Privacy Policy for FinTechRobot Chat
This Privacy Policy describes how Fintechrobot LLC, a company incorporated in the Russian Federation (hereinafter — “we”, “us”, “our”, or “the Company”), collects, uses, stores, and protects information in connection with the mobile application FinTechRobot Chat (bundle id: ru.fintechrobot.chat) (hereinafter — the “App”).
The App is an internal corporate communication tool intended exclusively for employees of Fintechrobot LLC and its affiliated entities (hereinafter — the “Group”). The App is not intended for, and is not offered to, the general public.
By installing and using the App, you acknowledge that you have read and understood this Privacy Policy and have been informed about how your personal data is processed in connection with the App.
1. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:
- Data Controller / App Operator: Fintechrobot LLC
- Jurisdiction: Russian Federation
- Privacy contact email: [email protected]
Where applicable, personal data may also be processed by the relevant Group entity employing or engaging you for employment, administrative, compliance, security, and operational purposes in connection with your use of the App.
2. Scope
This Privacy Policy applies only to the FinTechRobot Chat mobile application (ru.fintechrobot.chat) distributed through the Apple App Store and Google Play Store. It does not apply to any third-party services, websites, or applications that may be linked from within the App.
3. Information We Collect
We collect only the data necessary to provide the App’s functionality as a corporate messaging tool. Specifically:
3.1. Account and Profile Data
Provided by you or your employer when your corporate account is created:
- Full name
- Corporate email address
- Username / user ID
- Profile picture (optional)
- Job title / team affiliation (optional)
- Authentication data necessary to verify and manage access to the App, such as hashed passwords where credentials are managed locally, single sign-on identifiers, authentication tokens, or similar access-related data
3.2. Communications Content
- Messages, channel posts, direct messages, threads, and reactions
- Files, images, videos, voice recordings, and other attachments you send or receive
- Audio and video streams during calls (processed in real time and not intentionally recorded by the Company unless the call recording feature is explicitly enabled and used; however, limited transient technical processing, routing, buffering, session metadata, and diagnostic logs may be generated as necessary to provide and secure the calling functionality)
3.3. Device and Technical Data
- Device model, operating system and version
- App version and language
- IP address
- Session identifiers and login timestamps
- Push notification tokens (APNs / FCM)
3.4. Diagnostic Data (Firebase Crashlytics)
- Crash reports, stack traces, and non-fatal error logs
- Device state at the time of a crash (e.g., free memory, OS version)
- Anonymous installation identifier
Crashlytics data does not include message content, attachments, or credentials.
3.5. Permissions Requested by the App
With your explicit consent, granted through the operating system’s permission dialog, the App may access:
| Permission / Access | Purpose |
|---|---|
| Camera | Video calls and capturing photos/videos to send in chats |
| Microphone | Voice and video calls, voice messages |
| Photo Library | Attaching existing images and videos to messages |
| Notifications | Delivering new-message and call alerts via APNs / FCM |
In addition, the App may use local device storage and application sandbox storage to cache limited data, such as messages, files, and technical data, in order to support performance and offline access where available.
You may revoke any of these permissions at any time in your device’s system settings. Revoking a permission may limit the corresponding App functionality.
4. How We Use Your Information
We use collected information solely for the following purposes:
- Providing the service — enabling messaging, calls, file sharing, and team collaboration within the Group.
- Authentication and security — verifying your identity, protecting accounts from unauthorized access, and maintaining audit logs.
- Delivering notifications — sending push notifications about new messages, mentions, and calls.
- Diagnostics and reliability — identifying and fixing crashes, bugs, and performance issues via Firebase Crashlytics.
- Compliance with legal obligations — including applicable laws of the Russian Federation and other jurisdictions where the Group operates.
- Administration, support, and compliance — enabling authorized IT, security, compliance, legal, and support personnel to administer the App, troubleshoot issues, investigate security incidents or policy violations, fulfill internal audit requirements, enforce applicable corporate policies, and comply with lawful requests or legal holds.
We do not use your data for advertising, profiling for marketing purposes, or sale to third parties.
5. Internal Use of the App
The App is provided as an internal corporate communication and collaboration tool. Communications, files, metadata, logs, and related account activity processed through the App may be accessed, reviewed, disclosed, or preserved by authorized personnel of the Company and/or relevant Group entities on a need-to-know basis for legitimate business purposes, including system administration, technical support, information security, incident investigation, compliance, internal audit, legal hold, and enforcement of corporate policies and applicable law.
Users should use the App with the understanding that it is a business communication tool subject to corporate oversight and controls.
6. Legal Basis for Processing
Where applicable data protection law requires a legal basis, we rely on:
- Performance of a contract — to provide and administer the corporate communication service in connection with your employment, engagement, or other contractual relationship with a Group entity.
- Legitimate interests — ensuring the security, stability, administration, proper operation, and internal governance of the App and the Group’s IT infrastructure, including fraud prevention, incident response, access control, and policy enforcement.
- Legal obligations — compliance with mandatory record-keeping, security, and reporting requirements.
- Consent — for permissions such as camera, microphone, photo library, and push notifications, which you grant through the operating system.
7. Data Storage and Hosting
All message content, user account data, and attachments are stored on cloud servers operated on Amazon Web Services (AWS). We have implemented industry-standard administrative, technical, and physical safeguards designed to protect your data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for stored data and backups
- Access controls and role-based permissions
- Audit logging and monitoring
The data resides in AWS data centers selected by us based on operational and regulatory considerations, which may be located in one or more jurisdictions. AWS acts as a data processor on our behalf and processes data only as necessary to provide the hosting and related infrastructure services under our instructions and applicable agreements.
8. Third-Party Service Providers
We rely on a limited number of trusted third-party service providers strictly to operate the App:
| Provider | Purpose | Data shared |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting and storage | All service data (encrypted) |
| Apple Push Notification service (APNs) | iOS push notifications | Push token, minimal message metadata |
| Google Firebase Cloud Messaging (FCM) | Android push notifications | Push token, minimal message metadata |
| Google Firebase Crashlytics | Crash and error diagnostics | Device state, crash traces, anonymous ID |
These providers are contractually bound to process data only according to our instructions and applicable law. Push notification payloads are minimized and are designed, where reasonably feasible and subject to platform and product requirements, not to include message content.
9. International Data Transfers
As the Company is incorporated in the Russian Federation and uses global cloud infrastructure, your data may be transferred to and processed in countries other than your country of residence. Where such transfers occur, we ensure that appropriate safeguards are in place, consistent with the Singapore Personal Data Protection Act (PDPA) and, where applicable, other data protection laws.
10. Data Retention
We retain your data for as long as:
- your corporate account with the Group remains active, and
- retention is required to comply with legal, accounting, or security obligations.
After your account is deactivated, personal data is deleted, anonymized, or securely isolated in accordance with the Group’s retention schedules and internal policies, except where longer retention is required or permitted by law, or is necessary for security, audit, legal hold, dispute resolution, enforcement of agreements, or protection of the rights and legitimate interests of the Company or other Group entities.
Different categories of data may be retained for different periods depending on their nature and purpose, including account records, messages and files, backups, audit logs, security logs, and diagnostic data.
Crashlytics diagnostic data is automatically retained for a limited period in accordance with Firebase’s default retention policy.
11. Your Rights
Depending on the jurisdiction in which you reside, you may have the following rights with respect to your personal data, subject to applicable legal limitations and the Company’s obligations in relation to employment, security, internal administration, legal compliance, and the rights of others:
- Access — obtain confirmation of whether we process your data and a copy of it.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your data, subject to legal retention requirements.
- Restriction / Objection — request that we limit or stop certain processing.
- Withdrawal of consent — withdraw any consent you have given, without affecting the lawfulness of prior processing.
- Data portability — receive your data in a structured, commonly used format, where applicable.
- Lodge a complaint — with the competent data protection authority (for Singapore: the Singapore Personal Data Protection Commission (PDPC)).
To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law.
12. Children’s Privacy
The App is an internal corporate tool intended only for authorized workforce members and is not directed to children. We do not knowingly collect personal data from children through the App. If you believe a minor has provided us with personal data, please contact us and we will take appropriate action to delete it.
13. Security
We implement reasonable and appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
If we become aware of a data breach that materially affects your personal data, we will notify you and, where required, the competent authority in accordance with applicable law.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be posted at the same URL, with a revised “Last updated” date. Where the changes are material, we will provide additional notice through the App or by email.
Your continued use of the App after such changes means that the revised Privacy Policy will apply to your continued use of the App, to the extent permitted by applicable law.
15. Governing Law
This Privacy Policy is governed by the laws of the Russian Federation, without regard to its conflict-of-laws principles. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Singapore, unless a mandatory law provides otherwise.