How we handle the data that concerns you.

1Introduction

Tavora ("the Bot") is a Telegram bot for managing communities, proposals, votes, and collaborative tasks. This Privacy Policy describes what data we collect, how we use it, and how we protect it.

By using the Bot, you accept the practices described in this policy.

2Data controller

Tavora Systems
Email: tavorasystems@gmail.com

3Data we collect

3.1 Telegram identifiers

When you interact with the Bot, we automatically collect:

• Telegram User ID — unique numeric identifier
• Telegram username — public username
• Timestamp — date and time of first and last interaction

These data points are required for the Bot to work and are provided automatically by Telegram on every interaction.

3.2 User-generated content

• Proposals: title, description, type, attachments (photos, videos, documents)
• Votes: vote type (in favor/against) associated with your User ID
• Comments: the text of comments on proposals and votes
• Tasks: title, description, notes, checklist, attachments
• Task notes: note text (public or private)

To preserve the original formatting you enter (bold, italic, links, animated Telegram Premium emoji), we also store a "rich" HTML version of your content alongside the plain text. Animated Telegram Premium emoji are saved as a numeric identifier (custom emoji ID), not as an image.

3.3 Community data

• Role and membership in communities (member, admin, founder)
• Custom permissions assigned within each community
• Join requests for communities with manual approval
• Community-level bans — users banned from a specific community, recorded with User ID, ban author, and timestamp
• Ownership transfer requests — when a founder transfers a community to another user, we record the two User IDs involved and the request status
• Community publishing language — the language chosen by the founder for messages published in groups (proposal cards, votes, tasks, announcements). This is a community setting, not a personal one

3.4 User preferences

• Personal language — automatically detected on first launch from your Telegram language code (e.g. it, en) and used for the interface. You can change it any time from the Bot settings
• Time zone — if set manually, used for delivering reminders. Saved as a time-zone string (e.g. Europe/Rome) and as an offset in minutes
• Notification settings — per-community notification preferences
• Bot block status — if you block the Bot on Telegram, we record the event (date and last delivery error) so we don't keep trying to reach you. We automatically clear the flag if you start interacting again

3.5 Telegram group data

When the Bot is added to a group, we store:

• The group ID and its name
• The presence of users in the group (only ID and username, to verify membership for proposal-submission policy purposes)

3.6 Technical data and audit trail

• Task event history — we record who created, modified, completed, or deleted a task (audit trail)
• Digital signature — exported PDFs include an SHA-256 hash of their content to verify integrity. The hash is public and contains no sensitive data
• Temporary wizard data — drafting sessions (proposal/task creation) are saved temporarily so you can resume them after a Bot restart, and are deleted automatically after 24 hours of inactivity
• Bug-report and feedback attachments — when you send a report through the Bot's "Feedback" function, any attached files (photos, videos, documents) are stored as a Telegram reference (file_id) along with the related management-group message, so we can review them while we work on the report. These references are deleted automatically after about 30 days

3.7 Donation-related data

The Bot lets you support the project through donations in Telegram Stars. When you make a donation, we record:

• Telegram User ID and username of the donating user
• Telegram first name of the donating user — used solely to thank you publicly on the official channel, if you accept, or to display the donor badge
• Donation amount in Stars
• Transaction ID (charge_id) returned by Telegram, useful for any refunds or disputes
• Donation date and time

We do not receive or store your payment-method details (card, account, etc.): the transaction happens entirely inside Telegram Stars. See also the Telegram Privacy Policy.

3.8 Internal product analytics (beta phase)

During the Bot's beta phase, we record aggregated events about users' initial activation — for example when you see the "Create your first community" button, whether you click it, and whether you complete the creation of your first community. We do this to understand where to improve the product.

These events are tied to your User ID and a timestamp, remain internal to the Tavora team, are never shared with third parties nor used for profiling or advertising, and will be removed at the end of the beta phase. You can request early deletion via email (see section 9).

3.9 Tavora AI data (conversational assistant)

Tavora includes an AI assistant that answers members' questions based on the materials uploaded to the community Library and on Tavora's base knowledge. When you interact with Tavora AI, we collect the following data:

• Conversation history (memory) — the questions you ask and the AI's replies in private chat with the bot are saved so the AI can give coherent multi-turn answers ("do you remember what I asked you?"). Memory is persistent until you delete it manually (see section 9) or 30 days of complete inactivity with that AI go by. Each memory is isolated per (user, community) pair
• Synthetic AI user profile — an automatic summary of your interaction style (max 200 characters) generated weekly to calibrate the assistant's tone. Updated in aggregate, never used to identify or commercially profile you
• Conversation history summary — when memory exceeds ~20 turns, the older turns are compressed into a summary (~300 characters) saved in place of the original turns. The 10 most recent turns are kept intact
• Usage counters — number of questions asked in rolling windows (24h per user, 7 days per community), to enforce the usage limits described in the bot. They do not contain the text of the questions
• Answer cache — public questions to the global Tavora AI (/start menu) are associated with the reply via a numeric embedding to serve instant answers to similar questions. The cache never contains personally identifiable data beyond the question itself

In group chats with /ask, NO memory is saved: each question in a group is isolated, for privacy. Public replies remain independent.

3.10 Automatic moderation of AI Instructions

When a community founder or admin saves an AI Instruction (a behavioral rule the assistant must follow), the text of the instruction is sent to the AI model provider (see section 7.3) for an automatic safety check. If the instruction violates the usage policies (insults, prompt-injection, illegal activities), it is flagged as "ignored" and the AI does not apply it. The user sees an AI note explaining why.

Only the text of the instruction is sent to the provider — no other personal data of the admin or community members.

3.11 Data we do NOT collect

The Bot does not collect:

• Last name, email, phone number
• Profile picture or biographical data
• Location or GPS data
• Private messages outside the conversation with the Bot
• Data from other apps or services
• Browsing history, cookies, or device data
• Payment details (credit cards, bank accounts, IBAN)

Note: the Telegram first name can only be saved for donors (see 3.7). For all other users we record only the numeric User ID and the Telegram username (see 3.1).

4How we use the data

The collected data is used exclusively to:

• Run the Bot — manage proposals, votes, tasks, and communities
• Display — show authors, votes, and comments to community members
• Send notifications — reminders, task updates, and vote results
• Generate exports — produce PDF reports of community activity (on admin request)
• Moderate — manage bans, permissions, and roles inside communities
• Tavora AI — answer members' questions based on the Library materials + conversational memory to keep coherence across turns of the same person

The data is not used for:

• Commercial or advertising profiling
• Sale to third parties
• Behavioral analysis or marketing

5Data visibility

What other community members can see

• Proposals: your username as author is visible to all members
• Votes: your vote and username are visible to community managers (via the /votes command)
• Comments: your comments are visible to members of the group where they are published
• Tasks: assignments and public notes are visible to community members
• Private notes: visible only to you and the task admins/assignees

What is NOT visible

• Your private interactions with the Bot (direct messages)
• Proposals you have hidden from your personal view

6Data retention

• Data is retained for the entire duration of your use of the Bot and the community
• Community deletion: when a founder deletes a community, members are removed immediately and the community is flagged as "pending deletion" (soft-delete with timestamp). Associated data (proposals, votes, tasks) is kept for 10 days, during which recovery can be requested via email. After this period, the community and all associated data are deleted permanently and automatically
• Temporary wizard sessions: drafting sessions (proposal/task creation) are deleted automatically after 24 hours of inactivity
• Feedback attachments: attachments to reports sent through the "Feedback" function are deleted automatically after about 30 days
• Orphan proposals: proposals pending for more than 7 days are finalized automatically
• Global ban: in case of a ban, your User ID and username are kept on the ban list
• Bot block: if you block the Bot on Telegram, we record the event and the block status. Your data remains in the database but you will no longer receive any communication from the Bot
• Beta analytics events: the onboarding events (section 3.8) will be deleted or anonymized at the end of the Bot's beta phase
• Tavora AI memory: conversation turns with the AI assistant (private chat) are kept until you delete them manually with the "🧹 Reset memory" button (see section 9) or 30 days of complete inactivity with that AI go by. In groups (/ask) no memory is kept
• Synthetic AI user profile: updated weekly, replaced by the most recent version. Deleted on memory reset or on account deletion
• Global AI answer cache: kept as long as the underlying materials don't change. Automatically invalidated on knowledge-base updates

7Third-party services

7.1 Telegram

The Bot operates exclusively through the Telegram APIs. All messages, files, and interactions pass through Telegram's servers in accordance with their Privacy Policy.

Attachments (photos, videos, documents) are not stored on our servers — only the reference (file_id) provided by Telegram is stored. The files stay on Telegram's servers.

7.2 Database

Data is stored in a privately managed PostgreSQL database. We do not use third-party cloud services to store data.

7.3 Anthropic (Tavora AI)

For Tavora AI replies (conversational assistant), the Bot relies on Anthropic (anthropic.com), the provider of the Claude language model. When a user asks the AI a question, the following are sent to the provider exclusively:

• The text of the current question
• The previous conversation turns (in private chat) to give coherence to the reply — see section 3.9
• Relevant excerpts from the community's Library materials (only those flagged AI=Yes by the staff)
• The community staff's AI Instructions (behavioral rules, see 3.10)

Anthropic does not use the data received to train its models (standard API clause), keeps it for at most 30 days for safety purposes and then deletes it. See Anthropic's Privacy Policy and Data Processing Addendum.

NOT sent to Anthropic: your Telegram User ID, username, personal data, data from other communities, conversations with other users. The community is isolated and Anthropic does not know who you are.

Vector embeddings: the computation of embeddings (numerical representation of text for retrieval) is performed locally on the Bot's server via the open-source multilingual-e5-large model. No embedding data is sent to third parties.

7.4 No other third-party services

Beyond Telegram (7.1) and Anthropic (7.3), the Bot does not rely on:

• Third-party analytics or tracking services (Google Analytics, Mixpanel, Amplitude, etc.)
• Tracking cookies or pixels
• Advertising services
• External APIs other than Telegram

For full transparency: the only tracking we perform is the internal and aggregated one described in section 3.8 (product analytics during the beta phase).

8Data security

We adopt the following security measures:

• Parameterized queries — protection against SQL injection
• Encryption at rest — disk volumes hosting the database are encrypted
• Secure connection — encrypted communication between Bot and database
• Safe logging — authentication tokens and sensitive data are not written to logs
• Anti-abuse limits — rate limiting on proposal/task creation and interactions
• Input validation — all user input is validated and truncated to safe maximum lengths
• Restricted access — only Bot administrators have direct access to the database
• Digital signature — exported PDF documents are signed with SHA-256 to guarantee integrity

9Your rights

9.1 Right of access

You can request which data we have stored about you by contacting us via email.

9.2 Right to erasure

You can request the complete deletion of your data. The Bot includes a built-in GDPR function. Deletion entails:

• Removal of: user account, community memberships, roles, bans, access requests, transfer requests
• Removal of communities you founded (including all associated data)
• Anonymization of: created proposals, cast votes, comments, tasks created/assigned, notes, events, templates

Created content (proposal text, comments, task notes) is anonymized but kept, as it belongs to the community. Aggregated vote tallies remain unchanged, but the voter's identity is removed.

9.3 Right to rectification

Your Telegram username is updated automatically in the Bot when you change it on Telegram.

9.4 Right to portability

You can export your community data through the PDF/ZIP export functions available in the Bot (proposals, tasks, votes).

9.5 Right to object

• You can leave any community at any time through the Bot menu
• You can block the Bot to stop any communication
• You can hide your proposals from your personal view

9.6 Right to delete memory with Tavora AI

You can delete on your own the memory of your conversation with Tavora AI at any time, without having to go through email:

• Community Tavora AI (private): open the community → tap 🤖 Tavora AI → 🧹 Reset memory (N) button always visible (N = number of saved exchanges)
• Global Tavora AI (/start menu): tap ⚙️ Settings → 🧹 Reset Tavora AI memory (N) button

The reset immediately deletes: all conversation turns, the synthetic AI user profile, and any history summary. The operation is irreversible and requires explicit confirmation. A specific memory is also deleted automatically after 30 days of complete inactivity.

To exercise the other rights (access, full deletion, rectification), send an email to tavorasystems@gmail.com stating your Telegram User ID.

10Minors

The Bot is not intended for people under 16. We do not knowingly collect data from minors. If a parent or guardian believes a minor has provided personal data, they can contact the administrator to request its removal.

11Privacy Policy changes

We reserve the right to update this Privacy Policy. In the event of substantial changes, users will be notified through the Bot. The date of the latest update is shown at the top of this page.

12Contact

For questions, access requests, or data deletion, write to:

• tavorasystems@gmail.com

Please include your Telegram User ID in the request so we can identify your data.

13Support form data

When you fill in the support form on the landing page (/support/), we collect the data you voluntarily provide to handle your message.

What we collect

• Type (bug or suggestion), title (max 120 chars) and description (max 4000 chars)
• Sender email (so we can reply)
• Optional attachments (max 3 files, 4 MB total; accepted types: JPG, PNG, WebP, GIF, MP4, WebM, MOV, PDF, TXT)
• Page language and IP hash (SHA-256 with salt) used only for rate-limiting and diagnostic logs, never in cleartext

Legal basis and purpose

We process this data based on your explicit consent (Art. 6.1.a GDPR — required checkbox in the form) and on performance of a service requested by the data subject (Art. 6.1.b GDPR — replying to you). Without explicit consent, the form does not submit.

Subprocessors

Emails are delivered to our inbox tavorasystems@gmail.com via Resend Inc. (USA), a transactional email provider compliant with the EU-US Data Privacy Framework standard. Resend processes the data as a processor on our behalf via Data Processing Agreement.

Anti-bot verification is performed by Cloudflare Turnstile (Cloudflare Inc., USA) — it does not use persistent cookies nor cross-site tracking.

Retention

Received emails are kept in our Gmail inbox for the time necessary to handle the message, and in any case for a maximum of 24 months for audit purposes. Vercel Function diagnostic logs (IP hash, country, outcome) are kept for 7 days and contain no personal data in cleartext.

Your rights

You can request access, rectification, deletion, restriction, portability or objection by writing to tavorasystems@gmail.com (see also section 9 — Your rights). You can withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Extra-EU transfer: Resend and Cloudflare have servers in the United States. Transfer is based on the Data Privacy Framework and on Standard Contractual Clauses where applicable.