Skip to content

Privacy Policy

Rufoof — Telegram File Distribution Platform

Effective Date: April 17, 2026 Last Updated: April 17, 2026

1. Introduction and Scope

Rufoof ("we," "us," "our," or "the Platform") is a technical infrastructure service that enables Telegram bot operators ("Bot Administrators") to create and manage Telegram bots for the purpose of distributing files to their own end users. This Privacy Policy describes what data the Platform collects, how it is used, how it is stored, and the rights and limitations applicable to users.

This Policy applies to:

  • Bot Administrators — individuals or organizations who register a Telegram bot on this platform to manage and share files via the Rufoof uploader and backend.
  • End Users — individuals who interact with bots created through this platform via the Telegram messaging application.

By using this Platform in any capacity, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, you must immediately cease all use of the Platform.

2. Role of the Platform and Limitations of Liability

Rufoof is a technical infrastructure provider, not a data controller for End User interactions. Bot Administrators are solely responsible for their own compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any equivalent national or regional legislation in the Bot Administrator's jurisdiction.

The Platform does not review, moderate, or verify the nature, legality, or appropriateness of Content uploaded or distributed by Bot Administrators. The Platform Operator accepts no responsibility or liability for any Content uploaded, transmitted, or made accessible by Bot Administrators through the Platform.

THE PLATFORM OPERATOR MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE PRIVACY, CONFIDENTIALITY, OR SECURITY OF ANY DATA PROCESSED, TRANSMITTED, OR STORED THROUGH THE PLATFORM OR THROUGH TELEGRAM'S INFRASTRUCTURE. USE OF THIS PLATFORM IS ENTIRELY AT YOUR OWN RISK.

3. Data We Collect

3.1 From Bot Administrators

When a Bot Administrator registers a bot on the Platform, the following information is collected and stored:

  • Telegram bot token — the credential that authorizes the Platform to operate the bot on the administrator's behalf. Stored server-side with access controls in place. Bot Administrators are solely responsible for the security of their own tokens.
  • Telegram channel ID — the identifier of the Telegram channel from which files are served.
  • Bot username — the public Telegram username of the registered bot (e.g., @mybotname).
  • File metadata — file names, file sizes, and Telegram file IDs for files added to the bot's library. The Platform stores only references to files hosted on Telegram's infrastructure; file contents are never stored on Rufoof servers.
  • Bot Administrator's Telegram user ID — used solely to verify ownership of the registered bot and to control access to bot management features.
  • Bot configuration settings — rate limit parameters, whitelist rules, ban durations, and other configuration options set by the administrator.

3.2 From End Users

When an End User interacts with a bot powered by the Platform, the following data may be collected:

  • Telegram user ID — a numeric identifier assigned by Telegram. Used for rate limiting, ban enforcement, and whitelist matching as configured by the Bot Administrator.
  • Telegram username — collected only when the Bot Administrator has configured username-based access controls (whitelisting) for their bot.
  • Interaction logs — a temporary in-memory record of bot interactions used for operational purposes. These logs are never written to permanent storage and are discarded when the server process restarts.
  • Rate limit and ban records — stored temporarily in the database to enforce usage limits configured by the Bot Administrator. These records expire automatically after their configured duration.

3.3 What We Do NOT Collect

The Platform does not collect:

  • File contents — files are stored exclusively on Telegram's servers. The Platform stores only Telegram file ID references.
  • Real names, email addresses, phone numbers, or payment information from End Users.
  • Geographic location data.
  • Device identifiers, IP addresses from End Users, or browser fingerprinting data.
  • Any data beyond what is strictly necessary to operate the technical functionality described above.

4. How We Use Data

Data collected through the Platform is used solely to operate and maintain the Service:

  • To authenticate Bot Administrators and enable them to manage their registered bots.
  • To operate registered Telegram bots (serving files, enforcing rate limits, applying whitelist and ban rules).
  • To prevent abuse and maintain the security and integrity of the Platform.

We do not sell, rent, or trade any data to third parties.

We do not use any collected data for advertising, profiling, or marketing purposes.

We do not share Bot Administrator or End User data with any third party, except as strictly necessary to provide the Service (i.e., through use of the Telegram Bot API, operated by Telegram Messenger Inc.), or as required by applicable law or lawful governmental order.

5. Data Storage and Security

Data is stored on servers located in Netherlands, within a jurisdiction subject to European data protection standards.

We implement reasonable technical and organizational measures to protect stored data against unauthorized access, loss, or disclosure. However, no data storage or transmission system is absolutely secure. The Platform Operator does not warrant or guarantee the security of any data stored on or transmitted through the Platform.

Bot Administrators are strongly advised not to upload, distribute, or otherwise process sensitive personal data, confidential information, or classified materials through this Platform. The Platform Operator accepts no liability for any unauthorized access to, or disclosure of, data stored on or transmitted through the Platform.

Bot Administrators should regenerate their Telegram bot token immediately via BotFather if they have any reason to believe it has been compromised and promptly notify the Platform Administrator.

6. Telegram's Role

This Platform operates exclusively through the Telegram Bot API, provided by Telegram Messenger Inc. All messages, file transfers, and user interactions are routed through Telegram's infrastructure and are subject to Telegram's Privacy Policy, available at https://telegram.org/privacy.

The Platform Operator has no control over and accepts no responsibility for how Telegram Messenger Inc. collects, processes, stores, or discloses data. When an End User sends a message to a bot, that message is handled by Telegram's systems prior to being forwarded to the Platform's server via webhook.

Bot Administrators and End Users must review and accept Telegram's Privacy Policy independently. Rufoof's privacy obligations do not extend to data handled solely by Telegram.

7. Data Retention

Bot Administrator data is retained for as long as the bot remains active on the Platform. Upon removal (disconnection) of a bot, associated data — including the bot token, channel ID, file metadata, and configuration — is generally not deleted unless explicitly requested by the bot's owner.

End User data:

  • Rate limit and ban records expire automatically after the duration configured by the Bot Administrator and are deleted from the database upon expiry.
  • Telegram user IDs associated with active bots are retained for as long as the relevant bot remains registered on the Platform.
  • In-memory interaction logs are discarded on server restart and are never written to permanent storage.

The Platform Operator does not guarantee any specific retention period for operational data and reserves the right to delete data at any time at its sole discretion.

8. Bot Administrator Responsibilities

Bot Administrators operate their own independent services for their End Users through this Platform. By deploying a bot through Rufoof, Bot Administrators accept full and exclusive responsibility for:

  • Obtaining all necessary consents and authorizations from their End Users before collecting or processing any personal data through the bot, as required by applicable law.
  • Complying with Telegram's Terms of Service (https://telegram.org/tos) and all applicable local, national, and international laws and regulations.
  • Not using the Platform to distribute illegal content, malware, infringing material, or any content that violates Telegram's terms or applicable law.
  • Securing their bot token. A bot token confers full programmatic control over the bot. Exposure of a token must be treated as a security incident, and the token must be regenerated immediately via BotFather.
  • Publishing their own appropriate privacy notice to their End Users that accurately describes the data practices applicable to their bot, including those described in this Policy that affect End Users.
  • Ensuring that any personal data of End Users processed through their bot complies with all applicable data protection laws.

The Platform Operator accepts no liability for the acts, omissions, or legal non-compliance of any Bot Administrator. The Platform Operator is not a data controller or data processor for any End User data processed by a Bot Administrator through their bot.

9. End User Rights

End Users who interact with bots on this Platform may have rights under applicable data protection law with respect to data held about them. These may include the right to access data held about them, the right to erasure, and the right to restriction of processing, subject to applicable law.

In the first instance, End Users should direct any data rights requests to the operator of the specific bot they interacted with, as Bot Administrators are responsible for compliance with data subject rights in connection with their own bots.

Where an End User is unable to contact the relevant Bot Administrator, they may contact the Platform Administrator using the details in Section 11. Because the Platform does not collect names or email addresses from End Users, requests must be made by providing your Telegram user ID (a numeric value, visible in Telegram client settings or through tools such as @userinfobot).

The Platform Operator will make reasonable efforts to respond to legitimate requests within a reasonable timeframe but makes no warranty as to the outcome or completeness of any such response.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM OPERATOR SHALL NOT BE LIABLE FOR:

  • Any unauthorized access to, disclosure of, or loss of data stored on or transmitted through the Platform.
  • Any harm, loss, or damage resulting from a Bot Administrator's failure to comply with applicable data protection laws.
  • Any privacy violation resulting from End Users' interactions with a bot operated by a Bot Administrator.
  • Any acts or omissions of Telegram Messenger Inc. or any other third-party service.
  • Any loss, corruption, or unavailability of uploaded files or stored metadata.
  • Any indirect, incidental, special, consequential, or punitive damages arising from use of, or inability to use, the Platform, even if advised of the possibility of such damages.

Nothing in this Policy creates any duty of care by the Platform Operator toward End Users of bots operated by Bot Administrators.

11. Changes to This Policy

We may update this Privacy Policy at any time. When changes are made, the "Last Updated" date at the top of this document will be revised. Continued use of the Platform after any update constitutes acceptance of the revised Policy. Bot Administrators are responsible for reviewing this Policy periodically.

12. Contact

For privacy-related inquiries, data access or erasure requests, or to report a concern about data handling on this Platform:

Platform Administrator: https://t.me/blessed_tree

End Users should contact the operator of their specific bot in the first instance. Bot Administrators should contact the Platform Administrator using the details above.