Companion

Privacy Policy

Last updated: 1 July 2026

Notice: this page is an English translation of our Russian-language Privacy Policy, provided for reader convenience. In the event of any discrepancy between this translation and the original Russian version, the Russian version prevails.

1. What data we collect

Data Purpose Legal basis
Phone number Sign-up and authentication Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ of 27 July 2006 on Personal Data)
Email address (optional) Account recovery, security notifications Consent (Art. 6(1)(1) of Federal Law No. 152-FZ)
Name, age, gender Profile display Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ)
Profile photo Personalisation (optional) Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ)
Messages and media files Messaging functionality Performance of a contract (Art. 6(1)(5) of Federal Law No. 152-FZ)
Geolocation Map features (only with permission) Consent (Art. 6(1)(1) of Federal Law No. 152-FZ)
Device model, OS version, unique device identifier, push notification token (FCM) Session security Legitimate interest (Art. 6(1)(7) of Federal Law No. 152-FZ)
IP address, logs Abuse prevention Legitimate interest and security obligations
Crash stack traces, app version, app events, user identifier when an active session exists Diagnostics and crash troubleshooting Legitimate interest (Art. 6(1)(7) of Federal Law No. 152-FZ)

We do not collect any data other than that listed in the table above. We do not use trackers or advertising SDKs, and we do not share data with advertising networks.

Crash diagnostic data is processed on the Operator's own infrastructure (self-hosted GlitchTip located in the Russian Federation). Sensitive fields (tokens, passwords, verification codes, phone numbers, email addresses, session identifiers) are stripped on the device before transmission. No transborder data flow takes place.

Markers on the map, interest zones and the presence status ("online") that you create are visible to other users of the App to the extent provided by its functionality. Your device's precise location is not published automatically - only what you place yourself is shown on the map. You can delete your markers at any time and manage visibility in the App settings.

2. How we use data

3. Data protection

Personal data (phone number, name, bio) is encrypted on the server using certified cryptographic algorithms compliant with Russian state standards . Authorisation tokens are stored in encrypted form. All connections between the App and our servers are protected by modern encryption protocols.

Media files (voice messages, video, images) are stored encrypted using the AES-256-GCM algorithm in isolated private storage.

We apply technical and organisational measures to protect information from unauthorised access, alteration, disclosure, or destruction. Access to personal data is restricted and granted only when necessary.

4. Data retention

Data is stored on secured servers located in the territory of the Russian Federation, as required by Federal Law No. 152-FZ of 27 July 2006 on Personal Data. Backups are kept exclusively within the territory of the Russian Federation.

Data is retained for as long as the user account exists. Upon account deletion, personal data is removed from the active database immediately (see section 7); residual copies in backup snapshots are purged as backups rotate - within 30 days at most.

Server-side technical logs (WebSocket events, API request traces) are retained for 30 days. User identifiers in these logs are hashed with a daily-rotating salt, so beyond a 24-hour window the original identifier cannot be recovered - even from the live log buffer.

In accordance with Federal Law No. 149-FZ of 27 July 2006 on Information, Informational Technologies and Protection of Information, certain data (message metadata) may be retained in anonymised form for periods prescribed by law, even after the account is deleted.

5. Security incident notification

In the event of unlawful or accidental access to personal data, or its destruction, alteration, copying or disclosure (an incident), the Operator notifies the authorized authority (Roskomnadzor) within the timeframes set by Federal Law No. 152-FZ: within 24 hours of the fact of the incident, and within 72 hours of the results of the internal investigation. Affected users are informed by available means.

6. Transfer of data to third parties

We do not sell or otherwise transfer personal data to third parties for commercial purposes.

For push notification delivery to devices with Google Mobile Services we use the Firebase Cloud Messaging service provided by Google LLC (USA). Only the device token is transmitted. The transfer occurs with the user's consent on terms that ensure adequate data protection.

Because Firebase servers are located outside the Russian Federation, the transfer of the device token constitutes a transborder flow of personal data to the United States. The legal basis for this transfer is the user's consent to receive push notifications, granted on first launch of the App in accordance with Art. 12(1) of Federal Law No. 152-FZ. Data processing by Google LLC is carried out under the terms of the Google Cloud Data Processing Addendum, which establishes contractual safeguards for personal data. The user may disable push notifications in the device settings; after disabling, the token is deleted from our database within 30 days.

For push notification delivery to devices without Google Mobile Services (the RuStore build of the App) we use the RuStore Push SDK provided by Mobile Platform LLC, registered in the Russian Federation. Only the device token is transmitted; processing takes place within the Russian Federation, with no transborder data flow. See RuStore privacy policy for details.

For delivery of service emails (verification codes when linking or changing an email address, security notifications, account-deletion links) we use Resend (resend.com, USA). The recipient's email address and the message body are transmitted. Because Resend's servers are located outside the Russian Federation, this transfer constitutes a transborder flow of personal data to the United States. The legal basis is the user's consent, granted when voluntarily linking an email address to the account, in accordance with Art. 12(1) of Federal Law No. 152-FZ. No service emails are sent unless an email address is linked.

To verify a phone number during sign-up and sign-in, the number is transmitted to code-delivery services: a verification call from a check number (call-password.ru, zvonok.com), processed within the Russian Federation; and code delivery to the Telegram app (Telegram Gateway), which is handled by Telegram infrastructure located outside the Russian Federation and constitutes a transborder flow of the phone number. The legal basis is the user's consent to the processing of personal data granted at registration (Art. 12(1) of Federal Law No. 152-FZ).

For map rendering the App uses map tiles hosted on the Operator's own infrastructure within the Russian Federation (maps.app-companion.ru). Map data is based on OpenStreetMap (© OpenStreetMap contributors). Map-tile requests are served solely by the Operator's servers and are not transmitted to any third-party mapping service.

Transfer of data to third parties is otherwise possible only in cases prescribed by the legislation of the Russian Federation (upon request of authorised state bodies).

7. Automated decisions

The Operator does not make decisions that produce legal effects for the user, or similarly significantly affect the user's rights, solely on the basis of automated processing of personal data (art. 16 of Federal Law No. 152-FZ).

8. User rights

In accordance with the legislation of the Russian Federation (in particular, Art. 14 of Federal Law No. 152-FZ), you have the right to:

To exercise these rights, please contact us using the details in the "Operator" section below.

You can delete your account yourself - see section 9.

9. Account deletion

You can delete your account in two ways:

Upon deletion, the following are immediately and permanently removed: name, profile, profile and avatar photos, linked email, biography, map markers, media files (voice/video/images). All active sessions are revoked and push notifications are disabled.

Anonymised message metadata (without author identification) is retained as required by Russian Federal Law No. 149-FZ "On Information".

A hash of your phone number is retained for 14 days from the moment of deletion as protection against harassment via immediate re-registration. After 14 days this hash is also deleted.

If no email is linked to your account, please use the in-app deletion option.

10. Cookies and analytics

The mobile App does not use cookies. Authentication is performed through access tokens (JWT). We collect basic aggregated analytics (active-user count, feature-usage statistics) not tied to individual users.

For anonymised usage statistics (session starts, install events, install source from app store, device model, operating-system version) we use the AppMetrica analytics service (provided by Yandex LLC, registered in the Russian Federation). Data is transmitted in encrypted form. AppMetrica does not receive access to message content, contacts, location, or other identifying information. AppMetrica security: https://appmetrica.yandex.ru/about. AppMetrica privacy policy: https://yandex.ru/legal/confidential.

11. Children

The App is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If we learn that a person under 18 has registered, we will delete the corresponding account.

12. Changes to the policy

We reserve the right to update this Policy. We will notify you of material changes through the App. The current version of the Policy is always available at this address.

13. Personal data operator

The personal data operator is an individual - the sole developer of the Companion application (hereinafter referred to as the "Operator").

Personal data is processed on the legal bases set out in Section 1 of this Policy (performance of the contract with the user and the consent of the data subject).

For questions regarding the processing of personal data and the exercise of your rights, please contact support: @CompanionSupportBot on Telegram or by email: companion.relax@gmail.com

14. Consent

By using the App and providing your data, you consent to the processing of personal data in accordance with this Privacy Policy and Federal Law No. 152-FZ of 27 July 2006 on Personal Data.

Consent to the processing of personal data is granted by the user at the time of registration in the App by ticking the corresponding box. The date and version of the Policy to which consent was given are recorded.

You may withdraw your consent by deleting your account via Settings → Delete account.