/launch_checklist.md, part 3.1.

A “Controller” is a legal entity or sole proprietor that determines the purposes and means of processing personal data and bears responsibility for its processing.

1.1. EU representative (Article 27 GDPR)

If, based on the analysis of the final structure of the Controller’s registration and the Platform’s targeting in the European Economic Area (EEA), an EU representative under Article 27 GDPR is required, their contact details will be specified here before the moment from which the Platform becomes publicly available to EEA users.

1.2. Data Protection Officer (DPO)

The Controller will assess the obligation to appoint a DPO based on the criteria of Article 37 GDPR (the nature of the core activity, the scale of processing, the categories of data processed). If a DPO is appointed, their contact details will be published in this Policy.

2. What data we collect

2.1. Data from Telegram

When the Telegram Mini App is launched, Telegram may transmit to us the following information through the standard Telegram Web App initData mechanism, depending on Telegram settings, the version of the client, and the fields actually available:

  • Telegram ID — the numeric identifier of your Telegram account;
  • First name;
  • Last name, if it is specified in Telegram;
  • Username, if it is specified in Telegram;
  • Language code (language_code) — the language set in Telegram settings;
  • Profile photo URL in Telegram, if it is transmitted by Telegram in the available fields;
  • other technical profile or interaction signals (for example, the Telegram Premium indicator or an indicator that you have allowed the bot to send you private messages), if Telegram transmits them within the Mini App.

We do not receive from Telegram your phone number, your email, your password, or other authentication tools. Telegram transmits the information to us automatically at the moment the Platform is launched.

2.2. Email address and mandatory verification for Owners

For Users in the role of Business Owners, we additionally process:

  • the email address specified by the User when creating the first Business;
  • the fact and date of email confirmation through a verification code sent by our transactional provider (Resend);
  • the link between the email address and the Telegram ID — for the purposes of identifying the User in formal communications.

Email is used as a formal communication channel and is mandatory for creating a Business. Without a confirmed email, the function of creating a Business is not available.

For Users in the role of Customer, an email is not requested at the moment of mere browsing of the Platform. Email becomes mandatory when performing formal actions that require identification.

2.3. Data you provide yourself

You may voluntarily inform us of:

  • information about a Business: name, description, category, sales direction, photographs, address, working hours, contact details (including phone, email, links to websites and social networks);
  • settings and preferences (for example, an interface language different from Telegram);
  • messages you send to the support service;
  • other information that you voluntarily publish on the Platform.

2.4. Technical data

We automatically collect technical information about your interaction with the Platform:

  • IP address — for security purposes, protection from attacks, request rate limiting, verification of compliance with territorial restrictions (section 3.4 of the Terms of Use);
  • device type, operating system, Telegram client version, Platform version — for compatibility and diagnostics;
  • date and time of interaction with the Platform;
  • actions on the Platform (transitions between screens, button clicks, errors, performance) — in anonymized or pseudonymized form, where technically possible;
  • error logs — technical messages about errors arising during the operation of the Platform.

Terminological clarification. We may process technical and product events of Platform usage, including transitions between screens, button clicks, errors, performance, and compatibility information, in anonymized or pseudonymized form, where technically possible. If such information may be linked to an Account, Telegram ID, IP address, device, or session, it is considered personal data and is processed in accordance with this Policy.

2.5. Payment data

If you pay for the Platform’s paid features, payment is processed by external payment providers. The specific provider will be specified in section 4 of this Policy after finalization of the payment model (see docs/legal/launch_checklist.md, part 3.5).

We do not store full payment card numbers, CVV codes, or other details transmitted in the course of payment. We may receive from the payment provider only the information necessary for payment accounting, depending on the chosen payment model:

  • the fact and amount of payment;
  • the transaction identifier;
  • the payment status;
  • the subscription plan and payment period;
  • limited information about the payment instrument, if it is provided by the provider and required for display to the User or for accounting;
  • information for accounting and tax reporting.

2.6. Document acceptance logs

When you accept the Terms of Use, the Platform Rules, or this Policy, the Platform records:

  • the version of the accepted document;
  • the date and time of acceptance (UTC);
  • your Telegram ID;
  • the IP address;
  • the hash (SHA-256) of the accepted text;
  • an indicator of whether the acceptance is a test acceptance (during the closed testing period) or a real legal acceptance (after the public launch).

The logs are kept for the period established by law, but no less than 3 (three) years after termination of the Account. The logs are an exception to the right to deletion under Article 17(3)(e) GDPR — necessary for the establishment, exercise, or defense of legal claims.

2.7. Email address and referral attribution in the waiting list (waitlist)

If you left your email in the “Waiting list” form on damosta.com or in the closed testing banner in the Mini App, we process the following categories of data:

  • the email address you entered in the form;
  • the interface language code (locale) in which you interacted with the form — to send the confirmation email in the corresponding language;
  • the date and time of expressing consent to receive a public launch notification — to document consent within the meaning of Article 7 GDPR;
  • the source of the request (website page, Mini App banner, or another entry point) — to assess the effectiveness of communication channels;
  • the referral code through which you came to the form, if applicable — for the purposes of the referral program (Section 7.9 of the Terms of Use);
  • the personal referral code generated by the Platform exclusively after confirmation of your email through a two-step procedure (double opt-in) in accordance with Section 7.9.2 of the Terms of Use — for your subsequent participation in the referral program.

Separately, for the purposes of preventing automated abuse of the request form (anti-abuse rate-limiting), the Platform maintains a technical request submission record containing a hash of the IP address (HMAC-SHA256 with a non-public salt), minimal technical indicators of form submission, and a timestamp. This record is generated independently from the waiting list request, stored separately from it (see Section 6), and is not used for purposes unrelated to protecting the form from abuse.

Distinction from the Business Owner’s email. Confirmation of an email in the waiting list does not constitute creation of an Account, registration of a Business, or confirmation of the Business Owner’s email within the meaning of Section 4.4 of the Terms of Use. An email left in the waiting list is not used as a formal communication channel with the Business Owner and does not create a link with a Telegram ID until the relevant person independently completes Business registration with confirmation of the same email through the procedure described in Section 2.2 of this Policy.

You have the right to withdraw your consent to participate in the waiting list at any time by sending a request to [email protected]. Withdrawal of consent results in deletion of your email address and related waiting list data within a reasonable period not exceeding 30 (thirty) calendar days, except for minimal records retained to confirm referral attribution (Section 7.9 of the Terms of Use), comply with legal obligations, or defend legal claims.

2.8. Cookies and local storage

The Platform uses a limited set of cookie files and browser local storage mechanisms. We do not use cookies for advertising tracking, cross-site profiling, transferring data to advertising networks, or any other purposes beyond the functional tasks expressly described below.

Current set of cookies and similar technologies used:

Technology Purpose Category Lifetime Condition for setting
Cookie dps_ref Storing the referral code through which the user came to the website, for the subsequent correct allocation of a bonus to the referral program participant (Section 7.9 of the Terms of Use) Functional / referral attribution 30 (thirty) calendar days from the first visit via the referral link Set only after the user’s explicit consent requested in a banner shown exclusively when accessing the website through a link with a referral code. If consent is not given, the cookie is not set and referral attribution is not applied. If the cookie is already set and has not expired, a subsequent visit through another referral link does not overwrite the existing attribution. The user’s consent applies within the lifetime of the set cookie.
Local Storage dps-site-theme Remembering the website theme selected by the user (light / dark) Strictly necessary — required to apply the user’s display preferences Stored until explicitly deleted by the user through browser settings Set when the user first changes the theme. Does not require separate consent because it is used exclusively to provide the setting requested by the user to the extent permitted by applicable cookie law, including requirements implementing Article 5(3) of Directive 2002/58/EC.
Local Storage dps-cookie-consent Storing the user’s choice regarding the dps_ref cookie (accepted / declined), so that the consent banner is not shown again Strictly necessary — required to implement the user’s expressed choice regarding cookies Stored until explicitly deleted by the user through the “Manage cookies” link at the bottom of the website or through browser settings Set when the user clicks either button in the consent banner. Does not require separate consent because it is used exclusively to implement the user’s choice regarding cookies to the extent permitted by applicable cookie law, including requirements implementing Article 5(3) of Directive 2002/58/EC.

The user may change their choice regarding the dps_ref cookie at any time through the “Manage cookies” link placed at the bottom of any website page. Opening the relevant panel does not reload the page and does not set any new cookies before an explicit action by the user. Disabling the dps_ref cookie does not affect the ability to use the Platform or submit a request to the waiting list, but it results in loss of referral attribution — the referral invitation through which the user came to the website will not be counted in the referral program.

If new cookies or other similar technologies are added, this section will be supplemented with their purpose, category, lifetime, and condition for setting.

2.9. Web analytics

The Platform uses the self-hosted web analytics service Umami, deployed on our own infrastructure in the European Union. We chose a self-hosted solution with a minimal feature set because it allows us to understand the aggregated picture of Platform usage without creating individual profiles, without using cookies, and without transferring data to external analytics providers, advertising networks, or data brokers.

What we collect. Analytics collects only aggregated technical information about visits to the Platform and interaction with pages:

  • event type (as of the effective date of this version — see the list of categories below);
  • country (at country level, without precise coordinates or geolocation);
  • device type (desktop / tablet / mobile);
  • browser and operating system;
  • referrer (the previous page from which the visitor arrived);
  • UTM tags, if they are present in the URL.

The IP address may be technically processed during the request solely to determine the country at country level and is not stored in the analytics database as part of the event.

List of event categories as of the effective date of this version:

Category Meaning
Page view the fact that a page was opened (URL without query parameters that may contain personal data)
Waitlist form view the page with the form for joining the waiting list was opened
Waitlist form submission technical result: submission attempt, success, validation error (without disclosing the exact error code), delivery error
Email confirmation opening the confirmation landing page, clicking the confirmation button, viewing the successful confirmation page
Interface language change the user changed the locale
Appearance theme change the user switched the light/dark theme
Main CTA click click on the main call-to-action buttons
Navigation link click click on links in the footer or site header
Pricing plan view a specific pricing plan block entered the visible area of the screen
FAQ question opening the user expanded a specific question in the frequently asked questions list

No event contains the user’s name, email address, telegram_id, phone number, referral code, payment status, form field contents, exact text of error messages that could contain personal data, or any other identifiers of a specific person. This is an invariant of the analytics architecture, documented in our internal technical documentation.

New events may not contain personal data or identifiers of a specific person. Any material change to the composition of analytics is reflected in an updated version of this section.

What we do NOT collect. Analytics does not receive or store:

  • users’ email addresses;
  • Telegram ID, telegram username, names from a Telegram profile;
  • phone numbers;
  • IP addresses as part of an event (the IP may be processed “on the fly” solely to determine the country);
  • contents of form fields;
  • contents of private messages;
  • payment data;
  • biometric data, health data, and other special categories;
  • personal identifiers (account ID, business ID, referral code);
  • precise geolocation (city, coordinates).

We do not use analytics for advertising profiling, cross-site tracking, creating user profiles, making automated decisions that produce legal or similarly significant effects, or transferring data to advertising networks.

Events related to accepting or declining cookies are not transferred to web analytics; the user’s choice is stored locally in the browser (see § 2.8).

Legal basis for processing. The legal basis for processing web analytics data is the operator’s legitimate interest (Art. 6(1)(f) GDPR) — the interest in understanding the aggregated audience of the Platform for its development and service improvement. We consider that, under these conditions, the legitimate interest of the Operator is not overridden by the rights and freedoms of data subjects: the scope of data is minimized, cookies are not used, individual profiles are not created, and data is not transferred to external analytics providers or advertising networks.

Cookies and other technologies for storing information on the device. Because web analytics does not use cookies, local storage, or other mechanisms for storing or reading information from the user’s device for analytics purposes, separate consent under Article 5(3) of Directive 2002/58/EC is not requested for such analytics.

Retention period. Web analytics data is stored for 180 (one hundred eighty) calendar days from the moment of collection. After this period, the corresponding records are automatically deleted from the analytics database. This period was chosen as the minimum sufficient period for understanding seasonal trends in Platform usage while minimizing storage risks.

Data transfer. Analytics is deployed on our own infrastructure within the European Union. Web analytics data is not transferred to external analytics providers, advertising networks, or data brokers, is not sold, and is not used for behavioral advertising. Processing may be carried out by our infrastructure providers only within the limits described in § 4 of this document.

Respect for Do Not Track. We respect the standard browser header Do Not Track (DNT). If your browser sends the DNT: 1 header, the web analytics script is not initialized on Platform pages and no data about your interaction is collected.

Territorial availability of the service. Certain interactive functions of the Platform may be technically unavailable from territories that are not among the Platform’s serviced markets, in accordance with the Terms of Use and Platform Rules. Such restrictions may be applied at the CDN/WAF level. Minimal CDN/WAF security logs (timestamp, IP address, country, firewall decision) may be generated for infrastructure protection purposes. This is a separate layer from web analytics; such logs are not used for advertising profiling or web analytics.

Your rights regarding web analytics data. Because web analytics does not store individual identifiers, exercising the right of access to specific records that relate to you personally is technically impossible — there is no link in the system between an event record and a specific person. At the same time, you have the right to:

  • object to processing based on legitimate interest (Article 21 GDPR) — in this case, we recommend enabling the Do Not Track header in your browser settings, which will automatically exclude your interaction from tracking;
  • receive additional explanations regarding the processing by contacting our support service at: [email protected];
  • lodge a complaint with the competent personal data protection authority in your jurisdiction.

Changes to event composition. A material change to the composition of web analytics, the addition of new event categories, or a change in the architecture of the analytics service is reflected in an updated version of this section. The list of categories above is valid as of the effective date of this version of the document.

2.10. Data we do NOT collect

We do not collect:

  • your precise GPS location (unless you have manually specified the address of a Business);
  • information about your other actions outside the Platform;
  • your contacts in Telegram, correspondence in Telegram, or other information beyond what Telegram transmits to us within the Telegram Mini App;
  • biometric data;
  • health data;
  • information about racial and ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, sexual orientation (except in cases where you voluntarily publish such information as part of a Business — but we do not recommend doing so).

3. Why we process data (purposes and legal bases)

In accordance with Article 6 GDPR, any processing of personal data must have a legal basis. Below we specify, for each processing purpose, the corresponding basis.

3.1. Provision of the Platform’s functions

What we process: Telegram ID, first name, username, photo, language, Owner’s email, Business Content, technical data.

Why: to create your Account, to give you the ability to create and manage a Business, to display your Business to other Users, to provide a formal communication channel with Owners through email.

Legal basis (GDPR): Article 6(1)(b) — performance of a contract (the Terms of Use).

3.2. Security and protection from abuse

What we process: IP address, action logs, technical data, information about suspicious activity, connection metadata for verifying territorial restrictions (section 3.4 of the Terms of Use).

Why: to detect and prevent fraud, cyberattacks, violations of the Rules, to protect the Platform and other Users; to control compliance with sanctions law and the territorial restriction concerning the Russian Federation/Belarus.

Legal basis: Article 6(1)(f) — our legitimate interest in ensuring the security of the Platform and protecting Users; Article 6(1)(c) — performance of a legal obligation regarding compliance with sanctions regimes.

3.3. User support

What we process: the content of your inquiries, your contact details.

Why: to answer your questions, process complaints, and handle support-related issues.

Legal basis: Article 6(1)(b) — performance of a contract and preparation for it.

3.4. Improvement of the Platform

What we process: pseudonymized information about actions on the Platform, technical information, error logs.

Why: to improve functionality, fix errors, measure performance.

Legal basis: Article 6(1)(f) — legitimate interest in the development and maintenance of the Platform’s operability.

3.5. Error and performance monitoring

We may use error, stability, and performance monitoring services to detect failures, diagnose problems, protect security, and improve the operation of the Platform. Such services may receive technical data, error logs, information about the device, the version of the client, the time of the event, and limited context of the action during which the error occurred. The specific monitoring service is specified in section 4 of this Policy.

Error monitoring services are or will be engaged as processors under Article 28 GDPR. Before the public launch, the Controller will verify and record the corresponding data processing agreements (Data Processing Agreements), processing regions, and international transfer safeguards, if applicable. We do not use this data for advertising profiling and do not transfer it to data brokers.

3.6. Legal obligations

What we process: information mandatory for retention under applicable law (accounting and tax reporting, document acceptance logs, payment information).

Why: to comply with mandatory legal requirements.

Legal basis: Article 6(1)(c) — performance of a legal obligation.

3.7. Protection of rights and legal claims

What we process: information related to disputes, claims, suits.

Why: to establish, exercise, or defend our legal rights; to consider complaints; to respond to requests from state authorities.

Legal basis: Article 6(1)(f) — legitimate interest.

3.8. Service notices and marketing

Service notices. We may send you messages necessary for the operation of the Platform: changes to the Terms, the Policy, or the Rules; security notifications; restoration of access; response measures; payments; and other legally or technically significant notifications.

Legal basis: Article 6(1)(b) GDPR — performance of a contract; Article 6(1)(c) GDPR — performance of a legal obligation; Article 6(1)(f) GDPR — legitimate interest in maintaining the security and proper operation of the Platform.

Marketing messages. We may send information about new features, updates, or offers of the Platform only to the extent permitted by applicable law and with the possibility of opting out of such messages.

Legal basis: Article 6(1)(a) GDPR — consent, if required; or Article 6(1)(f) GDPR — legitimate interest in informing existing users about related features of the Platform, if such informing is permitted by law.

You have the right to opt out of marketing messages at any time (see section 7). Opting out of marketing does not affect the receipt of service notices, security notices, or legally significant notifications.

3.9. What we DO NOT use your data for

  • we do not sell your personal data to third parties;
  • we do not use your data for targeted advertising outside the Platform;
  • we do not transfer your data to data brokers, advertising networks, or profiling services;
  • we do not profile you for the purpose of automated decisions with legal consequences (see section 9).

3.10. Informing about the public launch of the Platform (waiting list)

What we process: email address, locale, consent date, request source, referral code, personal referral code, as well as the fact and date of email confirmation through a two-step procedure.

Separately, within the anti-abuse record, — IP address hash and minimal technical indicators of form submission.

Why:

(a) to send the user a one-time notification about the public launch of DAMOSTA to the specified email address;

(b) to provide the user with a personal referral code for participation in the referral program in accordance with Section 7.9 of the Terms of Use, if the user has confirmed their email through a two-step procedure;

(c) to correctly account for referral attribution if the user joined the waiting list through someone else’s referral link and gave consent to set the dps_ref cookie;

(d) to protect the request form from automated abuse, including mass submissions and attacks on the deliverability of the email channel, applying data minimization and a limited storage period for technical indicators.

Legal basis:

Article 6(1)(a) GDPR — the user’s explicit consent, expressed by an active action (entering an email address and clicking the relevant button in a form with a clearly stated purpose), with respect to processing the email address, locale, fact of consent, request source, and referral attribution;

Article 6(1)(f) GDPR — the Platform’s legitimate interest in ensuring the security of the request form, preventing mass automated abuse, and protecting deliverability of the email channel, with respect to the IP address hash and technical metadata of the request submission. The measures applied — pseudonymization of the IP address by means of HMAC-SHA256 with a non-public salt, separate storage from the waiting list request, limited storage period, and no use for purposes unrelated to anti-abuse rate-limiting — ensure the proportionality of processing to the stated purpose and the balance between the Platform’s interests and the rights of the data subject.

The user has the right to withdraw consent to participate in the waiting list at any time in the manner described in Section 2.7 of this Policy, without the need to provide reasons and without adverse consequences for the ability to use the Platform in the future.

4. To whom we transfer data

4.1. Processors acting on our instructions

We engage third-party service providers (processors in GDPR terminology) who process data exclusively in accordance with our instructions and in our interests.

For closed testing, the current technical stack and expected categories of processors are listed below. Before the public launch, the Controller will verify and record the final details of processors, processing regions, the existence of DPAs, SCCs, or other necessary international transfer safeguards.

Current composition of processors (as of the date of the latest update of the Policy):

Category Provider Country of jurisdiction / server location Processing agreement / safeguards
DNS, proxy, routing of incoming emails, hosting of the public web page Cloudflare, Inc. USA (HQ); global network, EU centers available Subject to verification and recording before public launch
Hosting of backend and databases DigitalOcean, LLC USA (HQ); servers in Frankfurt (FRA1, Germany) Subject to verification and recording before public launch
Transactional email and SMTP sending on behalf of the domain Resend (Resend, Inc.) USA (HQ); processing region eu-west-1 (Ireland) Subject to verification and recording before public launch
Error and performance monitoring Sentry (Functional Software, Inc., d/b/a Sentry) USA (HQ); region sentry.io/eu (Ireland/Germany) Subject to verification and recording before public launch
Payment operations (for paid plans) Will be specified after finalization of the payment model — see docs/legal/launch_checklist.md, part 3.5 TBD TBD
Legal, accounting, and audit consultants As needed According to the consultant’s jurisdiction Confidentiality agreements

Before the public launch, data processing agreements (Data Processing Agreement, DPA) will be concluded with all permanent processors, obliging them to comply with GDPR standards.

4.2. Telegram

Telegram Messenger Inc. itself collects certain information about your interaction with the bot and the Mini App in accordance with its own privacy policy. Telegram is not our processor — it is an independent controller of its own data. If you wish to learn what Telegram collects, refer to the Telegram Privacy Policy.

4.3. Disclosure required by law

We disclose personal data:

  • upon a mandatory request from a competent state authority (court, prosecutor’s office, police, tax authorities, and others) — to the extent expressly provided by applicable law;
  • to protect the life and health of people in emergency situations;
  • to prevent and suppress crimes;
  • to protect our legal rights in judicial, administrative, and other proceedings;
  • to comply with sanctions law and laws on counteracting money laundering and the financing of terrorism.

In such cases, we strive to disclose the minimum necessary scope of information and, where permitted by law, notify the affected User.

4.4. Transfer in case of reorganization

In the event of merger, acquisition, sale of business, reorganization, or bankruptcy, we may transfer personal data to a new owner or successor. In such case, we will notify Users in advance, and the new owner will be obliged to ensure a level of protection no lower than that established by this Policy.

4.5. To whom we do not transfer data

We do not transfer your data to:

  • advertisers;
  • data brokers;
  • other platforms for commercial purposes;
  • other Users, except in cases where the Users themselves voluntarily publish information as part of a Business.

5. Where we store data

5.1. Primary storage

The servers on which Users’ data is hosted are located in Germany (Frankfurt, the DigitalOcean FRA1 data center). When choosing a hosting location, we give priority to jurisdictions with reliable personal data protection and standards equivalent to those of the EU.

In addition, certain categories of data may pass through the infrastructure of:

  • Cloudflare (a global proxy and DNS network with the possibility of routing through EU centers);
  • Resend (region eu-west-1, Ireland) — for transactional emails;
  • Sentry (region EU, Ireland / Germany) — for error logs.

5.2. International transfer

If, in the course of the Platform’s operation, data is transferred to a country outside your jurisdiction (for example, for users in the EEA — outside the EEA through infrastructure partners with global presence), we ensure proper safeguards:

  • transfer to countries recognized by the EU as ensuring an adequate level of protection (adequacy decision);
  • Standard Contractual Clauses (SCC) approved by the European Commission;
  • other mechanisms provided by Chapter V GDPR.

If a provider has a head office or group companies outside the EEA, access to data or support services may, in certain cases, be carried out from outside the EEA, even if the primary storage region is chosen in the EU. In such cases, we apply the corresponding safeguards provided by Chapter V GDPR, including SCCs and additional technical and organizational measures, if they are necessary.

The list of current international transfers and applicable safeguards is available upon request at [email protected].

6. How long we store data

The retention periods listed below are baseline retention periods for closed testing and may be refined before the public launch depending on the chosen jurisdiction of the Controller, the payment model, and tax and accounting requirements. If the law requires a longer retention period or the data is needed for a dispute, investigation, or defense of rights, we keep them for the necessary period.

Data category Retention period
Basic Account data (Telegram ID, name, language) While the Account is active; after deletion — up to 30 days in the primary database, up to 90 days in backup copies
Owner’s email and the link with Telegram ID While the Account is active; after deletion — up to 30 days (subject to exceptions if the email appears in document acceptance logs)
Business Content While the Business is active; after deletion — up to 30 days (after that — anonymization or deletion)
Action logs and technical logs Up to 12 months (for security and diagnostic purposes)
Logs of acceptance of the Terms, Rules, and Policy No less than 3 years after termination of the Account (for protection in possible disputes)
Payment information and financial reporting Within the periods provided by applicable tax and accounting law (as a rule, 3–7 years)
Correspondence with support Up to 2 years from the moment the inquiry is closed
Information related to incident investigations or active disputes Until the relevant proceedings are completed and the appeal periods have expired

After the periods have expired, the data is deleted or anonymized (brought to a form that does not allow them to be associated with a particular person).

6.1. Waiting list (waitlist) data and related technical records

Unconfirmed requests (email entered by the user, but confirmation through the link in the email has not been completed): stored for 24 (twenty-four) hours from submission and then automatically deleted. The technical confirmation token is stored in hashed form and deleted together with the request.

Confirmed requests with respect to the email address: stored until the public launch date of the Platform and for 30 (thirty) calendar days after the one-time launch notification is sent. After this period, the email address and related identifying data of the waiting list are deleted. If, by the time of deletion, the relevant person has independently completed Business registration with confirmation of the same email address under the procedure described in Section 2.2 of this Policy and Section 4.4 of the Terms of Use, the email address is processed within the lifecycle of the Business Owner’s Account. The remaining waiting list data are deleted in accordance with this section.

Minimal referral attribution records: the user’s personal referral code, information about users invited by them, and information about the referral attribution through which the user themselves joined the waiting list are stored separately for the duration of the corresponding referral bonuses and the period necessary to verify the correctness of their allocation, in accordance with the periods established in Section 7.9 of the Terms of Use, in particular Section 7.9.9, — but not more than 12 (twelve) calendar months from confirmation of the user’s email, unless otherwise follows from applying the bonuses to an active subscription.

Anti-abuse request submission record (IP address hash and minimal technical indicators): stored separately from the waiting list request for 30 (thirty) calendar days from submission and then automatically deleted. The system does not store the original IP address as part of the waitlist request or the anti-abuse record; the hash is used exclusively to match repeated requests within the stated storage period for rate-limiting purposes.

Cookie dps_ref on the visitor’s device: 30 (thirty) calendar days from the time it is set. Local Storage dps-cookie-consent and dps-site-theme: until explicitly deleted by the user through the “Manage cookies” link or browser settings.

Requests to withdraw consent: processed within no more than 30 (thirty) calendar days from receipt, taking into account the exceptions stated above regarding minimal referral attribution records, if at the time of withdrawal such records are necessary to confirm bonuses already allocated or pending allocation in favor of third parties — participants in the referral program.

6.2. Subscription Lifecycle and Data Deletion

The retention periods and the procedure for deleting the Business owner’s personal data, Business entry content and related customer data in the event that the trial period ends without payment for the paid subscription, the paid subscription is cancelled or it is not renewed are described in § 7.4 of the Terms of Use, in particular in the provisions on frozen mode, archive mode, the 90-day retention period, data deletion, exceptions for legally necessary records and sensitive actions available only to the Business owner.

Protective identifiers formed on the basis of the Telegram identifier and email address may be retained for the period necessary to prevent abuse of the trial period and to protect the Operator’s legitimate interests. The email address is not stored in plain form, but is processed as a cryptographic hash. Such retention is based on the Operator’s legitimate interest pursuant to Art. 6(1)(f) GDPR, and hashing the email address is a pseudonymisation measure within the meaning of Art. 4(5) GDPR.

7. Your rights

In accordance with the GDPR (Articles 12–22) and similar provisions of applicable law, you have the following rights with regard to your personal data:

7.1. Right of access (Article 15 GDPR)

You have the right to obtain from us confirmation of whether your data is processed and, if so, a copy of the data being processed and information about the purposes, categories, recipients, retention periods, sources, and existence of automated decision-making.

7.2. Right to rectification (Article 16 GDPR)

You have the right to require correction of inaccurate or incomplete data. Most of the information you can correct yourself through the Platform’s interface.

7.3. Right to erasure (“right to be forgotten”, Article 17 GDPR)

You have the right to require deletion of your data if:

  • the data is no longer needed for the purposes for which they were collected;
  • you withdraw the consent on which processing is based and there is no other legal ground;
  • you object to the processing and there are no overriding legitimate grounds;
  • the data is processed unlawfully;
  • the data is subject to deletion under a mandatory law.

The right to erasure does not apply if storage is necessary for:

  • performance of a legal obligation (for example, tax reporting);
  • the establishment, exercise, or defense of legal claims (including document acceptance logs — section 2.6);
  • public interest in the field of public health;
  • archival, scientific, research, or statistical purposes with proper safeguards;
  • freedom of expression and information.

7.4. Right to restriction of processing (Article 18 GDPR)

You have the right to require restriction of processing in cases where you contest the accuracy of the data, consider the processing unlawful, or the processing is no longer needed by us but is needed by you to defend rights.

7.5. Right to data portability (Article 20 GDPR)

You have the right to receive your data in a structured, commonly used, machine-readable format (for example, JSON or CSV) and to transmit them to another controller.

7.6. Right to object (Article 21 GDPR)

You have the right to object to processing based on our legitimate interests (see section 3). We cease processing unless we demonstrate the existence of overriding legitimate grounds or processing is necessary for the defense of legal claims.

With regard to direct marketing, you have the right to object without any justification, and we will immediately cease processing for these purposes.

7.7. Right to withdraw consent (Article 7 GDPR)

If processing is based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

7.8. Right not to be subject to automated decision-making (Article 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing if such decisions produce legal or other significant effects for you. See section 9.

7.9. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, primarily — with the authority of the country of your habitual residence, place of work, or the place of the alleged violation.

The list of EEA supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

In Ukraine — the Ukrainian Parliament Commissioner for Human Rights: https://www.ombudsman.gov.ua.

7.10. How to exercise your rights

To exercise any of the listed rights, send a request:

  • through the Platform’s interface (for individual functions — Account deletion, data export);
  • to [email protected].

We respond to requests within 30 (thirty) calendar days. In complex cases, this period may be extended by an additional 60 days, with notification to you of the reasons for the extension.

Exercise of rights is free of charge, except in cases of manifestly unfounded or excessive requests (for example, repetitive ones), in which we have the right either to charge a reasonable fee or to refuse fulfillment with justification.

To confirm your identity before fulfilling the request, we may request additional information. If the request is sent from a verified email linked to the Account, this may be taken into account as one of the factors of identity confirmation, but we may request additional verification if the request concerns deletion, export, modification of critical data, or if there is a risk of unauthorized access.

8. Cookies and similar technologies

8.1. What we use

The Platform operates predominantly as a Telegram Mini App, so traditional “cookies” are used to a limited extent. We apply the following technologies for storing information on your device:

  • localStorage and sessionStorage in the Telegram Mini App — for saving language settings, the indicator of acceptance of the Terms, interface caching;
  • technical session identifiers — only for session authorization, without advertising tracking between different services.

We do not use cookies to track you across other applications and websites and do not transfer cookies to third parties for advertising purposes.

8.2. Management

You may clear local storage through the settings of your browser or Telegram. Clearing will result in the need for a repeated language choice and repeated acceptance of the Terms upon the next launch.

9. Automated decision-making and profiling

9.1. What we do

We apply automated processing for:

  • the technical operation of the Platform (for example, displaying Businesses depending on the chosen category and language);
  • detecting abuse (for example, signs of manipulation, spam, fraud);
  • request rate limiting for protection from attacks;
  • verifying compliance with territorial restrictions (section 3.4 of the Terms of Use).

9.2. What we do not do

We do not make automated decisions that produce legal effects for you or otherwise significantly affect you, based solely on automated processing.

Decisions on the application of response measures with significant consequences (permanent blocking of an Account, deletion of a Business) are made with human involvement or are subject to review with human involvement at your request. If you believe that a decision based solely on automated processing has been made about you and you wish it reviewed, contact [email protected].

10. Data security

We apply technical and organizational measures reasonably corresponding to the risks of processing:

  • encryption of transmitted data (HTTPS/TLS);
  • encryption of data at rest to the extent technically achievable by the infrastructure provider;
  • access segregation for employees and contractors on the principle of minimum sufficiency;
  • access logs for sensitive data;
  • backup copying with regular integrity checking;
  • dependency updates and vulnerability auditing;
  • two-factor authentication for administrative accounts;
  • error and incident monitoring through a specialized service with priority of using the EU region, if such region is available and configured;
  • employee training on personal data processing rules (as the team grows).

10.1. Data breach notifications

In the event of a personal data breach that may pose a risk to the rights and freedoms of Users, we:

  • notify the competent supervisory authority within 72 hours of detection (Article 33 GDPR);
  • if the violation poses a high risk — notify the affected Users directly and without unjustified delay at their verified email (Article 34 GDPR);
  • investigate the causes and take measures to prevent recurrence.

11. Children

The Platform is not intended for persons under 18 years of age. We deliberately do not collect data about children. If we learn that data of a person under 18 has been collected through use of the Platform, we delete such data at the earliest opportunity, except for information that needs to be temporarily retained for security, prevention of abuse, or performance of a legal obligation.

If you are a parent or legal representative and believe that your child has gained access to the Platform and provided us with information, contact [email protected] and we will delete the data.

12. Changes to the Policy

We have the right to make changes to the Policy. We notify Owners of Businesses of substantial changes at their verified email no less than 14 calendar days before the changes take effect. Additionally, the changes are published on the Platform. The date of the latest update is indicated at the beginning of the document.

Version history. The current version of the Policy is published at https://damosta.com/privacy. All previous versions are kept and available at permanent links in the version archive at https://damosta.com/privacy/history. Upon request, previous versions of the Policy are provided to you.

13. Jurisdictional reservations

13.1. For users in the European Union

Applicable data protection law: GDPR (Regulation (EU) 2016/679) and national laws of EEA member states. Supervisory authority: specified in section 7.9.

13.2. For users in Ukraine

Applicable law: the Law of Ukraine “On the Protection of Personal Data”. Supervisory authority: the Ukrainian Parliament Commissioner for Human Rights.

13.3. For users in the United Kingdom

Applicable law: UK GDPR and Data Protection Act 2018. Supervisory authority: the Information Commissioner’s Office (ICO).

13.4. For users in other countries

The applicable data protection law of the country of your residence, in the part of its mandatory rules.

14. Languages

The Policy is published in several languages. The Ukrainian-language version is the controlling legal version. Translations are provided for the convenience of Users and do not have prevailing force over the controlling version. If applicable mandatory law of the country of residence of a consumer User requires the provision of the document in the official language of that country or grants the consumer protection regardless of the chosen language, such requirements remain in force in the mandatory part.

15. Contacts

For personal data processing inquiries: [email protected] Exercise of data subject rights: [email protected] Notifications about security incidents: [email protected] EU representative (if applicable, Article 27 GDPR): will be specified after assessment of necessity — see part 1.1 DPO (if applicable): will be specified after assessment of necessity — see part 1.2

Legal details of the Controller: will be specified after registration of the legal entity — see docs/legal/launch_checklist.md, part 3.1.

Appendix A: Brief summary (TL;DR)

If you do not have time to read in full — the essentials:

  1. We receive from Telegram only basic information that Telegram transmits through the Mini App: ID, name, username, language, as well as the profile photo or other technical signals — if such fields are transmitted by Telegram.
  2. For Owners of Businesses, a verified email is additionally required — it is a formal communication channel, mandatory for creating a Business.
  3. We store what you yourself publish as part of a Business (texts, photographs, contacts).
  4. We do not sell your data.
  5. We do not show you third-party advertising.
  6. We do not transfer data to advertising networks.
  7. We store data on servers in Germany (Frankfurt, DigitalOcean).
  8. We use service providers (Cloudflare, DigitalOcean, Resend, Sentry). Before the public launch, the final list of providers, processing regions, and data processing agreements will be verified and recorded.
  9. You have the right to request access to your data, their correction, deletion, or receipt in a file. Write to [email protected] — we will review the request in the manner described in this Policy.
  10. If something has gone wrong — write to [email protected] or complain to the supervisory authority of your country of residence.
  11. If you are under 18 — the Platform is not for you, do not use it.

End of the document “DAMOSTA Privacy Policy”, version 1.0 (closed testing).

All open decisions requiring closure before public launch are listed in docs/legal/launch_checklist.md, part 3.

Archive of previous versions: version history