Privacy Policy
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Sunny, an AI-powered mindfulness and self-reflection companion delivered via the Telegram messaging platform.
We take your privacy seriously, especially because Sunny processes information related to your emotional and psychological state, which qualifies as a special category of personal data under Article 9 of the General Data Protection Regulation ("GDPR").
1. Who we are
Data Controller:
- Name:
Oganesian Karen - Status: Self-employed individual (autónomo) registered in Spain
- Tax identifier:
Z1265366A - Address:
C/ Josep Serrano 32, 08024 Barcelona, Spain - Contact:
support@sunnysafebot.com
We are the controller of personal data processed in connection with the Sunny service. We have assessed and determined that the appointment of a Data Protection Officer is not required under Article 37 GDPR or Article 34 of the Spanish Organic Law on Personal Data Protection (LOPDGDD), as our processing does not constitute large-scale processing within the meaning of EDPB Guidelines WP243. This assessment is reviewed periodically.
2. What this policy covers
This policy applies to personal data we process when you:
- Interact with the Sunny bot on Telegram (
@sunnysafebot) - Visit our website at
sunnysafebot.com - Contact us at
support@sunnysafebot.com - Subscribe to a paid plan through our payment provider
This policy does not apply to the Telegram messaging platform itself, which operates as an independent data controller under its own privacy policy (see Section 11).
3. Personal data we process
3.1 Operational data (necessary to provide the service)
- Telegram chat identifier (
chat_id) — a numeric identifier assigned to your Telegram account - Telegram language preference and time zone offset (derived from your interaction)
- Account state: onboarding step, subscription status, last activity timestamp
- Consent records: which version of which consent you accepted and when
3.2 Content you provide
- Text messages you send to the bot
- Voice messages (transcribed via OpenAI Whisper API; see Section 9)
- Information you voluntarily share through the structured reflection prompts
- Information you voluntarily share through support communications
3.3 Inferred data (generated by automated analysis)
- Categorical tags describing detected indicators of stress or emotional state (used solely to adapt the system's response pattern)
- Periodic structured summaries of your reflection sessions
3.4 Identifiers you may voluntarily disclose
Telegram does not provide us with your real name, phone number, or email address. However, if you voluntarily share additional identifiers (your Telegram username, real name, email, or any other identifying information) in messages or support requests, we treat those as part of your personal data and protect them on the same basis.
3.5 Payment data
If you subscribe to a paid plan, payment data (card details, billing address, transaction history) is processed by our payment processor as an independent merchant of record. We do not store your payment card data. We receive only an anonymised transaction confirmation and your chat identifier to activate access.
3.6 Website analytics
When you visit sunnysafebot.com, we use Plausible Analytics — a cookie-free, privacy-friendly analytics service hosted in the EU (Germany). Plausible does not use cookies, does not collect personal data, does not track individual visitors across sessions, and does not share data with third parties. Only aggregated, anonymous metrics are collected (page views, approximate country, device type, referrer). See Section 14 for details.
4. Lawful basis for processing
We rely on the following legal grounds (GDPR Article 6 and Article 9):
| Category of data | Lawful basis |
|---|---|
| Operational data (Section 3.1) | Article 6(1)(b) — performance of contract |
| Content and inferred data (Sections 3.2–3.3) | Article 9(2)(a) — explicit consent for special category data |
| Payment data | Article 6(1)(b) — performance of contract and Article 6(1)(c) — legal obligation (tax records) |
| Support communications | Article 6(1)(b) and Article 6(1)(f) — legitimate interest in providing support |
| Tax records | Article 6(1)(c) — legal obligation under Spanish tax law |
| Website analytics (Plausible, cookie-free, aggregated) | Article 6(1)(f) — legitimate interest (low-impact, anonymous metrics; no personal data) |
| Automated decision-making (stress indicators) | Article 22(2)(c) and Article 9(2)(a) — explicit consent |
You may withdraw your consent at any time (see Section 12). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Who can use Sunny
Sunny is intended exclusively for users aged 18 or older. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, please contact support@sunnysafebot.com and we will delete the data immediately.
6. Where your data comes from
We collect personal data directly from you when you interact with Sunny. We do not purchase, scrape, or otherwise acquire personal data from third parties.
7. International data transfers
Some of our service providers process data outside the European Economic Area, specifically in the United States. These transfers occur under appropriate safeguards as required by GDPR Chapter V:
- OpenAI Whisper API (voice transcription): voice content is transmitted to OpenAI Ireland Ltd. and may be processed by OpenAI OpCo, LLC in the United States. This transfer is legitimised under the EU-US Data Privacy Framework (adequacy decision, July 2023) and EU Standard Contractual Clauses (Commission Implementing Decision 2021/914). Under the OpenAI API Data Usage Policy, audio submitted via the API is not used to train OpenAI models; the default retention for abuse-monitoring purposes is up to 30 days.
- Google Cloud Platform (Vertex AI for our AI processing): currently processed in
europe-west1(Belgium). Where transfers outside the EEA occur, they are governed by the Google Cloud Data Processing Addendum, including incorporated Standard Contractual Clauses. - Netlify (website hosting): operated by Netlify, Inc. (US-headquartered). Visitor IP addresses and HTTP request metadata may be processed in the United States. Transfer is legitimised under the EU-US Data Privacy Framework and Standard Contractual Clauses.
Other service providers (Supabase, n8n Cloud, Google Workspace, Plausible Analytics) process data within the European Economic Area.
You may request more information about specific transfer mechanisms at support@sunnysafebot.com.
8. Subprocessors
We rely on the following service providers ("processors") to operate Sunny:
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting | EU (Stockholm) | DPA signed |
| Google Cloud Platform (Vertex AI) | AI inference | EU (europe-west1) | DPA via Cloud Terms |
| Google Workspace | Email infrastructure for support@sunnysafebot.com | EU multi-region | DPA via Cloud Terms |
| n8n Cloud | Workflow orchestration | EU (Frankfurt or Dublin) | DPA signed |
| OpenAI | Voice transcription (Whisper API) | OpenAI Ireland Ltd. → OpenAI OpCo, LLC (US, with DPF + SCCs) | DPA via Business Terms |
| Polar.sh | Merchant of record (payment processing) | Delaware C Corp with EU OSS VAT registration | DPA at vendor onboarding |
| Netlify | Website hosting | Global edge (US-headquartered) | DPA via terms |
| Plausible Analytics | Website analytics (cookie-free, aggregated) | EU (Germany) | DPA via Plausible Terms |
We update this list as we change service providers. Material changes will be communicated through our website and/or in-bot notice.
9. Telegram as an independent controller
Sunny operates as a bot on the Telegram messaging platform. Telegram (operated by Telegram FZ-LLC and/or Telegram Messenger Inc.) acts as an independent controller of data transmitted through its platform under its own privacy policy, available at telegram.org/privacy.
We have no contractual control over how Telegram processes your data. Telegram does not provide us with your real name, phone number, or email address. If you wish to delete your Telegram-side message history with Sunny, please use the Telegram client directly — we cannot delete messages stored on Telegram's servers.
10. Retention periods
We retain your data for the following periods:
| Data category | Retention period | Reason |
|---|---|---|
| Raw messages (text and transcriptions) | 90 days from creation | Service delivery + automated retention cleanup |
| Conversation logs | 90 days from creation | Service delivery |
| Weekly reflection summaries | 365 days from creation | Long-term personalisation |
Stress-indicator tags (active_tags) | Until you request erasure or 12 months of inactivity | Service personalisation |
| Account-level data (chat_id, settings, consent records) | Until you request erasure or 12 months of inactivity | Service operation |
| Support email correspondence | 5 years from last interaction | Spanish consumer law (TRLGDCU Art. 25) + Commercial Code (Art. 30) |
| Payment transactions and invoices | 6 years from issuance | Spanish Commercial Code (Art. 30) and tax law |
After the retention period expires or upon valid request, data is deleted or anonymised. Payment records subject to legal retention obligations are isolated and used solely for compliance with those obligations.
11. Your rights
Under GDPR, you have the following rights regarding your personal data:
| Right | Article | What it means |
|---|---|---|
| Access | Art. 15 | Receive a copy of your personal data |
| Rectification | Art. 16 | Correct inaccurate or incomplete data |
| Erasure ("right to be forgotten") | Art. 17 | Have your data deleted |
| Restriction | Art. 18 | Have processing temporarily paused |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format |
| Object | Art. 21 | Object to specific processing activities |
| Withdraw consent | Art. 7(3) | Withdraw any consent you previously gave (processing stops; data is not necessarily deleted unless you also request erasure) |
| Not be subject to solely automated decision-making | Art. 22 | Request human review of automated determinations (see Section 13) |
| Lodge a complaint with a supervisory authority | Art. 77 | See Section 16 |
How to exercise your rights
To exercise any of these rights, email support@sunnysafebot.com with the subject line [GDPR Request] and describe what you need. We will respond within 30 days as required by Article 12(3) GDPR.
For identity verification, please include your Telegram username (@handle) linked to the account and the approximate date you started using Sunny. We will reply with a short verification code that you must send into your Telegram chat with Sunny — this lets us reliably link your request to your chat_id without disclosing the chat_id to you. This procedure is necessary to prevent fraudulent requests.
We do not provide bot commands for exercising these rights to avoid accidental data loss. All requests are handled via email.
12. Withdrawing consent
You may withdraw your consent for processing of special category data (Article 9 content) at any time by emailing support@sunnysafebot.com. We will:
- Stop further processing of your content
- Mark your account as "consent withdrawn"
- Inform you that you may also request full erasure under Article 17 if you wish to delete your existing data
Withdrawal of consent does not automatically delete your existing data, because we may have a separate legal obligation to retain certain records (e.g., tax records for payment transactions).
13. Automated decision-making
We use automated analysis of your input to detect indicators of elevated stress or distress. When detected, the system adapts its response pattern (for example, switching from analytical conversation to structured grounding exercises) and may suggest contacting emergency services.
This automated processing has a meaningful effect on your experience but does not produce legal effects. The logic involved is high-level pattern matching based on the content of your messages. The consequence is a change in how the bot responds to you.
If you believe an automated determination was made in error or you wish to contest a determination, email support@sunnysafebot.com. A human will review your case and, where appropriate, override the automated determination.
14. Cookies and website analytics
The website does not use cookies. No cookie consent banner is required because no cookies are placed on your device by us.
For analytics, we use Plausible Analytics (operated by Plausible Insights OÜ, hosted in the EU — Germany). Plausible is a cookie-free, privacy-first analytics service that:
- Does not use cookies, fingerprinting, or any persistent identifiers
- Does not collect personal data
- Does not track individual visitors across sessions or websites
- Does not share data with third parties
- Only collects aggregated, anonymous metrics: page views, approximate country, device type, browser, referrer
Because Plausible does not process personal data and does not place anything on your device, no consent under Article 6(1)(a) GDPR or LSSI-CE Article 22 is required. We rely on Article 6(1)(f) GDPR — legitimate interest in understanding aggregate website traffic. You can read Plausible's privacy guarantees at plausible.io/privacy-focused-web-analytics.
The bot itself does not use cookies — your interaction with Sunny on Telegram does not involve cookies on our side.
15. Security
We implement appropriate technical and organisational measures to protect your personal data:
- TLS encryption for all data in transit
- Encryption at rest in our database
- Access control: only the controller has administrative access to production systems
- Subprocessor security review at onboarding
- Documented breach response procedure aligned with Article 33 GDPR (72-hour notification to the supervisory authority where applicable)
No system is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with Article 34 GDPR.
16. Supervisory authorities
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.
The primary supervisory authority for this service is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
aepd.es
Under Article 77 GDPR, you also have the right to lodge a complaint with the supervisory authority of your country of habitual residence, place of work, or the place of the alleged infringement.
17. Changes to this policy
We may update this policy from time to time. We maintain a version number and effective date at the top of the document and a changelog at the bottom.
For material changes (changes that affect your rights or the way we process your data), we will notify you through the bot and/or via the email address you used to contact us, and where required by law, request renewed consent.
18. Languages
This Privacy Policy is provided in English and Russian. The English version is authoritative; the Russian version is a translation for convenience. In case of any discrepancy between the two, the English version shall prevail.
If you require a copy in another language to understand your rights, please contact support@sunnysafebot.com and we will provide one within 30 days.
19. Contact us
For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at:
support@sunnysafebot.comChangelog
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-05-01 | Initial publication |