Privacy Policy

Avrelium is operated by Ivan Tereshchenko as an individual. The data controller contact for any privacy-related question, including deletion or export, is 0630039863abc@gmail.com.

When you use Avrelium we store:

• ☩Your Telegram user ID and username (used to identify you across sessions).
• ☩The full text of each idea you submit (voice messages are transcribed and the transcript is kept; original audio is discarded after transcription).
• ☩The intermediate outputs produced by the pipeline: research summaries, concept blocks, arbitration verdicts, plans, ICP profiles, distribution maps, outreach kits, product specs, unit economics.
• ☩Metadata: timestamps, idea status, cost-tracking records of language-model calls.
• ☩Session cookies (httpOnly, sameSite=lax, secure) used to keep you signed in.

We do not store passwords. Authentication runs through the official Telegram Login Widget, which uses an HMAC signature; we never see your Telegram password.

• ☩To run the pipeline you asked us to run — every stored field is needed for the next pipeline stage.
• ☩To show you the history of your ideas in the web interface.
• ☩To improve the product (aggregate, de-identified usage statistics — model latency, error rates, stage success rates).

We do not sell or trade personal data. We do not use it for advertising. We do not share it with marketing partners.

To run the pipeline we send your idea text to these external services. Each of them processes the text according to their own policies; we only send what is strictly required.

• ☩OpenAI — voice-message transcription (Whisper API). Voice audio is sent to OpenAI, transcribed, then discarded on our side. Their policy: openai.com/policies.
• ☩OpenRouter — routing for text-generation models (Anthropic Claude, Google Gemini, Qwen, GPT-class). Idea text and intermediate outputs are sent for inference. Their policy: openrouter.ai/terms.
• ☩Telegram — the messaging channel. Your messages to the bot and our replies travel through Telegram. Their policy: telegram.org/privacy.

All long-term data is stored in a self-hosted Postgres 16 database on a Hetzner Cloud server in the European Union. Daily encrypted database backups are kept locally with seven-day rotation.

We keep your data while your account is active. If you ask us to delete it, we remove your account record and all ideas, transcripts, concepts and derived artefacts within 30 days. Some logs (without personal identifiers) may remain for up to 90 days for security and debugging.

You can ask us to: export everything we hold on you, correct any inaccurate field, delete your account entirely, or restrict processing. Write to 0630039863abc@gmail.com and we will respond within 30 days.

TLS 1.3 for all traffic. Httponly, sameSite=lax, secure cookies for sessions. CSP, HSTS-equivalent and standard security headers on every response. Database not exposed to the public internet. Vulnerability reports — see /.well-known/security.txt.