Legal documents

Privacy Policy

Version: 1.0Updated: 04 June 2026Product: Tuc-Tuc messenger
Draft. This document has been prepared as a technical template reflecting the specifics of the product (Matrix) and requires legal review by an authorised lawyer before publication.

1. Who collects information and why

Personal data operator:
KLIMOV & Co LLP
BIN: 260440020318
Address: Republic of Kazakhstan, Almaty, 10/2 Zhitomirskaya St.
Email: danil@klimov.company · Tel.: +7 705 993 83 83

Technical developer and sub-processor:
GPO OÜ (Estonia), reg. number 14897399
Address: Peterburi tee 38/9, Tallinn 11415, Estonia
Email: gpowork@gmail.com

Product: the Tuc-Tuc messenger — a client-server application for messaging, audio and video calls, built on the open decentralised Matrix protocol.

2. What data we process

2.1. Data you provide to us yourself

CategoryWhen collectedPurpose
Username (MXID)at registrationidentification in the system
Display name and avatar (opt.)when setting up the profiledisplay in chats
Message contentwhen sendingdelivery to recipient, history
Media fileswhen sending in a chatdelivery, temporary storage
Voice and video during callsduring callstransmission between participants

2.2. Data collected automatically

CategorySourceStorage
IP addresswhen connecting to the serverlogs, 30-day rotation
Push tokens (APNs, FCM, Web Push)at device registrationuntil you sign out
Session metadatawhen connectingactive session + 24 hours
Error events (Sentry)on failures30 days, no content
Anonymous analytics (PostHog)when using features90 days, no identification

2.3. Data we do NOT collect

3. Legal grounds for processing

Personal data is processed in accordance with:

Grounds for processing:

  1. Consent of the personal data subject (Art. 8 of Law of the RK No. 94-V) — at account registration.
  2. Contract — for the provision of messenger services (Art. 9, para. 2).
  3. Legitimate interests of the operator — ensuring security, countering fraud and abuse.

4. Where and how long data is stored

DataStorage locationRetention
Messages, media, profileHetzner Cloud (Germany, NBG1)until account deletion
Server logsthe same server30 days (rotation)
BackupsHetzner (Germany)30 days daily + 12 months monthly
Sentry (errors)sentry.io (EU region)30 days
PostHog (analytics)EU Cloud (Frankfurt)90 days

The server infrastructure is located within the European Union (Germany), which ensures compliance with the GDPR. No data is transferred outside the EU, except in the case of push notifications (see §5).

5. Transfer of data to third parties

RecipientWhat is transferredPurpose
Hetzner Online GmbH (Germany)server and storageinfrastructure hosting
Apple Inc. (USA) — APNsdevice token + "new message" event (without text)iOS push notifications
Google LLC (USA) — FCMthe sameAndroid push notifications
Sentry / PostHogtechnical telemetryavailability monitoring
DNS provider (PS.KZ)DNS queries onlydomain name resolution

We do not sell or transfer your data to third parties for marketing or advertising purposes.

Disclosure of data at the request of authorised state bodies is carried out exclusively in the manner established by the legislation of the Republic of Kazakhstan and of the country hosting the server infrastructure (Germany).

6. Encryption

In the MVP version of the Application:

7. Your rights

Under Articles 24–26 of Law of the RK No. 94-V, you have the right to:

  1. Obtain information on whether we hold your data and on its processing.
  2. Amend or supplement your personal data.
  3. Withdraw consent to processing.
  4. Request deletion of data — the Application provides a "Delete account" feature (see Account deletion).
  5. Block processing where there are grounds to believe it is unlawful.
  6. Appeal the operator's actions to the authorised body for the protection of personal data of the RK or to a court.

Exercising your rights: a request to danil@klimov.company with the subject "Personal data request". A response will be provided within 15 business days.

8. Account deletion

In accordance with the requirements of the Apple App Store, Google Play and Art. 24 of Law of the RK No. 94-V:

  1. You can delete your account from within the Application itself: Settings → Account → Delete account.
  2. After deletion is confirmed: message history and media are marked for deletion immediately; physical deletion from servers and backups occurs within 90 days; push tokens are revoked instantly.

Step-by-step instructions: delete.tuc-tuc.asia.

9. Children

The Application is not intended for persons under 16 years of age. We do not knowingly collect their data. Upon receiving information about the registration of a minor without the consent of a legal representative, the account is deleted.

10. Changes to the policy

Material changes (expansion of processing purposes, new data recipients, changes to retention periods) are published in the Application and at https://privacy.tuc-tuc.asia/ at least 30 days before they take effect.

11. Privacy contacts

Operator emaildanil@klimov.company
DPO email (technical matters)gpowork@gmail.com
Mailing address10/2 Zhitomirskaya St., Almaty, Republic of Kazakhstan
Authorised body of the RKCommittee for Information Security of the MDDIAI of the RK

Other documents

Back to home →