1. Who collects information and why
Personal data operator:
KLIMOV & Co LLP
BIN: 260440020318
Address: Republic of Kazakhstan, Almaty, 10/2 Zhitomirskaya St.
Email: danil@klimov.company · Tel.: +7 705 993 83 83
Technical developer and sub-processor:
GPO OÜ (Estonia), reg. number 14897399
Address: Peterburi tee 38/9, Tallinn 11415, Estonia
Email: gpowork@gmail.com
Product: the Tuc-Tuc messenger — a client-server application for messaging, audio and video calls, built on the open decentralised Matrix protocol.
2. What data we process
2.1. Data you provide to us yourself
| Category | When collected | Purpose |
|---|---|---|
| Username (MXID) | at registration | identification in the system |
| Display name and avatar (opt.) | when setting up the profile | display in chats |
| Message content | when sending | delivery to recipient, history |
| Media files | when sending in a chat | delivery, temporary storage |
| Voice and video during calls | during calls | transmission between participants |
2.2. Data collected automatically
| Category | Source | Storage |
|---|---|---|
| IP address | when connecting to the server | logs, 30-day rotation |
| Push tokens (APNs, FCM, Web Push) | at device registration | until you sign out |
| Session metadata | when connecting | active session + 24 hours |
| Error events (Sentry) | on failures | 30 days, no content |
| Anonymous analytics (PostHog) | when using features | 90 days, no identification |
2.3. Data we do NOT collect
- Your phone address book contacts
- Geolocation (unless you explicitly allow it)
- Browser history
- Biometric data
3. Legal grounds for processing
Personal data is processed in accordance with:
- The Law of the Republic of Kazakhstan No. 94-V of 21 May 2013 "On Personal Data and its Protection";
- The General Data Protection Regulation (GDPR) of the European Union, applicable to the activities of the sub-processor GPO OÜ.
Grounds for processing:
- Consent of the personal data subject (Art. 8 of Law of the RK No. 94-V) — at account registration.
- Contract — for the provision of messenger services (Art. 9, para. 2).
- Legitimate interests of the operator — ensuring security, countering fraud and abuse.
4. Where and how long data is stored
| Data | Storage location | Retention |
|---|---|---|
| Messages, media, profile | Hetzner Cloud (Germany, NBG1) | until account deletion |
| Server logs | the same server | 30 days (rotation) |
| Backups | Hetzner (Germany) | 30 days daily + 12 months monthly |
| Sentry (errors) | sentry.io (EU region) | 30 days |
| PostHog (analytics) | EU Cloud (Frankfurt) | 90 days |
The server infrastructure is located within the European Union (Germany), which ensures compliance with the GDPR. No data is transferred outside the EU, except in the case of push notifications (see §5).
5. Transfer of data to third parties
| Recipient | What is transferred | Purpose |
|---|---|---|
| Hetzner Online GmbH (Germany) | server and storage | infrastructure hosting |
| Apple Inc. (USA) — APNs | device token + "new message" event (without text) | iOS push notifications |
| Google LLC (USA) — FCM | the same | Android push notifications |
| Sentry / PostHog | technical telemetry | availability monitoring |
| DNS provider (PS.KZ) | DNS queries only | domain name resolution |
We do not sell or transfer your data to third parties for marketing or advertising purposes.
Disclosure of data at the request of authorised state bodies is carried out exclusively in the manner established by the legislation of the Republic of Kazakhstan and of the country hosting the server infrastructure (Germany).
6. Encryption
In the MVP version of the Application:
- Transport encryption: TLS 1.2/1.3 for all traffic between the client and the server, as well as between servers.
- End-to-end encryption (E2E): not enabled in the MVP version. The operator is technically able to access message content on the server side. E2E encryption, which the Matrix protocol supports natively, will be added in subsequent versions of the product.
7. Your rights
Under Articles 24–26 of Law of the RK No. 94-V, you have the right to:
- Obtain information on whether we hold your data and on its processing.
- Amend or supplement your personal data.
- Withdraw consent to processing.
- Request deletion of data — the Application provides a "Delete account" feature (see Account deletion).
- Block processing where there are grounds to believe it is unlawful.
- Appeal the operator's actions to the authorised body for the protection of personal data of the RK or to a court.
To exercise your rights, send a request to danil@klimov.company with the subject "Personal data request". A response will be provided within 15 business days.
8. Account deletion
In accordance with the requirements of the Apple App Store, Google Play and Art. 24 of Law of the RK No. 94-V:
- You can delete your account from within the Application itself: Settings → Account → Delete account.
- After deletion is confirmed: message history and media are marked for deletion immediately; physical deletion from servers and backups occurs within 90 days; push tokens are revoked instantly.
Step-by-step instructions: delete.tuc-tuc.asia.
9. Children
The Application is not intended for persons under 16 years of age. We do not knowingly collect their data. If we receive information that a minor has registered without the consent of a legal representative, the account is deleted.
10. Changes to the policy
Material changes (expansion of processing purposes, new data recipients, changes to retention periods) are published in the Application and at https://privacy.tuc-tuc.asia/ at least 30 days before they take effect.
11. Privacy contacts
| Contact | Details |
|---|---|
| Operator email | danil@klimov.company |
| DPO email (technical matters) | gpowork@gmail.com |
| Mailing address | 10/2 Zhitomirskaya St., Almaty, Republic of Kazakhstan |
| Authorised body of the RK | Committee for Information Security of the MDDIAI of the RK |