Privacy Policy

1. Introduction

This Privacy Policy explains how Gemheap ("we," "our," or "us") collects, uses, and safeguards information when you use the Job Alerts - Gemheap Telegram bot service (the "Service").

By using the Service, you consent to the data practices described in this policy. If you have questions or wish to exercise any of your privacy rights, please contact us at rm.gemheap@gmail.com.

2. Information We Collect

Because the Service operates entirely through Telegram, we collect only the minimum data necessary to provide job alerts:

• Telegram chat ID. A numeric identifier provided by Telegram that uniquely identifies your conversation with the bot. We use this to route alerts to you. We do not collect your Telegram username, phone number, or name unless you voluntarily include them in a message to the bot.
• Watchlist data. The company slugs you choose to watch, any keyword filters you set, and the associated ATS type (Greenhouse, Lever, Ashby, or Personio).
• Plan and subscription status. Your current plan (Free, Pro, or Team) and the number of companies you are monitoring.
• Billing data (paid plans only). Paid transactions are handled by Paddle as the Merchant of Record. We do not collect or store your payment card details, billing address, or other financial information. Paddle processes this data under their own Privacy Notice. We receive from Paddle only the information needed to confirm your subscription status (e.g., plan level and subscription ID).
• Usage data. Basic bot interaction logs (command names, timestamps) for debugging and service improvement. We do not log the content of free-text messages beyond bot commands.

3. How We Use Your Information

• To provide and maintain the Service, including delivering job alerts and enforcing plan limits.
• To process subscription upgrades and cancellations via Paddle.
• To communicate with you about service updates, security alerts, or support responses (via Telegram bot message or email if you contact us).
• To detect and prevent abuse, fraud, or violations of our Terms.
• For aggregate, anonymised analytics to understand how the Service is used and improve it.

4. How We Share Your Information

We do not sell your personal data. We share data only in the following limited situations:

• Paddle (payment processor). Your Telegram chat ID is associated with your Paddle subscription to confirm your plan status. Paddle's use of your data is governed by their Privacy Notice.
• AWS (infrastructure provider). Data is stored in AWS DynamoDB (eu-central-1 region). AWS processes data as a data processor under our instructions.
• For legal reasons. We may disclose information if required by law or in response to valid requests by public authorities.
• Business transfers. If Gemheap is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you in advance.

5. Data Storage and Security

Your data is stored in Amazon DynamoDB in the eu-central-1 (Frankfurt) region. We implement appropriate technical and organisational measures to protect your data, including:

• Encryption of data at rest and in transit (TLS).
• IAM access controls restricting database access to authorised Lambda functions only.
• Webhook signature verification to ensure only Telegram and Paddle can invoke our bot handlers.

No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

6. Data Retention

We retain your data for as long as you have an active account with the bot. Seen job IDs are automatically deleted after 30 days (enforced via DynamoDB TTL). If you stop using the Service and request deletion, we will remove your data within 30 days of your request, except where retention is required by law.

7. Your Privacy Rights

Depending on your location, you may have rights regarding your personal data under applicable laws (including the GDPR for EU/EEA residents and UK GDPR for UK residents):

• Access: Request a copy of the data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your data ("right to be forgotten").
• Portability: Request your data in a structured, machine-readable format.
• Objection / Restriction: Object to or request restriction of certain processing.

To exercise any of these rights, contact us at rm.gemheap@gmail.com. We will respond within 30 days.

8. International Data Transfers

Your data is stored in the EU (Frankfurt, Germany). If you access the Service from outside the EU/EEA, your data may be processed in a country with different data protection laws. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for any transfers outside the EU/EEA.

9. Children's Privacy

The Service is not directed at anyone under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the bot or by updating the "Last updated" date above. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: rm.gemheap@gmail.com
Gemheap. Chisinau, Moldova.