Privacy Policy

Effective from May 9, 2026

We treat your data like our own. This policy explains in plain language what we collect, why, how we store it, and what rights you have. If something is unclear, write to privacy@letgram.ru — we'll reply.

1. Who we are

Personal data operator:

Individual entrepreneur Popkova Elena Grigorievna
OGRNIP: 325237500062811 (registered February 17, 2025)
INN: 230201330074
Address: Krasnodar Krai, Armavir, stanitsa Staraya Stanitsa, Russian Federation
Personal data requests: privacy@letgram.ru
User support: support@letgram.ru

Letgram is a messenger for chat, voice and video calls, stories, posts, and media content. The service is available as a mobile app for iOS and Android, and as a web version.

2. What data we collect

2.1. Data you provide

Phone number — the only account identifier. Used for registration, sign-in, and finding contacts.
First name, last name, profile photo, bio, emoji status — optional.
Content you share: messages, photos, videos, voice notes, documents, stories, posts, reels, comments, reactions.
Address-book contacts — only with your permission, and only as hashes of phone numbers used to find friends on Letgram. Raw contacts are not stored on our side.

2.2. Data we collect automatically

Message metadata: sender, recipient, timestamp, message type. The text and media themselves are encrypted (see §5).
Device technical data: model, OS version, app version, IP address, push token.
Call metadata: participants, start time, and duration. Call content is not recorded.
Security logs: sign-in time, IP, device type — for active sessions and account security.

2.3. What we do NOT collect

We don't collect geolocation unless you send it in chat yourself.
We don't read the contents of your messages manually.
We don't share data with advertising brokers.
We don't use your messages or media to train AI models.

3. How we use the data

Service delivery: sending messages, calls, multi-device sync.
Account security: SMS sign-in codes, suspicious activity detection.
User communication: push notifications about new messages, technical alerts.
Moderation: reviewing complaints, removing illegal content (see §7).
Legal compliance: responding to lawful requests from Russian government authorities.

4. Legal basis for processing

We process your personal data based on:

Your consent (granted at registration in the app).
Contractual necessity to fulfill the offer agreement you accept by using Letgram (Terms of Use).
Russian Federal Laws No. 152-FZ on Personal Data, No. 149-FZ on Information, and No. 374-FZ.
Operator's legitimate interests (anti-fraud, anti-spam, anti-abuse).

5. Categories of subjects and processing actions

5.1. Categories of personal data subjects

Registered users of the iOS / Android apps and the Letgram web version.
Visitors of letgram.ru (public channels, landing, legal pages).
Recipients of notifications (push, email) within the use of the service.

5.2. List of operations performed on personal data

We perform the following operations (Article 3 of FZ-152): collection, recording, systematization, accumulation, storage, refinement (updating, modification), retrieval, use, transfer (provision, access), depersonalization, blocking, deletion, and destruction. Processing is performed both with and without automation tools.

5.3. Automated decision-making

Letgram does not make legally significant decisions about users solely based on automated processing, except for technical actions (e.g., automated spam moderation and anti-fraud filters). Any serious action — account ban based on a complaint, response to a government request — undergoes manual review.

5.4. Cross-border data transfer

User personal data is stored on servers in the Russian Federation and is not transferred outside the country, except for technical transmission of metadata to push services Apple (APNs, USA) and Google (FCM, USA), required to deliver notifications. This transfer is encrypted, contains no message content, and is performed under adequate safeguards (provider's standard contractual clauses).

6. Encryption and data protection

Transport encryption: all traffic between your device and Letgram servers uses TLS 1.3.
Server-side encryption: message content is encrypted with AES-256 using a key stored separately from data. Staff without operational access cannot read decrypted content.
Calls: audio and video are transmitted via WebRTC over DTLS-SRTP — encrypted end-to-end between participants.
Storage: data is stored on servers in the Russian Federation, in compliance with Federal Law 152-FZ.

7. How long we keep data

Messages and media — until you or the conversation partner delete them, or until your account is deleted.
Call metadata — 6 months (per Russian Federal Law 374-FZ requirements for information dissemination organizers).
Security logs — 1 year.
Deleted account — all data is wiped from servers within 30 days of deletion, except records we are legally required to retain.

8. User content and moderation

Letgram is a user-generated content (UGC) messenger. We have zero tolerance for material that violates the law or others' rights: violence, threats, child sexual abuse material, terrorism propaganda, discrimination, spam, and fraud.

Reporting: a "Report" button is available on every message, profile, story, post, reel, and comment.
Response time: we review reports within 24 hours and act — content removal, temporary ban, or permanent account deletion.
Blocking users: you can block any user at any time — they will not be able to message you or see your content.
CSAM: child sexual abuse material is removed immediately, the account is banned permanently, and information is forwarded to Russian law enforcement.

9. Who we share data with (third parties and SDKs)

We do not sell your data. Sharing with third parties happens only in these cases:

SMS provider (MTS Exolve) — receives only your phone number to deliver the sign-in code.
Push services (Apple APNs, Google FCM, Mozilla autopush) — receive a device token and an encrypted "new message" signal. Message content is not transmitted in pushes.
Storage servers (our own data centers in Russia) — to store encrypted data.
Russian government authorities — only upon a lawful, properly issued request (court order or properly motivated FSB/MVD request).

10. Your rights (Articles 14, 15, 21 of FZ-152)

As a personal data subject, you have the right to:

Confirm processing and obtain a copy of your data (Art. 14).
Request correction, blocking or deletion of data that is incomplete, outdated, inaccurate, or unlawfully obtained (Art. 14).
Withdraw consent at any time (Art. 9 cl. 2). Withdrawal terminates processing and triggers account deletion within 30 days.
Object to processing for direct marketing (Art. 15 cl. 3) — we do not send marketing messages.
Appeal our actions to the Russian supervisory authority — Roskomnadzor: rkn.gov.ru, Moscow, Kitaygorodskiy proezd 7, building 2, or via court proceedings.

10.1. How to exercise rights

Email privacy@letgram.ru and include:

Full name or account identifier (phone number, username).
Which right you are exercising (access / correction / deletion / consent withdrawal).
Identification: email tied to the account, or a photo of the first page of your passport (we use the photo only for identification and delete it immediately afterwards).

Response time: no more than 30 calendar days (Art. 20 cl. 1 of FZ-152). Service is free.

10.2. Withdrawing consent

Consent can be withdrawn three ways:

In the app: Settings → Delete Account (instant action, triggers a 30-day deletion process).
By email to privacy@letgram.ru with subject "Withdraw consent".
By registered mail to the operator's postal address (see §1).

11. Account deletion

You can delete your account at any time:

iOS / Android app: Settings → Delete Account.
Web version: Settings → Delete Account.
By email: request to privacy@letgram.ru.

After confirmation, all your messages, media, posts, stories, and profile data are wiped from our servers within 30 days. The action is irreversible.

12. Children

Letgram is not intended for users under 14. We don't request age verification at registration, but if we learn an account belongs to a child under 14, we'll delete it. If you are a parent and discovered your child's account — write to privacy@letgram.ru.

13. Push notifications

Letgram sends push notifications about new messages, calls, reactions, and mentions through Apple APNs (iOS), Google FCM (Android), or native Web Push (RFC 8292) for the web version.

Pushes carry only metadata: chat ID, sender name, event type. Message content is not transmitted in pushes — text is fetched from the encrypted source when you open the notification.
Push permission is granted via the iOS/Android system dialog at first launch — you can decline.
You can disable pushes anytime: system Settings → Notifications → Letgram, or in the app: Settings → Notifications and Sounds.

14. Cookies, LocalStorage, and Service Worker

The Letgram web version (web.letgram.ru) and letgram.ru use browser storage strictly for technical purposes.

14.1. What is stored in your browser

HTTP cookies: we don't set third-party cookies. Technical session cookies may be set by our CDN/Cloudflare for bot protection and rate-limiting.
LocalStorage: the JWT session token, selected interface language, theme (light/dark), and user settings.
IndexedDB: local cache of messages, chats, and media for offline access and faster loading.
Service Worker: registered for PWA functionality — static asset caching, push notification delivery, background sync.

14.2. Cookie categories

Strictly necessary — required for the service to work (session, CSRF). No consent required under FZ-152.
Functional — language and theme selection. Stored in LocalStorage, removed when the site is cleared.
Analytics — NONE. We do not use Google Analytics, Yandex.Metrica, or any other trackers.
Advertising — NONE. No marketing cookies or fingerprinting.

14.3. How to clear or disable

In your browser: Settings → Privacy → Clear site data → letgram.ru.
The "Log out" button in the app removes the token from LocalStorage.
The "Delete Account" button clears all data both on the server and locally.
The Service Worker can be unregistered via DevTools → Application → Service Workers → Unregister.

Disabling cookies and LocalStorage entirely will make the web version unusable — your sign-in won't persist between sessions.

15. Information dissemination organizer registry

Per Russian Federal Law 149-FZ on Information, we comply with obligations of an information dissemination organizer (ORI) and cooperate with authorized Russian government bodies in the manner prescribed by law.

16. Changes to this policy

We may update this policy. Material changes will be posted on this page, and we will notify you in-app 7 days before they take effect. The last update date is shown at the top of this document.

17. Contact

Personal data requests: privacy@letgram.ru
User support: support@letgram.ru
Content reports: in-app via the "Report" button