The essentials
ETOCHATBOT operates in the Russian Federation in strict compliance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" ("152-FZ"). The Operator is listed in the Register of Operators Processing Personal Data under registration number 16-25-027399 (entry in the Roskomnadzor Register).
We collect the minimum amount of data needed to deliver the service. We don't share it with ad networks, don't sell it to third parties, and don't use it for anything unrelated to running the service.
1. Terms and definitions
- Operator — sole proprietor Dmitry Yuryevich Kiselev, taxpayer ID 165720128759, state registration number OGRNIP 323169000141965 (full details on the Operator details page).
- Service — the ETOCHATBOT software and hardware platform, accessible at https://etochat.bot and through the dashboard at /panel.
- User — an individual, legal entity, or sole proprietor who has registered for the service.
- End customer — a third party who contacted a chat bot connected by the User.
- Personal data (PD) — any information relating to a directly or indirectly identified or identifiable individual (Article 3, clause 1 of 152-FZ).
- Personal data processing — any action or set of actions on personal data, as listed in clause 3 of Article 3 of 152-FZ.
2. Legal grounds for processing
The Operator processes personal data on the following legal grounds under Part 1, Article 6 of 152-FZ:
- Data subject's consent (clause 1) — given on registration (see the Personal data processing consent).
- Contract performance (clause 5) — delivery of the service under the Public offer.
- Legitimate interests (clause 7) — keeping the service running and secure (access logs, anti-fraud).
- Performance of statutory duties (clause 2) — accounting and tax records (Tax Code of the Russian Federation), responses to lawful requests from government authorities.
3. Categories of data subjects and the data processed
3.1. Service Users
- Full name (if provided on registration or in profile settings).
- Email address, mobile phone number (optional).
- A password hash (the original password can't be recovered).
- Legal entity or sole proprietor details — when signing a contract.
- Service usage data: action timestamps, IP address, browser type, session ID.
- Limited payment data: card type, last 4 digits. The Operator does not receive or store the full card details.
- Keys and tokens of connected bots — stored in encrypted form.
3.2. End customers of Users
When an end customer writes to a User's bot, their data flows into the Service. The Operator processes the following data of end customers:
- User identifier on the corresponding chat channel.
- Username, display name, profile photo — if provided by the channel.
- Message contents and media sent to the bot.
- Message metadata: time, delivery status, identifiers.
In this part of the processing, the Operator acts as a data processor on the User's instructions (Part 3, Article 6 of 152-FZ). The conditions of those instructions are spelled out in the Data processing agreement (DPA). The User is solely responsible for the lawfulness of collecting end-customer data and for having legal grounds to process it.
3.3. Support requests
When you contact support, the Operator processes the User's email or other contact details, the request text, and any attached files — solely to resolve the issue.
4. Purposes of processing
- Registration and identification of the User in the service; providing access to the features.
- Delivery of services under the Terms of service and the Public offer.
- Exchanging messages between the User and their end customers.
- Settlements, invoicing, generating closing documents, tax accounting.
- Notifying the User about service status, plan changes, scheduled maintenance.
- Supporting the User on service-related questions.
- Ensuring information security (logs, abuse protection).
- Analyzing service operation in anonymized form to improve the product.
- Meeting the requirements of Russian law.
5. Processing principles (Article 5 of 152-FZ)
- Lawfulness and fairness: processing is carried out only on lawful grounds.
- Purpose limitation: personal data is processed only for the purposes stated in this Policy.
- Minimization: the scope of personal data processed matches the purpose.
- Accuracy: the Operator keeps the data accurate and updates it on a subject's request.
- Storage no longer than needed: retention periods are listed in section 9.
- Security: technical and organizational protection measures are applied (section 8 and Security measures).
6. Processing methods and localization
Personal data is processed both with automated tools (on server infrastructure located in data centers in the Russian Federation, in line with Part 5, Article 18 of 152-FZ) and without them — when data is entered manually into the interface or printed out.
Localization: initial collection and subsequent storage of personal data of Russian Federation citizens take place exclusively in databases located in Russia.
7. Sharing data with third parties
The Operator shares personal data with third parties only in the following cases:
- Acquiring bank / payment aggregator — for processing payments. The data shared includes: payer's name (for legal entity payments), email, amount, order number.
- Hosting provider (Russian Federation) — for hosting the server infrastructure. The hosting provider is bound by a confidentiality agreement and does not have access to the database contents.
- Russian government authorities — on a lawful request (Roskomnadzor, Federal Tax Service, Ministry of Internal Affairs, courts).
- Auditors and consultants — under a non-disclosure agreement (NDA), when a compliance review is needed.
The Operator does not share personal data with ad networks or marketing agencies, does not sell it to third parties, and does not use it to build advertising profiles.
8. Data security
In accordance with Article 19 of 152-FZ and the requirements of Government Decree No. 1119 of November 1, 2012 (which defines the personal data protection levels), the Operator applies the following measures:
- Technical measures: TLS 1.2+ for all connections; cryptographic hashing of user passwords; encryption of sensitive fields; network segmentation; firewalls; antivirus protection; regular OS and application updates.
- Organizational measures: a limited set of people with access to personal data; individual accounts; access logging; employee training; a removable-media policy.
- Backups: daily encrypted backups with limited retention (see section 9).
- Incident response: a procedure for notifying Roskomnadzor within 24 hours and data subjects within 72 hours in case of a personal data breach (Part 3.1, Article 21 of 152-FZ).
Read more on the Security measures page.
9. Retention periods
- User account — for the entire period the service is used, plus 30 calendar days after deletion (in case of restoration).
- Messages and media in conversations — for the entire period the connected bot is active. After the bot is disconnected — 12 months, then automatic deletion.
- Payment documents and primary accounting records — 5 years (Article 29 of the Federal Law "On Accounting", clause 317 of the Standard Archival Records List approved by Rosarkhiv Order No. 236).
- Security logs — 90 calendar days.
- Personal data processing consents and their withdrawals — 5 years from receipt / withdrawal.
- Database backups — up to 30 calendar days, then overwritten.
10. Data subject rights
Under Article 14 of 152-FZ, a data subject has the right to:
- Receive confirmation that their personal data is being processed, along with information about the operator, the purposes, methods, and timelines of processing, the list of personal data being processed, and its source.
- Receive a copy of the personal data being processed (subject to the limits of Part 8, Article 14 of 152-FZ).
- Request the clarification, blocking, or destruction of personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated purpose of processing.
- Withdraw consent to personal data processing (Part 2, Article 9 of 152-FZ). After withdrawal, the Operator stops processing the data or destroys it, except in the cases set out in Part 5, Article 21 of 152-FZ (for example, tax documents).
- Appeal the Operator's actions or inaction to Roskomnadzor or through the courts.
Send requests to info@etochat.bot with "Personal data request" in the subject line. Response time: 10 business days for clarifying information and 30 calendar days to provide a copy of the personal data (Parts 1 and 2 of Article 20 of 152-FZ). The Operator may request identification documents to verify the subject's identity.
For convenience, a self-service deletion option is also available — see Data deletion.
11. Cookies and similar technologies
The service uses cookies and similar technologies (localStorage) for technical operation (sessions, sign-in, interface preferences) and for anonymized traffic analytics. Read more in the Cookie policy.
12. Minors
The service is not intended for use by anyone under 18. Read more on the Age policy page.
13. Changes to the policy
The Operator may amend this Policy. Material changes are published 14 calendar days before they take effect, with notice to Users by email and in their dashboards. The current version is always available at /privacy; the date of the current version is shown at the top of the document.
14. Contact information
For any questions about personal data processing, contact the Operator:
- Email: info@etochat.bot (subject: "Personal data request").
- Postal address: 25 Chetaev St., Kazan, 420126, Russia.
- Full details on the /requisites page.
The supervisory authority: Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), https://rkn.gov.ru.