Notice: this page is an English translation of our Russian-language Privacy Policy, provided for reader convenience. In the event of any discrepancy between this translation and the original Russian version, the Russian version prevails.
| Data | Purpose | Legal basis |
|---|---|---|
| Phone number | Sign-up and authentication | Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ of 27 July 2006 on Personal Data) |
| Name, age, gender | Profile display | Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ) |
| Profile photo | Personalisation (optional) | Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ) |
| Messages and media files | Messaging functionality | Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ) |
| Geolocation | Map features (only with permission) | Consent (Art. 6(1)(1) of Federal Law No. 152-FZ) |
| Device model, OS version, unique device identifier, push notification token (FCM) | Session security | Legitimate interest (Art. 6(1)(7) of Federal Law No. 152-FZ) |
| IP address, logs | Abuse prevention | Legitimate interest and security obligations |
| Crash stack traces, app version, app events, user identifier when an active session exists | Diagnostics and crash troubleshooting | Legitimate interest (Art. 6(1)(7) of Federal Law No. 152-FZ) |
We do not collect any data other than that listed in the table above. We do not use trackers or advertising SDKs, and we do not share data with advertising networks.
Crash diagnostic data is processed on the Operator's own infrastructure (self-hosted GlitchTip located in the Russian Federation). Sensitive fields (tokens, passwords, verification codes, phone numbers, email addresses, session identifiers) are stripped on the device before transmission. No transborder data flow takes place.
Personal data (phone number, name, bio) is encrypted on the server using certified cryptographic algorithms compliant with Russian state standards . Authorisation tokens are stored in encrypted form. All connections between the App and our servers are protected by modern encryption protocols.
We apply technical and organisational measures to protect information from unauthorised access, alteration, disclosure, or destruction. Access to personal data is restricted and granted only when necessary.
Data is stored on secured servers located in the territory of the Russian Federation, as required by Federal Law No. 152-FZ of 27 July 2006 on Personal Data. Backups are kept exclusively within the territory of the Russian Federation.
Data is retained for as long as the user account exists. Upon account deletion, personal data is removed from the active database immediately (see section 7); residual copies in backup snapshots are purged as backups rotate — within 30 days at most.
Server-side technical logs (WebSocket events, API request traces) are retained for 30 days. User identifiers in these logs are hashed with a daily-rotating salt, so beyond a 24-hour window the original identifier cannot be recovered — even from the live log buffer.
In accordance with Federal Law No. 149-FZ of 27 July 2006 on Information, Informational Technologies and Protection of Information, certain data (message metadata) may be retained in anonymised form for periods prescribed by law, even after the account is deleted.
We do not sell or otherwise transfer personal data to third parties for commercial purposes.
For push notification delivery to devices with Google Mobile Services we use the Firebase Cloud Messaging service provided by Google LLC (USA). Only the device token is transmitted. The transfer occurs with the user's consent on terms that ensure adequate data protection.
Because Firebase servers are located outside the Russian Federation, the transfer of the device token constitutes a transborder flow of personal data to the United States. The legal basis for this transfer is the user's consent to receive push notifications, granted on first launch of the App in accordance with Art. 12(1) of Federal Law No. 152-FZ. Data processing by Google LLC is carried out under the terms of the Google Cloud Data Processing Addendum, which establishes contractual safeguards for personal data. The user may disable push notifications in the device settings; after disabling, the token is deleted from our database within 30 days.
For push notification delivery to devices without Google Mobile Services (the RuStore build of the App) we use the RuStore Push SDK provided by Mobile Platform LLC, registered in the Russian Federation. Only the device token is transmitted; processing takes place within the Russian Federation, with no transborder data flow. See RuStore privacy policy for details.
For map rendering and geolocation features the App uses Yandex MapKit, provided by Yandex LLC (Russian Federation). The service receives map-tile requests for the visible viewport and geocoding/search queries when the user invokes those features. MapKit has no access to message content or account data. Data transfer takes place within the Russian Federation.
Transfer of data to third parties is otherwise possible only in cases prescribed by the legislation of the Russian Federation (upon request of authorised state bodies).
In accordance with the legislation of the Russian Federation (in particular, Art. 14 of Federal Law No. 152-FZ), you have the right to:
To exercise these rights, please contact us using the details in the "Operator" section below.
You can delete your account yourself — see section 7.
You can delete your account in two ways:
Upon deletion, the following are immediately and permanently removed: name, profile, profile and avatar photos, linked email, biography, map markers, media files (voice/video/images). All active sessions are revoked and push notifications are disabled.
Anonymised message metadata (without author identification) is retained as required by Russian Federal Law No. 149-FZ "On Information".
A hash of your phone number is retained for 14 days from the moment of deletion as protection against harassment via immediate re-registration. After 14 days this hash is also deleted.
If no email is linked to your account, please use the in-app deletion option.
The mobile App does not use cookies. Authentication is performed through access tokens (JWT). We collect basic aggregated analytics (active-user count, feature-usage statistics) not tied to individual users.
For anonymised usage statistics (session starts, install events, install source from app store, device model, operating-system version) we use the AppMetrica analytics service (provided by Yandex LLC, registered in the Russian Federation). Data is transmitted in encrypted form. AppMetrica does not receive access to message content, contacts, location, or other identifying information. AppMetrica security: https://appmetrica.yandex.ru/about. AppMetrica privacy policy: https://yandex.ru/legal/confidential.
The App is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If we learn that a person under 18 has registered, we will delete the corresponding account.
We reserve the right to update this Policy. We will notify you of material changes through the App. The current version of the Policy is always available at this address.
The personal data operator is an individual — the sole developer of the Companion application (hereinafter referred to as the "Operator").
The processing of personal data is carried out on the basis of Art. 22(2)(2) of Federal Law No. 152-FZ (processing of data for the purpose of performing a contract with the data subject).
For questions regarding the processing of personal data and the exercise of your rights, please contact support: @CompanionSupportBot on Telegram or by email: support@app-companion.ru
By using the App and providing your data, you consent to the processing of personal data in accordance with this Privacy Policy and Federal Law No. 152-FZ of 27 July 2006 on Personal Data.
Consent to the processing of personal data is granted by the user at the time of registration in the App by ticking the corresponding box. The date and version of the Policy to which consent was given are recorded.
You may withdraw your consent by deleting your account via Settings → Delete account.