Telegram

Telegram is a cloud-based instant messaging and voice over IP service.

This page is not published. While you can access it via its direct link, it is not yet displayed on the website.

Transparency

Does the policy require users to be notified in case of a data breach? No

0/7

Decided May 18, 2020 (revision history). This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No0/7
Yes, eventually5/7
Yes, within 72 hours7/7
N/A (the service collects so little personal data that notification would not be possible)7/7

Note

The service is not required to disclose data breaches per its privacy policy

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Decided May 18, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Yes5/5
N/A (no personal data—or contact information—collected)5/5

Citation

We will review and may update this Privacy Policy from time to time. Any changes to this Privacy Policy will become effective when we post the revised Privacy Policy on this page www.telegram.org/privacy. Please check our website frequently to see any updates or changes to our Privacy Policy, a summary of which we will set out below. [...] Important changes made to this Privacy Policy will be notified to you via Telegram.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Is the policy's history made available? Yes, with revisions or a change-log

5/5

Decided May 18, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No0/5
Only the date it was last modified3/5
Yes, with revisions or a change-log5/5

Citation

March 25, 2019: Expanded [10.2. Deleting Messages] with data on the new features in version 5.5, which allow both participants to remove any messages from one-on-one chats for both sides without a time limit. Important changes made to this Privacy Policy will be notified to you via Telegram.

[...]

This policy has been expanded on August 14, 2018 to add information required by the EU data protection law.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy outline the service's general security practices? Yes

2/3

Decided May 18, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No0/3
Somewhat1/3
Yes2/3
Yes, including audits2.5/3
N/A (no personal data collected)3/3
Yes, including independent audits3/3

Note

They have a full FAQ for "technically inclined" stating all of their security practices and measures at: https://core.telegram.org/techfaq

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Decided May 18, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No0/10
Somewhat4/10
Mostly7/10
Yes10/10
No personal data is collected10/10

Citation

5.1. Our Services Telegram is a cloud service. We will process your data to deliver your cloud chat history, including messages, media and files, to any devices of your choosing without a need for you to use third-party backups or cloud storage.

5.2. Safety and Security Telegram supports massive communities which we have to police against abuse and Terms of Service violations. Telegram also has more than 200 million users which makes it a lucrative target for spammers. To improve the security of your account, as well as to prevent spam, abuse, and other violations of our Terms of Service, we may collect metadata such as your IP address, devices and Telegram apps you've used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum.

5.3. Spam and Abuse To prevent phishing, spam and other kinds of abuse and violations of Telegram’s Terms of Service, our moderators may check messages that were reported to them by their recipients. If a spam report on a message you sent is confirmed by our moderators, your account may be limited from contacting strangers – temporarily or permanently. You can send an appeal using @Spambot. In case of more serious violations, your account may be banned. We may also use automated algorithms to analyze messages in cloud chats to stop spam and phishing.

5.4. Cross-Device Functionality We may also store some aggregated metadata to create Telegram features (see section 5.5 below) that work across all your devices.

5.5. Advanced features We may use some aggregated data about how you use Telegram to build useful features. For example, when you open the Search menu, Telegram displays the people you are more likely to message in a box at the top of the screen. To do this, we calculate a rating that shows which people you message frequently. A similar rating is calculated for inline bots so that the app can suggest the bots you are most likely to use in the attachment menu (or when you start a new message with “@”). To turn this feature off and delete the relevant data, go to Settings > Privacy & Security > Data Settings and disable “Suggest Frequent Contacts”.

5.6. No Ads Unlike other services, we don't use your data for ad targeting or other commercial purposes. Telegram only stores the information it needs to function as a secure and feature-rich cloud service.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided May 18, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically

Possible Options

No0/10
Only summarily3/10
Yes, generally7/10
Yes, exhaustively10/10
N/A (no personal information is collected)10/10

Citation

Telegram is a communication service. You provide your mobile number and basic account data (which may include profile name, profile picture and about information) to create a Telegram account.

To make it easier for your contacts and other people to reach you and recognize who you are, the screen name you choose, your profile pictures, and your username (should you choose to set one) on Telegram are always public. We don't want to know your real name, gender, age or what you like.

We do not require your screen name to be your real name. Note that users who have you in their contacts will see you by the name they saved and not by your screen name. This way your mother can have the public name ‘Johnny Depp’ while appearing as ‘Mom’ to you and as ‘Boss’ to her underlings at work (or the other way around, depending on how these relationships are structured).

When you enable 2-step-verification for your account or store documents using the Telegram Passport feature, you can opt to set up a password recovery email. This address will only be used to send you a password recovery code if you forget it. That's right: no marketing or “we miss you” bullshit.

Telegram is a cloud service. We store messages, photos, videos and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups. All data is stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. This way local engineers or physical intruders cannot get access to user data.

Secret chats use end-to-end encryption. This means that all data is encrypted with a key that only you and the recipient know. There is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats. For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from.

When you send photos, videos or files via secret chats, before being uploaded, each item is encrypted with a separate key, not known to the server. This key and the file’s location are then encrypted again, this time with the secret chat’s key — and sent to your recipient. They can then download and decipher the file. This means that the file is technically on one of Telegram’s servers, but it looks like a piece of random indecipherable garbage to everyone except for you and the recipient. We don’t know what this random data stands for and we have no idea which particular chat it belongs to. We periodically purge this random data from our servers to save disk space.

In addition to private messages, Telegram also supports public channels and public groups. All public chats are cloud chats (see section 3.3.1 above). Like everything on Telegram, the data you post in public communities is encrypted, both in storage and in transit — but everything you post in public will be accessible to everyone.

Telegram uses phone numbers as unique identifiers so that it is easy for you to switch from SMS and other messaging apps and retain your social graph. We ask your permission before syncing your contacts.

We store your up-to-date contacts in order to notify you as soon as one of your contacts signs up for Telegram and to properly display names in notifications. We only need the number and name (first and last) for this to work and store no other data about your contacts.

Our automatic algorithms can also use anonymized sets of phone numbers to calculate the average number of potential contacts an unregistered phone number may have on Telegram. When you open the ‘Invite friends’ interface, we display the resulting statistics next to your contacts to give you an idea of who could benefit most from joining Telegram.

You can always stop syncing contacts or delete them from our servers in Settings > Privacy & Security > Data Settings.

If you are using Android, Telegram will ask you for permission to access your phone call logs (READ_CALL_LOG). If you grant this permission, Telegram will be able verify your account by transmitting a phone call instead of asking you to enter a code. Telegram uses this permission only to confirm receipt of the confirmation call by verifying the number in the call log.

The only cookies we use are those to operate and provide our Services on the web. We do not use cookies for profiling or advertising. The cookies we use are small text files that allow us to provide and customize our Services, and in doing so provide you with an enhanced user experience. Your browser should allow you to control these cookies, including whether or not to accept them and how to remove them. You may choose to block cookies with your web browser, however, if you do disable these cookies you will not be able to log in to Telegram Web.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service collect personal data from third parties? No

10/10

Decided May 18, 2020 (revision history). This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes0/10
Only for critical data7/10
No10/10

Note

Telegram doesn't collect data from third-parties

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow the user to control whether personal data is used or collected for non-critical purposes? N/A (no data used for non-critical purposes)

5/5

Decided May 18, 2020 (revision history). This question accounts for 6% of the final score.

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No0/5
On an opt-out basis, but only for some non-critical data/uses1.5/5
On an opt-out basis, for all non-critical data/uses3/5
N/A (no data used for non-critical purposes)5/5
On an opt-in basis5/5

Note

Data is not used for non-critical purposes

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Handling

Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided May 18, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes0/10
Yes, but you can opt-out3.5/10
Yes, but you must opt-in7/10
No10/10

Note

No data is shared for marketing purposes

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow third-party access to private personal data? Yes, all parties specified (only to critical service providers)

8/10

Decided May 18, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified0/10
Yes, all parties specified (including non-critical service providers such as advertisers)3/10
Yes, not all parties specified (but only to critical service providers)7/10
Yes, all parties specified (only to critical service providers)8/10
No10/10

Citation

Other users of our Services with whom you choose to communicate with and share certain information, who may be located outside the EEA. Note that by entering into the Terms of Service and choosing to communicate with such other users of Telegram, you are instructing us to transfer your personal data, on your behalf, to those users in accordance with this Privacy Policy. We employ all appropriate technical and organizational measures (including encryption of your personal data) to ensure a level of security for your personal data that is appropriate to the risk.

We may share your personal data with: (1) our parent company, Telegram Group Inc, located in the British Virgin Islands; and (2) Telegram FZ-LLC, a group member located in Dubai, to help provide, improve and support our Services. We will implement appropriate safeguards to protect the security and integrity of that personal data. This will take the form of standard contract clauses approved by the European Commission in an agreement between us and our relevant group companies. If you would like more information regarding these clauses, please contact us using the details in section 12 below.

If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it does, we will include it in a semiannual transparency report published at: https://t.me/transparency.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


Does the service allow you to permanently delete your personal data? Yes, using an automated mechanism

5/5

Decided May 18, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No0/5
Yes, by contacting someone3/5
Yes, using an automated mechanism5/5
N/A (no personal information collected)5/5

Citation

If you would like to delete your account, you can do this on the deactivation page. Deleting your account removes all messages, media, contacts and every other piece of data you store in the Telegram cloud. This action must be confirmed via your Telegram account and cannot be undone.

Note

The deactivation page is at https://telegram.org/deactivate

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.


When does the policy allow law enforcement access to personal data? Only when required by a court order or subpoena

4/5

Decided May 18, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

Always0/5
Not specified0/5
When reasonably requested3/5
Only when required by a court order or subpoena4/5
N/A (no personal data to share)5/5
Never (special legal jurisdiction)5/5

Note

If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it does, we will include it in a semiannual transparency report published at: https://t.me/transparency.

Click here to suggest a change or to flag this conclusion as incorrect, or here for more information.



Warnings

Telegram has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Telegram, submit one here.


Highlighted Policy Snapshot ALPHA

No highlighted policy snapshot has been created for this privacy policy. To view the policy at its original location, click here.

8.7/10

How we calculate ratings →


Version Added

May 18, 2020

Ratings Updated

May 18, 2020

Warnings

0

Maintained by

doamatto

Original Location
Open in New Tab
Other Versions